I have a trojan.

Discussion in 'Malware Help (A Specialist Will Reply)' started by TrickyRick, Mar 5, 2008.

  1. TrickyRick

    TrickyRick Private E-2

    I have a trojan on a computer running XP SP
    I became aware of it when I had a window pop up; I don't remember all of it, but it said that I had worm.w32.netsky and offered to help. I soon also found that when I pressed ctrl-alt-del I had a box pop up that said the administrator had disabled the task manager. However, I was able to run it from another account, and I was able to run it from the account it was disabled in after I added a registry key that I found with Google.

    I use Firefox as my browser 99% of the time, but from that task manager I could see that iexplorer.exe was running and would eventually start again after I killed it. I also noticed some strange processes at different times; some of these are gd1k91zl.exe, xBoWFZj3.exe and MVk9dP6R.exe.

    I went through the process on this site. Actually I did it at least twice because I wasn't sure I did it right the first time.

    I am posting this from another computer so that I don't have to put the infected one online. I have the logs attached.

    I hope someone can help.
    Rick
     
  2. abri

    abri MajorGeek

    Hi TrickyRick,
    Welcome to Major Geeks!

    Your logs aren't attached. If you think you went through the process of attaching them correctly, please check a few things. Be sure after the files are uploaded to submit them. Be sure when you log on to Major Geeks that you check the Remember Me box. If you get an error when trying to upload the files, you may need to clear your browser cache or switch to another browser.

    abri
     
  3. TrickyRick

    TrickyRick Private E-2

    Sorry I think I clicked post before I uploaded. I'm not used to running Firefox in OpenBSD.

    Here is another try.
     


  4. abri

    abri MajorGeek

    Hi Tricky Rick,
    I'm looking at your other logs, but your Combofix log is not correct. Please go back to the Windows XP Cleaning Procedure and reinstall Combofix according to the instructions and run it again. In the instructions it will tell you where it needs to be installed and how to find the log. If you already did all this correctly, it will produce the same result, but I would like for you to try this first, before we do something more complicated.
    Thanks.
    abri
     
  5. abri

    abri MajorGeek

    Hi Tricky Rick,

    After you complete the instructions in Post 4, please continue with the following:
    1) Please disable your guest account if this hasn't already been done.

    2) Go to add/remove programs and uninstall the below:

    Viewpoint Media Player
    J2SE Runtime Environment 5.0 Update 11
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1


    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

    After you click fix, just close hijackthis.

    7a) Before you continue with the next step, please open Windows Explorer and look for the group of .tmp files in the box below (step 7b). When you find them, right-click on one of them and select properties. Do not left-click on any of them. See if you can tell from the information in the properties window what program they might belong to. If they are a program you know and installed, skip step 7b and just go ahead with steps 8 and 9.


    7b) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    8) And now run CCleaner at the default setting with the Windows tab as the one on top.


    9) Finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
  6. TrickyRick

    TrickyRick Private E-2

    Ok, I put it back online and reinstalled Combofix.exe, and here is the log.
    When I did that some "flow TV" hip-hop loop started playing until I killed iexplorer.exe. It starts by itself.

    I'll try the steps in the last post and see what happens.
    By the way, I probably won't wait for you to reply, but you had a registry key quoted that starts qttask.exe and didn't say if I was supposed to do something about it.

    Anyway I'll follow the last steps given and let you know.
     

    Attached Files: log.txt
  7. TrickyRick

    TrickyRick Private E-2

    Ok, I reread that and now I understand.
     
  8. TrickyRick

    TrickyRick Private E-2

    I think I'm all good.

    When I right-clicked on temp1013986640.exe my antivirus deleted all but one of them.

    Now everything seems ok.

    I'll do the system restore toggle.
     
  9. TrickyRick

    TrickyRick Private E-2

    I think I jumped the gun a bit.
    I saw iexplorer run soon after I booted, unless that is windows update running it.
     
  10. abri

    abri MajorGeek

    It is so bizarre that you have to actually point the antivirus at a bad file sometimes before they see it.

    Please run Avenger again as you did in post 5, step 7b, only this time use the contents of this box:
    Attach the log which should be called Avenger.txt to your next post. Also, please run GetLogs.bat which can be found in the MGTools folder under C:\ by double-clicking on the file. Allow it to run all the way to completion. Then attach the logs which can be found directly under C: and which are called MGlogs.zip with your next post as well.

    abri
     
  11. TrickyRick

    TrickyRick Private E-2

    I failed to copy the Files to Delete part at first as you will see in the log.

