
Win Xpprosp2 Trojan Infection


5 replies to this topic

#1 Rick Sirocco

Rick Sirocco

  • Members
  • 4 posts

Posted 06 June 2006 - 04:09 PM

Thank you for any help! :thumbsup:

I recently became infected with a number of viruses and have finally cleaned out all but 2. They are Trojan-Backdoor-Haxdoor & Trojan-Downloader-Terula.
I am running WinXPproSP2 and am using Maxthon as my browser on an SBC DSL connection. I am using Avast Virus program, SpywareBlaster, Spybot S&D (always gets stuck at WWWCoolSearch), Spysweeper, AdAware & most recently Webroot Desktop Firewall.

I followed the steps outlined in the "Bleeping Computer" introduction. All went OK except for the Trend Micro Housecall feature, which did not seem to finish. It finished Step 2 and gave me a long list of vulnerabilities. I read about each one and downloaded the patches. Housecall never got to Step 3 and there were no instructions on the screen other than the list of vulnerabilities.
I disconnected from the internet. I attempted to run the patches but was dumped to a screen that did a physical memory dump. This occurred 6 times before I gave up. I then rebooted.

I then ran Spysweeper, AdAware se & Avast. Spysweeper picked up the 2 above listed Trojans and does so every time I turn my computer on.

Also, I am now using the Webroot Desktop Firewall on a 30 day trial. Each time I turn on my computer the following file attempts to access the internet (which my firewall allows me to block) -

c:\programfiles\support.com\bin\Tgcmd.exe

When establishing a connection to the internet, when I click 'connect', the following file attempts to access the internet (which my firewall allows me to block) -

c:\windows\system32\svchost.exe

After establishing a connection, when I execute Maxthon the following file attempts to access the Internet (which my firewall allows me to block) -

c:\windows\system32\services.exe

After being on the internet approximately 20 minutes the following file attempts to access the Internet (which my firewall allows me to block) -

c:\programfiles\broadjump\client foundation\cfd.exe

Here is my HijackThis log file directly after I ran Spysweeper & AdAware SE today -

Logfile of HijackThis v1.97.7
Scan saved at 1:28:18 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\program files\support.com\bin\tgcmd.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Webroot\Desktop Firewall\WDFDataService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Webroot\Desktop Firewall\FirewallNTService.exe
C:\Program Files\Maxthon\Maxthon.exe
C:\JRHold\Maintenance\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WebrootDesktopFirewall] C:\Program Files\Webroot\Desktop Firewall\webrootdesktopfirewall.exe -t
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
O16 - DPF: {33331111-1111-1111-1111-611111193429} -
O16 - DPF: {33331111-1111-1111-1111-615111193427} -
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D7F084A-F49F-411A-A3AA-F7D370CBDFF7}: NameServer = 68.94.156.1 68.94.157.1

Thanks for your assistance! :flowers:

Cheers,
Rick
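An added example, not code from the thread or from HijackThis: a small Python parser for the O2/O4/O16 line formats in the log above, with a triage pass that flags the entries a helper would check first, such as O16 DPF records that carry a CLSID but no control name and no download URL. The sample log is constructed from the entry types in the thread.

```python
import re

# Constructed sample in HijackThis v1.97 line format, built from the entry types in the
# thread's log: O2 = browser helper object, O4 = registry autorun, O16 = ActiveX (DPF) download.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\Program Files\\Spybot - Search & Destroy\\SDHelper.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {33331111-1111-1111-1111-611111193423} -
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -(?: (?P<url>\S+))?$")

def parse_hjt(text):
    """Return one dict per recognised O2/O4/O16 line; other line types are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for kind, rx in (("O2", O2_RE), ("O4", O4_RE), ("O16", O16_RE)):
            m = rx.match(line)
            if m:
                # Optional groups come back as None; normalise to "" for simpler checks.
                entries.append({"kind": kind, **{k: v or "" for k, v in m.groupdict().items()}})
                break
    return entries

def executable_token(cmd):
    """First token of an autorun command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]

def triage(entries):
    """Flag what a helper checks first; each finding is (identifier, reason)."""
    findings = []
    for e in entries:
        if e["kind"] == "O16" and not e["name"] and not e["url"]:
            findings.append((e["clsid"], "DPF entry with no name or URL: verify the CLSID and its DLL"))
        elif e["kind"] == "O2" and e["name"] == "(no name)":
            findings.append((e["clsid"], "BHO without a display name: verify " + e["path"]))
        elif e["kind"] == "O4":
            exe = executable_token(e["cmd"])
            if "\\" not in exe and "%" not in exe:
                findings.append((e["label"], "autorun '" + exe + "' has no full path: check which file on PATH runs"))
    return findings
```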

#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 12 June 2006 - 04:36 PM

Download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, then accept the agreement.
Leave [X] Scan through Windows Explorer checked,
click Scan, then Next.
You'll see a list of all items found.
Don't choose for rename yet! I want to see the log first, because legit items can also be present there... like "wbemtest.exe"
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Copy and paste this log along with the rootkit revealer log.

#3 Rick Sirocco

Rick Sirocco
  • Topic Starter

  • Members
  • 4 posts

Posted 12 June 2006 - 06:00 PM

Hi Grinler,
Thank you for your assistance! :thumbsup:

I d/l'd and ran Blacklight beta. I did not get an option for "Leave [x] scan through windows Explorer checked". When I opened Blacklight I got the option to 'Run', then the Agreement (agreed), then the Scan Window. I clicked 'Scan'. After completion I saw the following message -
"Scan Complete - No Hidden items found".

Here is the fsbl -

06/12/06 15:26:25 [Info]: BlackLight Engine 1.0.37 initialized
06/12/06 15:26:25 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/12/06 15:26:25 [Note]: 7019 4
06/12/06 15:26:25 [Note]: 7005 0
06/12/06 15:26:39 [Note]: 7006 0
06/12/06 15:26:39 [Note]: 7011 1804
06/12/06 15:26:39 [Note]: 7026 0
06/12/06 15:26:39 [Note]: 7026 0
06/12/06 15:26:42 [Note]: FSRAW library version 1.7.1015
06/12/06 15:29:35 [Note]: 7007 0

Also, I didn't mention in my original post that the locations of the Haxdoor and Terula trojans were in the Registry as follows -

Trojan-Backdoor-Haxdoor

HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\zopenssl

Trojan-Backdoor-Terula

HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{196b9cb5-4c83-46f7-9606-9672ecd9d99b}\

Again, really appreciate all your effort on this!

Cheers,
Rick

#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 12 June 2006 - 07:19 PM

Download the attached .reg file and .bat file and save them to your desktop.

Reboot your computer into Safe Mode

Double-click on the fixhax.bat and then double-click on fixhax.reg and allow the data to be merged.

Reboot and tell me if the problem is gone.

Attached Files



#5 Rick Sirocco

Rick Sirocco
  • Topic Starter

  • Members
  • 4 posts

Posted 12 June 2006 - 10:28 PM

Hi Grinler,
Followed your instructions and the 2 trojans are gone! :thumbsup:
Thank you for your assistance and support. If there is anything I can do to support this site, please let me know.

Cheers,
Jon

#6 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,504 posts
  • Gender:Male
  • Location:USA

Posted 13 June 2006 - 11:49 AM

Best way to support the site is to let everyone you know about us :thumbsup:

Now that you're clean:

Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore here:

Managing Windows Millennium System Restore

or

Windows XP System Restore Guide

Re-enable System Restore using the instructions in the tutorial above.


Next,

This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:

Step 1: Delete Temp Files
To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.

This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.

Step 2: Delete Temporary Internet Files
Now I want you to open up Internet Explorer, and click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are currently on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed with how long it takes. When it is done, your Temporary Internet Files will now be deleted.

Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet


Glad I was able to help, and if there are any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!



