Trojan-Downloader.Win32.Small.ivp and Trojan-PWS.tanspy

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jaimej78, May 26, 2008.

  1. jaimej78 (Private E-2)

    Hello, this is my first time posting here. Defender Pro 15-in-1 2008 recently identified Trojan-Downloader.Win32.Small.ivp in my System Volume Information folder, specifically C:\System Volume Information\_restore{46de8921-1d39-44d2-a9e9-64119261f211}\RP229\a0162938.exe. The program said it couldn't disinfect the file, and, not knowing what to do, I deleted the file. Then I noticed that during a complete system scan, Defender Pro would scan up until it reached the file C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP245\snapshot\Repository\FS\OBJECTS.MAP, and then "hang up" -- the magnifying glass icon would continue turning, and the timer would continue ticking, but no further files would be scanned. The program runs a Critical Areas system scan to completion. To see if the issue was caused by my having deleted the file, I restored the file, and ran another scan, but the same thing happened.

    I then installed Spyware Doctor and the trial versions of XoftSpySe and Trojan Remover, but none of those programs identified the infection. After reading the "Read and Run Me First" thread, I downloaded and ran most of the recommended programs, but I'm having trouble uninstalling Defender Pro in order to install SuperAntiSpyware. Defender Pro keeps telling me I don't have permission to uninstall it. This morning, Spyware Doctor notified me that I've been infected with Trojan-PWS.tanspy, and now my browser is getting redirected to poker websites. I've already run CCleaner, Spyware Doctor, Spybot Search and Destroy, and Malwarebytes' Antimalware. Defender Pro has started "hanging up" at different points only minutes into the scan.

    I read that I might have to log in as an administrator and disable System Restore, and do another virus scan. Since my computer is second-hand, I'll have to call my mother's friend, whom I bought it from, and hope she remembers the password. If anyone can help with this problem, I'd greatly appreciate it. Defender Pro seems to be notoriously difficult to uninstall. I wish I'd read up on it before buying!
     
  2. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Welcome to Major Geeks!

    Just disable System Restore, reboot, and then re-enable it.

    Uninstall all of these now.

    You do not need to uninstall Defender Pro to install SUPERAntiSpyware.

    Please attach all of the requested logs from the READ & RUN ME.
     
  3. jaimej78 (Private E-2)

    Here are my logs (first three). Spybot Search and Destroy also detected Cimuz, Drive Cleaner 2006, Smitfraud-C.Ebay, and some sort of fake Telecom bill. I removed them for the second time, but they're in the registry and reappear every time Windows reboots.
     

  4. jaimej78 (Private E-2)

    Here is the fourth log.
     

  5. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below software:
    My Way Search Assistant <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: mstcpmcu.exe

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Copy the bold text below to Notepad. Save it as fixme.reg to your Desktop. Be sure the "Save as" type is set to "All Files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it definitely did not work.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
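    The HijackThis lines above are autostart entries: R1 is the Internet Connection Wizard's ShellNext value, O3 is an Internet Explorer toolbar registered by CLSID, and O4 entries are Run-key values and Startup-folder items. As an added example, not part of chaslang's post and not HijackThis's own code, the PowerShell script below enumerates those same locations and flags entries whose file no longer exists on disk, which is what HJT prints as "(no file)". The function names (Get-ImagePath, Test-ImageExists, New-Finding) are my own; the removal line at the end targets the MSMSGS value quoted in the post and runs with -WhatIf, so nothing is changed until that switch is dropped. Run it from an elevated PowerShell prompt with all browsers closed, as the post says.

```powershell
# Added example, not from the thread: enumerate the autostart locations that
# HijackThis reports as R1 / O3 / O4 and mark entries whose file is missing.

function Get-ImagePath {
    param([string]$CommandLine)
    # Pull the executable out of a Run value: a quoted path if present,
    # otherwise the first whitespace-delimited token; expand %VAR% references.
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-ImageExists {
    param([string]$Path)
    if (-not $Path) { return $false }
    # Full paths are checked directly; bare names (e.g. rundll32) via PATH lookup.
    if (Test-Path -LiteralPath $Path) { return $true }
    return [bool](Get-Command $Path -CommandType Application -ErrorAction SilentlyContinue)
}

function New-Finding([string]$Type, [string]$Location, [string]$Name, [string]$Target, $OnDisk) {
    [pscustomobject]@{ Type = $Type; Location = $Location; Name = $Name; Target = $Target; OnDisk = $OnDisk }
}

$findings = @()

# R1: ShellNext is the page the Internet Connection Wizard opens; adware points it
# at a search portal. It is a URL, so there is no on-disk check for it.
$icw = 'HKCU:\Software\Microsoft\Internet Connection Wizard'
$shellNext = (Get-ItemProperty -Path $icw -Name ShellNext -ErrorAction SilentlyContinue).ShellNext
if ($shellNext) { $findings += New-Finding 'R1' $icw 'ShellNext' $shellNext $null }

# O3: IE toolbars are listed by CLSID; the DLL lives under the CLSID's InprocServer32 key.
$tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$tb = Get-ItemProperty -Path $tbKey -ErrorAction SilentlyContinue
if ($tb) {
    foreach ($p in $tb.PSObject.Properties) {
        if ($p.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($p.Name)\InprocServer32"
        $dll = (Get-ItemProperty -Path $srv -ErrorAction SilentlyContinue).'(default)'
        $findings += New-Finding 'O3' $tbKey $p.Name $dll (Test-ImageExists $dll)
    }
}

# O4 (registry): per-machine and per-user Run / RunOnce values.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the provider's own metadata properties
        $exe = Get-ImagePath ([string]$p.Value)
        $findings += New-Finding 'O4' $key $p.Name $exe (Test-ImageExists $exe)
    }
}

# O4 (folders): "Startup" is the current user's folder, "Global Startup" is All Users'.
$shell = New-Object -ComObject WScript.Shell
$startupDirs = @{
    'Startup'        = [Environment]::GetFolderPath('Startup')
    'Global Startup' = [Environment]::GetFolderPath('CommonStartup')
}
foreach ($label in $startupDirs.Keys) {
    $dir = $startupDirs[$label]
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        # A .lnk is followed to its target; anything else is launched as-is.
        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
        $findings += New-Finding "O4 - $label" $dir $_.Name $target (Test-ImageExists $target)
    }
}

# Entries with OnDisk = False are the "(no file)" leftovers; review the rest by hand.
$findings | Sort-Object OnDisk, Type | Format-Table -AutoSize

# Removing one value once you have decided it is unwanted (MSMSGS is the Windows
# Messenger entry quoted in the post). -WhatIf previews; drop it to actually delete.
Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'MSMSGS' -WhatIf
```

    An entry whose file is missing is harmless by itself but is worth clearing because it shows where something used to load from; an entry whose file does exist still needs a hash or signature check before it is trusted, since a valid path says nothing about what the binary does.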
     
  6. jaimej78 (Private E-2)

    When I try to uninstall this, I get an error message that says: "Error loading C:\PROGRA~1\MyWaySA\SrchAsDe\1.bin\desrcas.dll The specified module could not be found."

    Here are the logs.
     

  7. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Does Defender Pro Internet Security have its own firewall built-in?


    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now double click the fixME.reg patch that should still be on your Desktop from last time and allow it to be added to the registry.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip

    Make sure you tell me how things are working now. You forgot to tell me last time!
     
  8. jaimej78 (Private E-2)

    Yes, it does, but most of Defender Pro's features aren't working. Every time I log on, I get a pop-up box telling me that DP's firewall, anti-spam, and anti-virus features have either failed, or are partially running. Other than that, the computer seems to be running okay, but a little slowly.
     
    Last edited: Jun 28, 2008
  9. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Then why do you have McAfee's firewall installed? Read the starting paragraphs of the READ & RUN ME again. You need to uninstall McAfee. Perhaps you got it from your ISP's software (like BellSouth Internet Security). You cannot install multiple security suites like this. It will totally mess up your PC and each application, which is more than likely the reason for your problems. I suggest that you uninstall all of these applications and then reboot. After reboot, run the below to make sure that McAfee is gone:

    McAfee Consumer Product Removal Tool

    Then reboot one more time. Then DO NOT reinstall any of these yet. First do the below.


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Now attach the new C:\MGlogs.zip file that was just created.

    Now decide which security application you want to use and tell me which it will be. I don't particularly think Defender Pro is a good choice. Way too many horror stories about it. I'm not sure if newer versions have really improved or if their support has gotten better but it would not be high on my list.
     
  10. jaimej78 (Private E-2)

    The McAfee firewall was installed when I got the computer. I tried to uninstall it when I uninstalled the McAfee anti-virus program, but I did something wrong, because I kept getting a message saying that the firewall couldn't be uninstalled because the necessary component couldn't be found. I needed an anti-virus program, though, so that's when I installed Defender Pro.

    Sorry for the long delay. The computer crashed about three weeks ago, and I couldn't even start it in Safe Mode. I got a blue screen with a stop error that was something like "00000024." The message advised uninstalling any anti-virus and anti-software, but I couldn't reach the Desktop to do that. I called Dell, and the tech support man told me the computer had a corrupt file system, and the diagnostic test showed that the hard drive wasn't damaged, but it would've cost $129 for him to walk me through the steps to fix it, so I just bought another computer (I wanted one with a DVD burner, anyway). The old one gave me problems almost every time I installed a program. This one has McAfee Security Center installed on it, and I'm going to install all the recommended programs under Read and Run Me.
     
  11. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    No! The READ & RUN ME is for fixing malware problems. What you need to do is the below:

    How to Protect yourself from malware!
     
  12. jaimej78 (Private E-2)

    I've been following that advice. I'm currently using Windows Defender as a real-time anti-spyware scanner. Is it adequate, or should I replace it with one of the pay options?
     
  13. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    Already stated in How to Protect yourself from malware! that Windows Defender for Windows XP is not good.

    Are you ever going to finish the instructions from message # 7?
     
  14. jaimej78 (Private E-2)

    I'm using the Vista version.

    I'm sorry, I can't access anything on that computer.
     
  15. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    No! You are running it on Windows XP. The Vista version is embedded into Vista and works differently.


    Oh, that's right! You said it crashed. So what are these recent questions related to? A new PC that has Vista on it??? If so, disregard what I said about Win XP. This is why we say that questions for different PCs belong in different threads. ;)
     
  16. jaimej78 (Private E-2)

    Sorry about that. Yes, this new computer is running Vista. I should've paid closer attention to the FAQ.
     
  17. chaslang (MajorGeeks Admin - Master Malware Expert, Staff Member)

    No problem. :)
     