Need Help with Downloader Trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by gregowen, Feb 7, 2008.

  1. gregowen

    gregowen Private E-2

    I have been running and building computers since they were first introduced and nothing has ever got me more infuriated than the Downloader Trojan so in desperation I have turned to you guys for help.

    I can't find out how to remove it despite following all the suggestions on these pages and elsewhere. The thing self-perpetuates and I can't see where from. Sometimes it's the Vundo trojan, then last time the Trojan Panddos. Symptoms include painfully slow performance, NAV not working, frequent failure of my Avant Browser and Windows error messages saying either win.exe or avp.exe have encountered a problem and need to close. Once these appear the system usually just shuts down. Safe mode seems to be OK at least. I'm running XP Pro SP2.

    So far, Norton AV 2007 finds it (until I reboot at least) and then it reappears.
    I have also run Ad-Aware 2007, Spybot S&D, PC Bug Doctor, AVG Anti-Spyware, Rootkit Buster besides the usual disk clean-up, CCleaner etc. And yes, I have followed the instructions about "read this first" and done that. I have disabled Messenger also. It was preceded by an Infostealer.gampass problem which I did at least manage to finally beat.

    I have run HijackThis and found a number of items to delete along with a few items of rogue code in the registry, but I am at the limit of my expertise now so any help would be great.

    Cheers in anticipation.
     
  2. abri

    abri MajorGeek

    Hi gregowen!
    Welcome to Major Geeks!


    Please work through the instructions in the READ & RUN ME FIRST and attach the requested logs with your next post. From what you're telling us, it sounds like it will be possible for us to create a fix specific to your computer and problems, but to do that we need to see the logs. When you work through this, please be sure to put your computer in normal startup mode using msconfig.
    abri
     
  3. gregowen

    gregowen Private E-2

    Many thanks for the offer of help. I have attached the three files for your consideration and thoughts.

    My PC is so sick it would not run the tests with MSConfig set to Normal Mode, as it switches off before completion, so they were run in diagnostic mode.

    AVG found and quarantined the Downloader.delf.enm trojan located in the C:/System Volume Information folder (which I have not seen before).

    This virus appeared last Saturday as I settled down to watch the Rugby on a Chinese P2P website on a player I downloaded called Uusee. I should have known better.

    Many Thanks in Anticipation.
     

    Attached Files:

  4. abri

    abri MajorGeek

    Hi greg,

    We need to do things in several steps. Please begin as follows:


    1) To begin with, please disable Spybot's TeaTimer. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) Go to add/remove programs and uninstall the below:

    ewido anti-malware <--- outdated and replaced by AVG AS
    J2SE Runtime Environment 5.0 Update 2
    J2SE Runtime Environment 5.0 Update 4
    Java 2 Runtime Environment, SE v1.4.2_07
    Java(TM) 6 Update 3
    Prevx1 <--- just installed, probably in an attempt to fix issues. It will get in your way.
    Spybot - Search & Destroy 1.4 <--- old versions should be removed

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment


    5) Download and install Erunt. Use it to create a backup of your registry.

    6) Please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    7) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    8) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log. Also, please let me know if you got a success message on the registry patch (regedit4).


    Let me know how things are running now.

    abri
     
  5. gregowen

    gregowen Private E-2

    Abri

    Many thanks for the prompt response. I am very grateful to you.

    I followed your instructions. I did have a problem uninstalling Spybot S&D 1.4 because it said the installation was corrupt. The same happened with Ewido.

    Everything else went well, the registry patch worked ok.

    However, upon reboot, AVG did announce the quarantine of m1.exe after it discovered the downloader.delf.enm trojan after I carried out your instructions.

    New logs are attached.

    Once again, many thanks for your help

    Greg
     
  6. gregowen

    gregowen Private E-2

    I think I forgot to attach the files. Here they are

    Greg
     

    Attached Files:

  7. abri

    abri MajorGeek

    Hi greg,
    The Avenger file you posted is the program, not the log. Please look for a file called Avenger.txt. You should be able to attach that without zipping it.
    Thanks.
    abri
     
  8. gregowen

    gregowen Private E-2

    Apologies for my mistake.

    New file is attached.

    Greg
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi greg,

    We still have to get your computer into normal startup mode so we can get out the startup items that are a problem.

    1) Please disable your guest account if this has not already been done.

    2) What are the following files?

    C:\Documents and Settings\Greg\My Documents\
    7290e_~1.exe Feb 2 2008 34862984 "7290E_PBrER4.1.0_rel556_PL1.8.0.154_A4.1.0.377_AWS.exe"
    7290e_~2.exe Feb 2 2008 21088144 "7290E_PBr4.0.0_rel274_PL1.8.0.129_A4.0.0.219-Cingular.exe

    C:\Documents and Settings\Greg\Desktop\
    quickb~1.tor Jan 26 2008 46326 "QuickBooks.Premier.2007 + Crack.torrent"
    QUICKB~1.200 Jan 26 2008 "QuickBooks.Premier.2007 + Crack"

    3) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,,C:\WINDOWS\system32\host.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    Do the following belong to programs you know or want to keep? If not, please fix them as well.


    O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} - http://mfr.mlxchange.com/Control/FileCruiser.cab
    O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} - http://mfr.mlxchange.com/Control/Specfile.cab
    O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://mfr.mlxchange.com/Control/SISC.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange.com/Control/MultiSelectComboBox.cab
    O16 - DPF: {5EB6A98B-F75B-4AC7-821D-BAD2C29D18C2} - https://onlineservice4.progressivedirect.com/SelfService.Web/TalkToMe/cv/CVALAX.CAB
    O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange.com/Control/MLXClientUtils.cab
    O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} - http://mfr.mlxchange.com/Control/LiteGrid.cab
    O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - http://mfr.mlxchange.com/4.2.05.20/Control/IRCSharc.cab
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
    O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} - http://mfr.mlxchange.com/Control/AspCustomCtrls.cab

    After you click fix, just close hijackthis.


    4) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    5) Run CCleaner at the default setting with the Windows tab as the one on top.


    6) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  10. gregowen

    gregowen Private E-2

    Abri

    I disabled the guest account (plus one other I was unaware of) so now there is just me as administrator and the guest is off.

    I deleted all the files listed under item 2. They were software files for my blackberry.

    I ran HijackThis and clicked the items and then on "fix this", including all the O16 entries, as I can easily add them later.

    I then ran The Avenger and copied the text as before and rebooted the machine.

    On reboot, MSConfig has selective startup and all services running (I think I did that earlier). One box was unchecked for AppleMobileDeviceService.exe so I checked that and continued.

    There are now repeated findings of the Trojan by AVG and an error message came up saying Internet Explorer needs to close even though it wasn't running. Win.exe error messages and avp.exe messages keep appearing.

    MGtools took ages to complete.

    Greg
     

    Attached Files:

  11. abri

    abri MajorGeek

    Hi Gregowen,

    I think your getting the safe mode startup menu may be something in your boot.ini file. We'll look at that next.

    Please do the following first:


    1) To begin with, please disable Spybot's TeaTimer as this can block any fixes we try to do. This can be done two ways.
    First:
    • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
    • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
    • If you have Version 1.4, Click on Exit Spybot S&D Resident
    or Second, For Either Version :
    • Open Spybot S&D
    • Click Mode, choose Advanced Mode
    • Go To the bottom of the Vertical Panel on the Left, Click Tools
    • then, also in the left panel, click Resident (shows a red/white shield).
    • If your firewall raises a question, say OK
    • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
    • OK any prompts.
    • Use File, Exit to terminate Spybot
    2) Next, please tell me what's in the following folder? (don't open any files)

    100OLYMP


    3) If the following item is one that is familiar to you and a service you want, then skip this step 3:
    Quote:
    O23 - Service: Network Connections Management (RemoteStorage) - Unknown owner - C:\WINDOWS\system32\ma[1].exe (file missing)
    If you do not know what it is, continue as follows to disable it:
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Network Connections Management
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste RemoteStorage into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    4) Now scan with HijackThis (this is analyse.exe in the MGTools folder under C) and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    O23 - Service: Network Connections Management (RemoteStorage) - Unknown owner - C:\WINDOWS\system32\ma[1].exe (file missing)

    After you click fix, just close hijackthis.


    5) Now rerun Avenger as you did in step 8 of post 4 only this time use the contents of this box:
    Quote:
    Files to delete:
    C:\Start_.cmd
    C:\WINDOWS\system32\wincom.exe
    c:\win.exe
    c:\avp.exe
    C:\WINDOWS\system32\msapi32.dll
    6) Run CCleaner in the default setting with the Windows tab as the one on top.

    7) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
  12. gregowen

    gregowen Private E-2

    Abri

    So here's what happened.

    1) Turned off Tea Timer ..OK

    2) The folder is one of mine, contains pictures taken from my Olympus Digital Camera.

    3) Went into services.msc and successfully disabled Network Connections Management... OK. Also disabled another line of code that was part of the virus and had a bunch of symbol writing... OK

    Ran HJT and deleted NT Service/ Remote Storage as advised .. OK

    4) Ran analyse.exe... OK, file attached.

    The O23 line to which you refer was not there. I think I already deleted it last night. That was part of the trojan, esp. the file ma[1].exe.

    5) Ran avenger... OK file attached.

    6) Ran Ccleaner ..OK

    7) Ran MGtools and the zip file is attached.

    AVG Is still finding the malware and the win.exe and avp.exe Windows error messages still appear but less than they did.
     

    Attached Files:

  13. gregowen

    gregowen Private E-2

    Now I am unable to upload the MGlogs.zip file. Says I already did it.
     
  14. gregowen

    gregowen Private E-2

    OK, here it is.
     

    Attached Files:

  15. gregowen

    gregowen Private E-2

    Abri

    In addition, I have attached a copy of the dialogue box for the extra service I disabled in services.msc just in case it helps you to find the bug.

    Many Thanks

    Greg
     

    Attached Files:

  16. abri

    abri MajorGeek

    Hi greg,

    That's a weird file in your screen shot for sure. I need to determine the best way to get rid of it as it seems to also be showing up in your msconfig services. While you're waiting, please do the following and attach the requested logs.

    Teatimer is still showing as being active. Please disable it as per the instructions in the previous post and check to make sure it stays inactive, also after you reboot. Otherwise it may be necessary to uninstall Spybot until we've finished.

    1) Please run Avenger again, but before you start, check the new file I added which comes from your Desktop called dss.exe and see if it's something you're familiar with and want. If so, remove it from the Avenger fix. Also, I'm not sure what the folder is under Folders to delete:, but it looks like something which needs to be deleted as well. Please check both of these before continuing.
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    2) Now run CCleaner at the default setting with the Windows tab as the one on top.


    3) And finally run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.

    abri
     
  17. gregowen

    gregowen Private E-2

    Abri

    Logs attached. Here is what's happening:

    1. Stopped Tea Timer in startup. OK

    2. Ran Avenger - Log attached.

    3. Ran CCleaner

    4. Ran MG Tools - Log Attached.

    I had manually removed the Hide IP file off the desktop as I had placed it there before running Avenger. DSS.exe was another spyware cleaner I had downloaded before and that has now gone too.

    Even though win.exe and avp.exe were deleted, they are back again and AVG reports the following malware on reboot:

    C:\Program Files\Common Files\M[1].exe
    C:\Program Files\ver.txt

    Other notable observations are that I am unable to re-install Norton Antivirus. I had taken this off some while ago to prevent it getting in the way of the clean-up. I still have Ewido on the computer. It's not possible to uninstall as the installation files are corrupt. I can manually terminate the process though. I deleted one or two other files off my desktop that were not needed.

    The files relating to the Apple Mobile Device are not mine and can go.

    When I open MSConfig and start up in diagnostic mode, there are no problems.

    On another note, the computer no longer switches off and starts and runs much faster - so for that I thank you again.

    Greg
     

    Attached Files:

  18. abri

    abri MajorGeek

    Hi gregowen,

    Avenger was not able to delete the keygens folder on the desktop. Can you see it there? If so, please delete it.

    Next run CCleaner at the default setting with the Windows tab as the one on top.

    Then run Combofix again.

    Your MGlogs.zip only includes one log (runkeys) and is missing all the rest. Please rerun the GetLogs.bat (in the MGTools folder) and make sure to allow it to run all the way to the end. You'll get a message like click on any key to close the window and produce the logs. The logs will be located directly under C.

    Attach the Combofix and MGlogs.zip with your next post.

    Does AVG report quarantining or deleting the files it's finding? Do they just come back again after that? Or can AVG not delete them?

    The reason you're having trouble with uninstalling Norton's (which is behind the problems reinstalling it) is because it was uninstalled without msconfig being in normal startup mode. This leaves a lot of entries behind. You have quite a few symantec services still running. Before you can fix this, we have to get your msconfig back to where it needs to be.
    Thanks.
    abri
     
  19. gregowen

    gregowen Private E-2

    Hi Abri

    1) The file to which you refer has been deleted previously by me (the keygens one) and I doubt was related.

    2) The computer is running in Normal Start Up Mode in MSConfig and has been for some time.

    3) I ran both CCleaner and Getlogs.bat and the two files are attached.

    4) AVG Does report that the infected files are cleaned and quarantined but I have to delete them manually. Even so they still come back during the same session.

    Greg
     

    Attached Files:

  20. gregowen

    gregowen Private E-2

    Abri

    I think I found the little bleeder !!!

    Check the Combofix.txt file and in particular the following three changes made on 02/02/2008 (exactly the time of the infection)

    2008-02-02 14:05 . 2008-02-02 14:05 280 ---hs---- C:\WINDOWS\system32\xhqq.cfg
    2008-02-02 14:05 . 2008-02-02 14:05 144 ---hs---- C:\WINDOWS\system32\niluw.cfg
    2008-02-02 14:05 . 2008-02-02 14:05 144 ---hs---- C:\WINDOWS\system32\naixuhz.cfg

    When I google these file names there are references to a trojan. When I searched for one of them on my PC the two locations appeared (I attached the screen shot so you can see). If that is so, should we not just delete them?

    I hope this is it. :)

    Greg
     

    Attached Files:

  21. gregowen

    gregowen Private E-2

    Here are the two other screen shots for the last comments.

    Greg
     

    Attached Files:
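The approach Greg takes in the two posts above (look in the ComboFix "files created" listing for everything written at the exact minute the infection landed, and pay attention to the ---hs---- hidden+system flags) can be automated. The script below is an added example and is not code from this thread, from MajorGeeks or from ComboFix. It assumes the line layout shown in Greg's post (creation time, a dot, last-write time, size, a nine-character attribute string, path) plus the <DIR> size marker and comma-grouped sizes seen in other ComboFix logs; the three .cfg lines in the sample are quoted from the post, every other sample line is constructed, and the "suspicious" heuristics are the author's own, not anything ComboFix reports.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# One ComboFix "files created" line, as seen in the thread:
#   2008-02-02 14:05 . 2008-02-02 14:05 280 ---hs---- C:\WINDOWS\system32\xhqq.cfg
#   created           modified          size attrs    path
# The <DIR> size marker and comma-grouped sizes are assumed from other ComboFix logs.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+\.\s+"   # creation timestamp
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"        # last-write timestamp
    r"([\d,]+|<DIR>)\s+"                         # size in bytes, or <DIR>
    r"(\S{9})\s+"                                # attribute flags, e.g. ---hs----
    r"(.+)$"                                     # full path (may contain spaces)
)

# Directories where a freshly dropped, tiny, hidden file deserves a second look.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\system32\\drivers"}

# Constructed sample: the three .cfg lines are quoted from the thread; every other
# line is made up here to give the clustering something benign to ignore.
SAMPLE_LOG = r"""
2008-02-08 19:40 . 2008-02-08 19:40 <DIR> d-------- C:\Program Files\Java
2008-02-08 19:40 . 2008-02-08 19:41 144,896 --a------ C:\WINDOWS\system32\javaws.exe
2008-02-02 14:05 . 2008-02-02 14:05 280 ---hs---- C:\WINDOWS\system32\xhqq.cfg
2008-02-02 14:05 . 2008-02-02 14:05 144 ---hs---- C:\WINDOWS\system32\niluw.cfg
2008-02-02 14:05 . 2008-02-02 14:05 144 ---hs---- C:\WINDOWS\system32\naixuhz.cfg
2008-02-02 14:05 . 2008-02-02 14:05 22,528 --a------ C:\WINDOWS\system32\drivers\qwertyu.sys
2008-01-26 09:12 . 2008-01-26 09:12 46,326 --a------ C:\Documents and Settings\Greg\Desktop\notes.txt
"""


def parse_line(line):
    """Return a dict for one file entry, or None for lines that are not entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return {
        "created": datetime.strptime(created, "%Y-%m-%d %H:%M"),
        "modified": datetime.strptime(modified, "%Y-%m-%d %H:%M"),
        "size": None if size == "<DIR>" else int(size.replace(",", "")),
        "hidden": "h" in attrs,   # ComboFix flag letters: d, r, h, s, a
        "system": "s" in attrs,
        "path": path,
    }


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def likely_drop_time(entries):
    """The creation minute shared by the most entries: a dropper writes its
    payload files in one burst, so they all land in the same minute."""
    minute, count = Counter(e["created"] for e in entries).most_common(1)[0]
    return minute, count


def suspicious_reasons(entry):
    """Heuristics for one entry; an empty list means nothing stood out."""
    reasons = []
    folder = entry["path"].rpartition("\\")[0].lower()
    in_system_dir = folder in SYSTEM_DIRS
    if entry["hidden"] and entry["system"]:
        reasons.append("hidden+system attributes")
    if in_system_dir and entry["size"] is not None and entry["size"] < 4096:
        reasons.append("tiny file in a system directory")
    if in_system_dir and entry["size"] is not None and entry["created"] == entry["modified"]:
        # Installers usually preserve an older last-write time; a file whose
        # last-write equals its creation minute was written fresh on this box.
        reasons.append("written fresh at creation time")
    return reasons


def triage_created(text, window_minutes=2):
    """Find the drop burst, then report suspicious files created within
    window_minutes of it, in log order."""
    entries = parse_log(text)
    anchor, _ = likely_drop_time(entries)
    lo, hi = anchor - timedelta(minutes=window_minutes), anchor + timedelta(minutes=window_minutes)
    hits = []
    for e in entries:
        if lo <= e["created"] <= hi:
            reasons = suspicious_reasons(e)
            if reasons:
                hits.append((e["path"], reasons))
    return anchor, hits


if __name__ == "__main__":
    when, hits = triage_created(SAMPLE_LOG)
    print("drop burst at", when.strftime("%Y-%m-%d %H:%M"))
    for path, reasons in hits:
        print(f"  {path}: {', '.join(reasons)}")
```

The busiest creation minute is only a starting point: a Windows Update or a Java reinstall produces a burst too, which is why the second pass checks attributes, size and location before listing anything, and why the listing is evidence to hand to the helper rather than a delete list.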

  22. abri

    abri MajorGeek

    Hi greg,

    Yes, you can delete them, but use Avenger as you did in post 16, only this time use the contents of this box:
    After running Avenger, please run CCleaner in the default setting with the Windows tab as the one on top.


    I would like for you to rename the following file C:\WINDOWS\system32\drivers\pfvaqyvm.sys to pfvaqyvm.sys.zzz

    Try rebooting your computer a few times and see if you notice problems with any of your programs. If not, you can also delete this.

    Please attach the Avenger log with your next post.

    Thanks.
    abri
     
  23. gregowen

    gregowen Private E-2

    Abri

    1) The Avenger log failed to materialise but the new files have gone.

    2) I found no trace of pfvaqyvm anywhere.

    3) I did manage to remove Norton finally using diagnostic set-up in MSConfig.

    4) Found some more lines of junk code in the Registry and deleted them too.

    5) I disabled all Windows services and start-up items together with system.ini and win.ini (except for AVG) and the win.exe and avp.exe still appeared, as did wincom.exe, even though I used Avenger to delete them first.

    6) HijackThis and Avenger latest logs attached

    Any ideas?

    Greg
     
  24. gregowen

    gregowen Private E-2

    Attached Files:

  25. abri

    abri MajorGeek

    Hi greg,
    This looks like the wrong Avenger log. Did you try to delete those files I asked you to delete?
    abri
     
  26. gregowen

    gregowen Private E-2

    Abri

    I did but the avenger log came up as error.

    This is a later one I ran after with my attempt to re-delete others just in case they came back.

    Greg
     
  27. abri

    abri MajorGeek

    Hi greg,
    did you try the instructions you posted the link for?
    Please run GetLogs.bat which can be found in the MGTools folder and then post the logs called MGlogs.zip which are located directly under C.
    Thanks.
    abri
     
  28. gregowen

    gregowen Private E-2

    Abri

    I read the pages where the link goes and was under the impression it explained how the virus infects the computer and not how to rid the PC of it. Was I wrong?

    I have attached the logs for you.

    Thanks for your patience again.

    greg
     

    Attached Files:

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    While working on fixing your malware problems, please avoid downloading and installing anything on your PC other than what we are asking you to install. Also do not run any steps on your own as it can only cause confusion for us when we see things going on that don't make sense.

    Please first uninstall ewido anti-malware. It is old and out of date and Ewido was purchased by Grisoft and has been replaced by AVG Antispyware which you already have installed.

    I'm also going to have you stop PrevxCSI from starting up by removing the startup entry with HijackThis further down in these instructions. I want to make sure that PrevxCSI is not getting in our way.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    In the below instructions where I say to look for COM+ Windows System, make sure you select ONLY THIS EXACT SERVICE name if found. DO NOT confuse it with two other similarly named Windows services named COM+ Event System and COM+ System Application.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to COM+ Windows System
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run C:\MGtools\analyse.exe which is really HijackThis, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste WinCOM into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for all occurrences of the following processes and one at a time kill them by selecting it and then click Kill process. Then click yes. ( If they startup again try killing them again one more time and just ignore them restarting and move on to the next step. )

    c:\win.exe
    c:\avp.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - Startup: PrevxCSI.lnk = ?

    After clicking Fix, exit HJT.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    wincom
    pxark
    bdwwnarb
    bccpukbn
     
    File::
    C:\Program Files\Common Files\m1.exe
    C:\WINDOWS\system32\wincom.exe
    C:\WINDOWS\system32\winsys.sys
    C:\WINDOWS\system32\winsys.inf
    C:\WINDOWS\system32\drivers\pxark.sys
    C:\WINDOWS\system32\drivers\bdwwnarb.sys
    C:\WINDOWS\system32\drivers\bccpukbn.sys
    C:\WINDOWS\system32\drivers\winsys.sys
    C:\WINDOWS\system32\drivers\winsys.inf
    C:\win.exe
    C:\avp.exe
    C:\wincom.exe
    C:\winsys.sys
    C:\winsys.inf
    C:\Program Files\jtvvbxwo.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\ecff_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\BBED60.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\1f9e_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\BC1664.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\2dd6_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\C03283.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\48ab_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\C05DF8.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\ca7_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\fe3_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\5724_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\50c6_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\C15614.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\C15633.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\C15E42.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\C15EBF.dmp
    C:\Documents and Settings\Greg\Local Settings\Temp\ae1e_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\ffe4_appcompat.txt
    C:\Documents and Settings\Greg\Local Settings\Temp\C94DA1.dmp
     
    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WinCOM\0000\Control]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WinCOM\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinCOM\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinCOM\Enum]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WinCOM\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinCOM\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WinCOM\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinCOM\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WinCOM\0000\Control]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WinCOM\0000]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WinCOM]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinCOM\Security]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinCOM\Enum]
    [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinCOM]
     
    DirLook::
    C:\WINDOWS\system32\backuped
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  30. gregowen

    gregowen Private E-2

    I tried to uninstall Ewido using Control Panel Add/Remove Programs and received an error message (see attached screen shot). The same error message appears when trying to remove a number of different programs and has done since infection.

    I will avoid doing anything else until I receive further instructions.

    Appreciate your help.
     

    Attached Files:

  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then just skip that step and continue.
     
  32. gregowen

    gregowen Private E-2

    Hi

    I followed the instructions and attached the files.

    When I reached the point about killing the win.exe process and avp.exe there were two instances of win.exe and none of avp.exe, even though the file is still there, located at C:\avp.exe

    It did not request a reboot after completion of HJT but did after running Combofix which I allowed it to do.

    Getlogs.bat took ages to complete after restart and running Ccleaner first, and the PC shut down half way through. I rebooted and ran through the entire process again, but this time it did ask to reboot after the HJT first run.

    The logs attached are the original running of Combofix and the second successful running of Getlogs.bat

    There are numerous reports by AVG of malware still running. I will attach screen shots in my next post.

    Greg
     

    Attached Files:

  33. gregowen

    gregowen Private E-2

    Here are the AVG malware findings flashing up on the screen.
     

    Attached Files:

  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you have it quarantine these? You said "numerous reports", but this is only two items. Were there more?

    Do you need LogMeIn to be running right now? Would it be a problem to have this uninstalled while we work through your malware issues? It is strongly recommended that you do not connect to this PC from another PC anyway since you could spread this infection. So if it is okay with you to uninstall it, please do it right now and then continue.

    Much of what we attempted to fix has come back and has spawned some new services for the malware. We will need to try again.


    Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for all occurrences of the following processes and one at a time kill them by selecting it and then click Kill process. Then click yes. ( If they startup again try killing them again one more time and just ignore them restarting and move on to the next step. )

    c:\win.exe
    c:\avp.exe

    Then just exit HijackThis.


    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    Driver::
    ewido
    kavshell
    msskye
    Ndisprot
    nuhlefkm
    qraxrnhr
    QJ
    QQHX
    WinCOM
    ZX
     
    DirLook::
    C:\WINDOWS\TEMP
    C:\WINDOWS\vf_hip
     
    File::
    C:\Program Files\ver.txt
    C:\Program Files\Common Files\m1.exe
    C:\WINDOWS\tmfcxglg.txt
    C:\WINDOWS\pfirewall.log
    C:\WINDOWS\pfirewall.log.old
    C:\WINDOWS\system32\kavshell.sys
    C:\WINDOWS\system32\wincom.exe
    C:\WINDOWS\system32\drivers\pxark.sys
    C:\WINDOWS\system32\drivers\bdwwnarb.sys
    C:\WINDOWS\system32\drivers\bccpukbn.sys
    C:\WINDOWS\system32\drivers\hybyujxv.sys
    C:\WINDOWS\system32\drivers\msaclue.sys
    C:\WINDOWS\system32\drivers\pfvaqyvm.sys
    C:\WINDOWS\system32\drivers\winsys.inf
    C:\WINDOWS\system32\DRIVERS\winsys.sys
    c:\win.exe
    c:\win.exe
    c:\win.exe
    c:\avp.exe
    c:\avp.exe
    C:\wincom.exe
    C:\winsys.sys
    C:\winsys.inf
    C:\Documents and Settings\Greg\Local Settings\tmp5D7.tmp
    C:\Documents and Settings\Greg\Local Settings\tmpB.tmp
    C:\Documents and Settings\Greg\Local Settings\tmp8.tmp
    C:\Documents and Settings\Greg\Local Settings\Temp\fla3B.tmp
     
    Folder::
    C:\Documents and Settings\Greg\Application Data\PrevxCSI
    C:\Program Files\ewido anti-malware
    C:\Program Files\PrevxCSI
    C:\WINDOWS\system32\backuped
     
    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=-
    [HKEY_LOCAL_MACHINE\software\Microsoft\windows\currentversion\Explorer\ShellExecuteHooks]
    "{54D9498B-CF93-414F-8984-8CE7FDE0D391}"=-
    
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Administrator\Local Settings\Temp

    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it.

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
    Last edited: Feb 17, 2008
  35. gregowen

    gregowen Private E-2

    I did uninstall LogMeIn and another remote control software (Netop) prior to running the fix.

    There are numerous reports of Malware, each one I quarantine. AVG Has 44 at last count and I go in and delete them from quarantine too.

    1) I did manage to kill the two processes using analyse prior to running the rest.

    2) ComboFix went as normal after I had to install the latest version, as the old one had expired. On reboot the following messages came up: Internet Explorer encountered a problem and needs to close, the warning message about the privacy icon, and a Windows Defender message about blocking or unblocking Windows Live Messenger (I said to keep blocking for now).

    3) Installed (or rather reinstalled) Sun Java

    4) Deleted the temp folders.

    5) Ran Ccleaner

    6) Ran Getlogs .bat

    Two things were odd. Half way through Getlogs.bat a message comes up saying the system needs to restart in order for the infection to clear, and the other was a folder I have not seen before in C:\documents and settings\local service\ANONYMOUS LOGONS DOCUMENTS

    The contents are a desktop.ini, a copy of which is attached just in case.

    There are the usual Malware reports by AVG on startup so I guess its still there.

    Greg
     

    Attached Files:

  36. gregowen

    gregowen Private E-2

    Here are the other attachments
     

    Attached Files:

  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be more helpful if you attached a log so I could see what is being found.

    Your ComboFix log is incomplete which indicates that it never finished running properly. Please run the procedure again but this time just leave out the reinstall of Sun Java. Make sure that you allow ComboFix to run after reboot and do not interrupt it. Do not run anything else until it finishes and shows you the log. Also add the below folder to the list to delete all files from:

    C:\Documents and Settings\Greg\Local Settings\temp

    Part of what we are fighting is this: http://www.sophos.com/virusinfo/analyses/w32sdbothh.html

    I would also like you to run this before running GetLogs.bat: SUPERAntiSpyware - running & getting a log and attach the SASlog.txt file that is requested. Then get the new MGlogs.zip file by running GetLogs.bat.

    Hopefully you meant you deleted the files from the temp folders. ;)

    Only a few minor things would be automatically deleted while running GetLogs.bat and none of these would require a reboot nor would a request for reboot be issued. Are you sure that you waited for ComboFix to finish running before you ran GetLogs.bat? When ComboFix reboots your PC, it will run again after reboot to finish cleaning and to create a log and this can take awhile to finish. During that time, nothing else should be run. ComboFix normally even pops up a message to tell you this.

    The C:\documents and settings\local service\ANONYMOUS LOGONS DOCUMENTS may be from using LogMeIn.
     
  38. gregowen

    gregowen Private E-2

    Here is one report from AVG and a snap of the current files in quarantine.
     

    Attached Files:

  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please complete the instructions given in my last message. (Message # 37).
     
  40. gregowen

    gregowen Private E-2

    Here are the reports. I have tried the ComboFix log twice and both times it gives this abbreviated report. I have also reinstalled ComboFix without success; however, it does perform normally, goes through the reboot process and finishes after restart as it should.
     

    Attached Files:

  41. gregowen

    gregowen Private E-2

    Finally managed to get MGlogs to work properly (I hope)
     

    Attached Files:

  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  43. gregowen

    gregowen Private E-2

    MGlogs and results from GMER attached. I was not able to find a way to save the Trend log, but it found and fixed 31 virus files and 2 security holes and 87 infected files, and fixed them all. It also suggested I run the test a second time, which I did, and it found no similar files.

    Win.exe, winlog and avp.exe still reside on my C:\ drive, but AVG is no longer having to quarantine any files AFTER reboot; even though win.exe appears to start on its own, it is having little effect.

    I have a renewed sense of optimism now.

    :)
     

    Attached Files:

  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay since we have had a few issues with ComboFix not running properly, we will use Avenger to try and remove the remaining problem files.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
  45. gregowen

    gregowen Private E-2

    That all seemed to go as planned and the logs are attached.

    AVG has no recorded infections BUT when I click Analysis and Tools there are still running avp.exe (1 instance), win.exe (4 instances) and M1.exe (1 instance) even after Avenger ran. There are no more pop-ups from AVG warning of malware.
     

    Attached Files:

  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have any idea what the below file is that is running?
    C:\WINDOWS\system32\Rpccwcamh.exe

    Please see if you can put all of the below files into a ZIP file and attach that ZIP here:
    C:\WINDOWS\system32\Rpccwcamh.exe
    C:\Program Files\Common Files\m1.exe
    C:\win.exe
    C:\winsys.exe
    C:\winsys.inf
    C:\avp.exe
    C:\winsys.sys
    C:\WINDOWS\system32\wincom.exe


    You should print the below instructions or save them to a local file because I will be having you lock the internet with the ZoneAlarm firewall to block the trojan from having internet access. Also you should print or save the procedure from message # 44 because you will need to run it again while disconnected.

    Now I want to get an antivirus installed (if possible) and a real firewall. So download and install the below.

    AVG Free Edition - make sure you update it too!

    ZoneAlarmFree - The new 7 version of Zone Alarm free includes Zone Alarm Security Suite, making the download larger than it used to be. Do not install the Security Suite.

    Then use ZoneAlarm's ability to lock the internet. Right click on the icon in the tray and select Engage Internet Lock. Also for safety and since we will be rebooting at points below, physically unplug your cable to the internet now. This is very important!!! Do not plug it back in until requested.

    Then run a full system scan with the AVG Antivirus just installed and allow it to fix any problems it finds.

    After the above is finished run the same procedure from msg number 44 again. Run the whole procedure including creating a new MGlogs.zip file.

    Now plug in your cable to the internet, open your browser, come here and attach the new c:\avenger.txt file and the new c:\MGlogs.zip file.

    Then run C:\MGtools\GetLogs.bat again to create another MGlogs.zip file. I want to see if it changes after connecting to the internet. Attach this second MGlogs.zip file.
     
  47. gregowen

    gregowen Private E-2

    I have no idea about the Rpccwcamh.exe file but I suspect it came with the trojan.

    The files you requested have been zipped and attached. I am just about to follow the procedure you requested and will post the additional logs on completion.


    [EDIT BY CHASLANG] **** WARNING NOTE **** TO ALL PEOPLE READING THIS. DO NOT DOWNLOAD THIS ATTACHED ZIP FILE. IT CONTAINS LIVE MALWARE THAT WE ARE EVALUATING.
     

    Attached Files:

    Last edited by a moderator: Feb 24, 2008
  48. gregowen

    gregowen Private E-2

    Here are the first logs (prior to reconnecting to the internet)

    The others will follow shortly.
     

    Attached Files:

  49. gregowen

    gregowen Private E-2

    Here is the second Mglogs file after connecting to the internet.
     

    Attached Files:

  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay those all look clean! See if you can find the below file:

    C:\WINDOWS\system32\Rpccwcamh.exe

    and if it is still there rename to Rpccwcamh.xxx

    Now no matter whether you found the above or not, reboot your PC and then get another MGlogs.zip file. We are now testing to see if a reboot will cause the problem to come back. If you see any messages from ZoneAlarm or from AVG Antivirus or Antispyware about any of the files we have been trying to remove, be sure to block them and also tell me what you saw.
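    The CFScript in message # 34 and the reboot test in message # 50 are two halves of one question: after ComboFix runs and the box restarts, which of the listed drivers, files, folders and registry entries are back? The script below is an added example (my code, not ComboFix's and not posted by anyone in this thread) that parses a CFScript in that format, flattens it into checkable artifacts and reports which ones are still present in a host snapshot. SAMPLE_SCRIPT and SAMPLE_HOST are constructed from names used in the thread; live_snapshot is an assumed helper that performs the same lookups on a real Windows host with os.path and winreg, and is not exercised here.

```python
"""Re-check what a ComboFix CFScript was meant to remove. Added example,
not ComboFix code; the sample script and host snapshot are constructed."""
import os
import re
import sys

SECTIONS = ("Driver::", "DirLook::", "File::", "Folder::", "Registry::")
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+)\\(.+)\]$")  # [-KEY] = delete key
REG_VAL_RE = re.compile(r'^"([^"]+)"=-$')                   # "name"=- = delete value

def parse_cfscript(text):
    """{section: [entries]}; repeats (c:\\win.exe is listed 3x) kept once."""
    parsed, current = {s: [] for s in SECTIONS}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line in SECTIONS:
            current = line
        elif line and current and line not in parsed[current]:
            parsed[current].append(line)
    return parsed

def registry_targets(lines):
    """Registry:: lines -> (hive, subkey, value); value None = whole key."""
    targets, hive, subkey = [], None, None
    for line in lines:
        key = REG_KEY_RE.match(line)
        if key:
            delete, hive, subkey = key.groups()
            if delete:
                targets.append((hive, subkey, None))
            continue
        val = REG_VAL_RE.match(line)
        if val and hive:  # a value line applies to the last [KEY] seen
            targets.append((hive, subkey, val.group(1)))
    return targets

def artifacts(parsed):
    """(kind, ident) pairs, lower-cased since Windows compares these
    case-insensitively. Driver:: names are service names, so the check is
    for their key under Services, not for a file."""
    items = [("regkey", ("hkey_local_machine",
                         r"system\currentcontrolset\services\%s" % d.lower()))
             for d in parsed["Driver::"]]
    items += [("file", p.lower()) for p in parsed["File::"]]
    items += [("folder", p.lower()) for p in parsed["Folder::"]]
    for hive, subkey, value in registry_targets(parsed["Registry::"]):
        ident = (hive.lower(), subkey.lower()) + ((value.lower(),) if value else ())
        items.append(("regvalue" if value else "regkey", ident))
    return items

def still_present(parsed, host):
    """host maps "files"/"folders"/"regkeys"/"regvalues" to sets of idents;
    returns the artifacts that are back, each once, in script order."""
    hits = []
    for kind, ident in artifacts(parsed):
        if ident in host[kind + "s"] and (kind, ident) not in hits:
            hits.append((kind, ident))
    return hits

def live_snapshot(parsed):
    """Assumed helper: same lookups on a real Windows host via os.path and
    winreg. Refuses to run elsewhere so the demo stays offline."""
    if sys.platform != "win32":
        raise RuntimeError("live_snapshot needs Windows")
    import winreg
    snap = {"files": set(), "folders": set(), "regkeys": set(), "regvalues": set()}
    for kind, ident in artifacts(parsed):
        if kind in ("file", "folder") and os.path.exists(ident):
            snap[kind + "s"].add(ident)
        elif kind.startswith("reg"):
            try:
                with winreg.OpenKey(getattr(winreg, ident[0].upper()), ident[1]) as k:
                    if kind == "regvalue":
                        winreg.QueryValueEx(k, ident[2])  # OSError if value absent
                    snap[kind + "s"].add(ident)
            except OSError:
                pass
    return snap

# Constructed from message # 34's script, trimmed to a few entries.
SAMPLE_SCRIPT = """\
Driver::
WinCOM
kavshell

File::
c:\\win.exe
c:\\win.exe
c:\\avp.exe

Registry::
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\policies\\system]
"DisableRegistryTools"=-
[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\WinCOM]
"""

# Constructed post-reboot snapshot: win.exe and the WinCOM service came back.
SAMPLE_HOST = {"files": {r"c:\win.exe"}, "folders": set(), "regvalues": set(),
               "regkeys": {("hkey_local_machine",
                            r"system\currentcontrolset\services\wincom")}}
```

On the infected box the snapshot would come from live_snapshot(parse_cfscript(open("CFscript.txt").read())) taken once right after ComboFix finishes and once after the reboot; anything in the second result that was absent from the first is the recurrence the reboot test is probing for. With the constructed data, still_present reports the WinCOM service key and c:\win.exe, which is the pattern of a service re-dropping its executable at boot.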
     
