Trojan.Zlob.I and Download.Trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MelanieS, Mar 23, 2006.

  1. MelanieS

    MelanieS Private E-2

    Hello and thanks if you can help me out!

    After being informed by Norton Internet Security that I had these two viruses (which it could not remove) I proceeded with all of the instructions in the sticky note before posting this. I had some success with some of the programs, but when I rebooted in normal mode, I was told again by NIS that there is a Trojan on the machine. I'm attaching my logs.

    THANKS!

    Melanie
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks Melanie!

    You have a few nasties hiding in the background. You need to run a few more procedures before we can get started on manual cleaning.

    Also answer a question: Is your SpySweeper version the free trial or did you buy it? If free, when did you install it?

    Please run the below procedure and attach your smitfiles.txt log.

    SpyFalcon Removal Procedure


    Now run Windows Explorer and delete the below files. Let me know which one you find and do not find and whether you get them deleted or not:
    C:\Documents and Settings\Melanie\Favorites\GAMBLING <--- the GAMBLING folder
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[1].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    C:\WINDOWS\SYSTEM32\f3PSSavr.scr
    C:\WINDOWS\SYSTEM32\ot.ico
    C:\WINDOWS\system32\1024\ldB490.tmp
    C:\WINDOWS\system32\1024\ld6548.tmp
    C:\WINDOWS\system32\1024\ld13FD.tmp
    C:\WINDOWS\system32\ginuerep.dll
    C:\WINDOWS\Temp\win3.tmp.exe <--- in fact delete all files in this Temp folder (which includes the below)
    C:\WINDOWS\Temp\win6.tmp.exe
    C:\WINDOWS\Temp\win149.tmp.exe
    C:\WINDOWS\Temp\win14C.tmp.exe
    C:\WINDOWS\Temp\win14F.tmp.exe


    The next file will require special steps from the command prompt to locate and delete it since Windows Explorer will not be able to see it.
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
    • Click Start, Run, and enter command in the box and click OK. This opens a command prompt window.
    • Enter the following command lines each followed by the enter key
    cd C:\WINDOWS\Downloaded Program Files\
    attrib -r -h -s f3initialsetup1.0.0.15.inf
    del f3initialsetup1.0.0.15.inf
    exit <--- this will close the command prompt window


    After doing all of the above get a new PandaActiveScan log and attach it.
    Also attach the smitfiles.txt log and a new HJT log.


     
    Last edited: Mar 24, 2006
  3. MelanieS

    MelanieS Private E-2

    THANK YOU!!!

    While I was waiting for a response, I continued with the additional scans recommended in another document. I ran CC cleaner, ewido, a-squared and kaspersky in safe mode. I also downloaded Process Explorer and Killbox in prep but did not perform anything with them and will wait for instruction to do so.

    SpySweeper is a purchased version, on this laptop since I purchased it in September. It is set to perform a scan upon boot.

    BTW, I know the main infection occurred on March 21 as my son was home from school and downloaded some guitar tab software and who knows what else without my supervision…. Then the problems began.

    Also want to note that my internet connection is wireless. When I run in safe mode, the connection is not made, but when I run in Normal mode, the connection is detected and established automatically. Let me know if this is a problem.


    I ran the SpyFalcon fix as you stated.

    When I rebooted in Normal mode, the Slimshield icon and an annoying warning about viruses popped up briefly at the bottom right, but then disappeared and has not come back while working.

    These windows come up repeatedly as I work:

    Norton Antivirus does not support the Repair feature. Please uninstall and reinstall.

    Please wait while Windows configures Norton Antivirus.

    Norton Antivirus has detected a virus on your computer.
    Object Name C:\windows\system32\winccf32.dll
    Virus Name Download.Trojan
    Action Taken Unable to repair this file.
    Action Taken Access to the file was denied.

    Also an annoying popup window for Photo Shaman

    Files deleted as noted:
    C:\Documents and Settings\Melanie\Favorites\GAMBLING <--- the GAMBLING folder
    I did not find this file. I believe one of the programs I ran in the interim spotted it and removed it.

    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[1].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
    The Folder Content.IE5 is not there.

    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    I deleted it.

    C:\WINDOWS\SYSTEM32\f3PSSavr.scr
    Not found

    C:\WINDOWS\SYSTEM32\ot.ico
    Not Found

    C:\WINDOWS\system32\1024\ldB490.tmp
    C:\WINDOWS\system32\1024\ld6548.tmp
    C:\WINDOWS\system32\1024\ld13FD.tmp
    None of the three found

    C:\WINDOWS\system32\ginuerep.dll
    Not found

    C:\WINDOWS\Temp\win3.tmp.exe <--- in fact delete all files in this Temp folder (which includes the below)
    C:\WINDOWS\Temp\win6.tmp.exe
    C:\WINDOWS\Temp\win149.tmp.exe
    C:\WINDOWS\Temp\win14C.tmp.exe
    C:\WINDOWS\Temp\win14F.tmp.exe
    I deleted what I found, which was: T30DebugLog, win1.tmp, win3tmp.exe, win14.tmp.exe, win162.tmp

    Then I emptied the Recycle Bin

    Deleted as directed:
    C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf

    I ran PandaActiveScan, log attached. DARN IT! That Slimshield icon came up again and stayed now. GRRRRR
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is there. See your new Panda log. You must make sure you have enabled viewing of hidden & system files per the READ & RUN ME. The files are there as Panda indicates.

    I will work up a procedure for your other issues tomorrow! Need to sleep now! Almost 4 am my time!

    Is Ewido also purchased? Or is it the free trial?

    Is the below something you installed:
    O3 - Toolbar: eSnips - {ED1184DA-E57E-4480-99D0-A16809037F54} - C:\Program Files\eSnips\SnipBar.dll
     
    Last edited: Mar 24, 2006
  5. MelanieS

    MelanieS Private E-2

    Hope you got some rest! I was up too late too with this. I really need to fix it as I am afraid to use the computer while it is infected... :(

    Ewido is the free version.
    Esnips is software we put on the computer which allows for remote archiving but I am totally fine with removing it.

    I am totally baffled by the IE5 folder. There are NO folders in the Temporary Internet Files Folder, and I checked that the settings were still as they should be per the READ THIS FIRST instructions. They are. I see the hidden folders and files as faded icons, but that folder is not there. BUT, I ran ActiveScan yet again and it is picking it up. ??????

    I'm attaching that newest ActiveScan.

    Also, when I booted this morning, the Slimshield did the same disappearing act, I'm getting the Trojan warnings from NIS, Windows Installer pops up when I try to open a word document... and several tmp files are attempting to access the internet and I choose not to allow it....

    Thanks
     
  6. MelanieS

    MelanieS Private E-2

    One more thing:

    SpySweeper (purchased version)

    Picks up the following:

    Trojan agent winlogonhook (13 traces) Risk rating Very High
    Trojan-downloader-aux (2 traces) Risk rating Very High

    It allows me to remove them, but obviously it's only a temporary removal.

    And, here's the attached Panda ActiveScan File.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download and install this tool: ExplorerXP

    Use it to look for those files you said you cannot find. Can you find them now?

    Make sure all of the below are deleted. Some may come back because you still have more problems to fix.
    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    C:\WINDOWS\temp\win1B.tmp.exe
    C:\WINDOWS\temp\win2ED.tmp.exe
    C:\WINDOWS\temp\win412.tmp.exe
    C:\WINDOWS\temp\win42C.tmp.exe
    C:\WINDOWS\temp\win423.tmp.exe
    C:\WINDOWS\temp\winE.tmp.exe
    C:\WINDOWS\temp\win15F.tmp.exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\mullbin1[1].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\67GA0TV7\wdinit64[2].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\KG3MPVVA\wdinit64[1].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\JJEAXBLB\wdinit64[1].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\Y5MDM7OR\shpop[1].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\Y5MDM7OR\wdinit64[2].exe
    C:\Documents and Settings\Melanie\Local Settings\Temporary Internet Files\Content.IE5\Y5MDM7OR\wdinit64[1].exe
    After trying to use ExplorerXP (whether it works or not) please attach a new HijackThis log so we can work on the rest of your problems.
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here are the next steps! Note there may be some files in the list below that you have already removed. That's okay! It does not hurt us to double check.

    Start by downloading two tools we will need (I believe you said you downloaded them already)

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winccf32.dll once and then click the kill button. After you have killed all of the winccf32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winccf32.dll and kill it.


    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
    O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    C:\WINDOWS\temp\win1B.tmp.exe
    C:\WINDOWS\temp\win2ED.tmp.exe
    C:\WINDOWS\temp\win412.tmp.exe
    C:\WINDOWS\temp\win42C.tmp.exe
    C:\WINDOWS\temp\win423.tmp.exe
    C:\WINDOWS\temp\winE.tmp.exe
    C:\WINDOWS\temp\win15F.tmp.exe
    C:\WINDOWS\SYSTEM32\winccf32.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot let's double-check with Windows Explorer for the below and delete them if they still exist:
    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    C:\WINDOWS\temp\win1B.tmp.exe
    C:\WINDOWS\temp\win2ED.tmp.exe
    C:\WINDOWS\temp\win412.tmp.exe
    C:\WINDOWS\temp\win42C.tmp.exe
    C:\WINDOWS\temp\win423.tmp.exe
    C:\WINDOWS\temp\winE.tmp.exe
    C:\WINDOWS\temp\win15F.tmp.exe


    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
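
As an added example, not part of the thread and not from MajorGeeks or the tools named above, the following PowerShell script audits the two things chaslang's procedure targets: the Winlogon Notify registry subkeys (the persistence behind HijackThis "O20 - Winlogon Notify" lines such as winccf32) and a list of suspect paths, including hidden/system files that Windows Explorer may not show. It is read-only (it reports, it deletes nothing), assumes PowerShell 3 or later, and the `$SuspectPaths` list is a constructed sample taken from the paths named in this thread; the Notify key only exists on Windows XP-era systems, and the script simply reports nothing if it is absent.

```powershell
# Added example, not part of the original thread. Audits Winlogon Notify
# persistence (HijackThis "O20" lines) and checks a list of suspect paths,
# including hidden/system files Explorer hides. Read-only: reports, never deletes.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$System32  = Join-Path $env:SystemRoot 'System32'

# Constructed sample list from the paths named in the thread; extend as needed.
$SuspectPaths = @(
    'C:\WINDOWS\SYSTEM32\dfrgsrv.exe',
    'C:\WINDOWS\SYSTEM32\winccf32.dll',
    'C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf'
)

function Get-WinlogonNotifyEntries {
    # Each subkey under Notify names a DLL that winlogon.exe loads at logon.
    if (-not (Test-Path $NotifyKey)) { return @() }
    Get-ChildItem $NotifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            $dll = Join-Path $System32 $dll      # bare names resolve from System32
        }
        $exists = $dll -and (Test-Path -LiteralPath $dll)
        $signed = $false
        if ($exists) {
            $signed = (Get-AuthenticodeSignature -LiteralPath $dll).Status -eq 'Valid'
        }
        [pscustomobject]@{
            Name       = $_.PSChildName
            DLL        = $dll
            OnDisk     = $exists
            Signed     = $signed
            # Flag a missing file (the leftover "(file missing)" case) or an unsigned DLL.
            Suspicious = (-not $exists) -or (-not $signed)
        }
    }
}

function Test-SuspectPaths {
    foreach ($p in $SuspectPaths) {
        # -Force lets Get-Item see hidden and system files that Explorer hides by default.
        $item  = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        $attrs = ''
        if ($item) { $attrs = $item.Attributes.ToString() }
        [pscustomobject]@{
            Path       = $p
            Present    = [bool]$item
            Attributes = $attrs
        }
    }
}

Get-WinlogonNotifyEntries | Format-Table -AutoSize
Test-SuspectPaths | Format-Table -AutoSize
```

A Notify entry whose DLL is missing on disk matches the "(file missing)" O20 line left over later in this thread; an entry whose DLL is present but unsigned deserves a closer look before anything is removed.
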
  9. MelanieS

    MelanieS Private E-2

    I'm going to begin this process. I can see the files with ExplorerXP! Do I delete them, or delete them permanently? Both options are offered.

    Thanks
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since we do not want those files at all, delete them permanently to avoid having them go to the Recycle Bin. We would just have to empty the Recycle Bin afterwards but why bother.
     
  11. MelanieS

    MelanieS Private E-2

    Whew. I did as instructed. A few times during the process NIS told me I had the Download.Trojan virus again, but not since I rebooted and it looks like the Slimshield is gone.

    Here's the HJ log
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay just one left over to fix. Have HJT fix the below line and make sure it does not come back:

    O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)


    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  13. MelanieS

    MelanieS Private E-2

    I did as instructed. Looks good.

    One last problem.

    When I try to open an MSWord doc, a window pops up from Windows Installer "Preparing to Install"

    Then Norton Antivirus window comes up, stating "Please wait while Windows configures Norton AntiVirus 2005."

    Norton AntiVirus 2005 window comes up "Norton AntiVirus 2005 does not support the repair feature, please uninstall and reinstall."

    Then MS Office window appears "The command cannot be performed because a dialog box is open. Click it, and then close dialog boxes to continue."

    When I close all of these windows, MSWord opens and all is well.

    When I run NAV, it detects nothing.

    SpySweeper is still finding a winlogonhook trojan.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what to tell you about Windows trying to configure Norton. Perhaps it got corrupted from the malware. You may need to do what they say. Uninstall, reboot, reinstall. And I'm not sure why MS Office is getting involved in this.

    Try running the below tool. It sometimes fixes corrupted Windows Installer issues.

    Windows Installer CleanUp Utility

    We will have to run Spy Sweeper in a special mode to remove the winlogonhook problem.

    Okay here is what I want you to do. Print or save these steps to a notepad file locally to refer to if necessary because ALL browsers (including this one) must be closed when you do the following.
    • Run Spy Sweeper but do not start a scan yet.
    • Close ALL browser sessions and exit any other programs that are running except SpySweeper (and notepad if you needed it).
    • Open Task Manager by pressing CTRL-SHIFT-ESC.
    • In Task Manager's Process list, locate explorer.exe. Right click on it and select Kill process tree. Do not be alarmed! This will make your Desktop with icons disappear. It is only temporary.
    • Now run a full scan with Spy Sweeper and save a new log.
    • Now in Task Manager click File, New Task (Run...) and enter explorer.exe and click OK. Your Desktop should come back.
    • Now attach the new Spy Sweeper log here.
    • Now reboot and run a new Spy Sweeper scan and tell me if it still finds the problem (yes that is two scans with SpySweeper, one to hopefully fix, and one to make sure it fixed).
    • If it does still find a problem, continue with the below Ewido scan and attach the Ewido log: Running Ewido Anti-Malware
     