    I installed Comodo Firewall and did a malware scan from there, and it listed three things plus mIRC. I didn't delete mIRC.

    I probably should have waited. This computer is at my dad's house and I will have to go home in about 3 hours.
     


  12. abri

    abri MajorGeek

    Hi TrickyRick,

    Please uninstall Comodo, as there is already a Symantec remnant, probably from an earlier installation of Norton, and the computer is also running the CAV antivirus program. Having more than one can only lead to trouble. I will deal with the Symantec entry in a bit, but you need to uninstall either the Comodo or the CAV, and the CAV I believe is provided as part of AOL and may be the antivirus program that your father wants.

    Try and attach the requested MGlogs.zip. The instructions for this are at the end of my last post.

    Thanks.
    abri
     
  13. TrickyRick

    TrickyRick Private E-2

    Well, at first I only had Comodo Firewall, then I had Comodo Antivirus, and I had disabled the CAV that was from ATT-Yahoo, but I then uninstalled the CAV, but now I wish I had not. I uninstalled Comodo Firewall and Antivirus and tried to reinstall the ATT-Yahoo protection, but it's not on the CD, and when I go online and try to get it, they aren't using the one from Computer Associates but Norton, and it says I have to have 512 MB of RAM, but this doesn't quite have 512 MB of RAM because part of it is used by the on-board video.

    So now I have no Antivirus.

    The Symantec remnant is probably from what came with the computer, but it only had free updates for 6 months.

    Actually, as far as this being my dad's computer:
    My mother bought it about 4 years ago and died less than a year after she bought it, and my dad hasn't learned to use it and lets me use it, and if he needs something typed or other computer stuff done I do it. When the dial-up rates were going up he got on DSL, so I could use it for eBay and so on.

    We have never used AOL except AIM, but I have been reluctant to uninstall it because the restore CD is all or nothing.

    I haven't yet told my dad that I have a virus or trojan.
     


  14. abri

    abri MajorGeek

    Hi TrickyRick,

    1) Go to How to Protect Yourself from Malware and find the antivirus programs and choose one and install it. Computers without any antivirus are in danger.

    2) Then disable your guest account if this hasn't been done already. It leaves an entryway for malware that's unnecessary.

    3) Please run CCleaner in the default setting with the Windows tab as the one on top.

    4) Then run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - SOFTWARE - (no file)

    After you click fix, just close hijackthis.


    5) If you're still having the problem that you described, I would like for you to continue as follows:

    Go to Using BitDefender Online Scan and run this online scan as per the instructions. This scan can only be run with Internet Explorer and with ActiveX enabled. It will not work with Firefox or Opera. There are two things that matter. Be sure that you have BitDefender fix whatever it finds. I believe this is the default setting. And in the link I just gave you, there are very specific instructions for getting a log. Please read them carefully so that you can attach a log to us afterwards that we are able to use.

    Thanks.
    abri
     
  15. TrickyRick

    TrickyRick Private E-2

    I have Comodo Antivirus running now.

    I'm not sure if I am still having problems, but when I try to do a BitDefender scan after changing my security to medium, I get "This web site is not authorized to host this activeX control", and I haven't found a solution.
     
  16. abri

    abri MajorGeek

    Hi TrickyRick,

    Try this:

    Please open Internet Explorer and go to Tools and Internet Options. Select the Security tab and at the bottom of that window look for Custom Level and click on it. In the window that opens up, scroll down until you get to the ActiveX settings. Please set all of them to enable except for the ones which are called Download unsigned ActiveX controls and the one called Initialize and script ActiveX controls not marked as safe. These two should remain disabled. The rest that have to do with ActiveX should be marked as enabled. After the BitDefender scan runs, you can put them back to the Default Levels.

    Let me know if this works or not.

    abri
     
  17. TrickyRick

    TrickyRick Private E-2

    I still can't get BitDefender to work. I tried setting the ones you said to disable to prompt, and went to Tools/Add-ons, and the ActiveX from BitDefender is enabled.

    Earlier Comodo Antivirus found Trojan-Clicker.Win32.Pahador.F in
    C:\program files\2wire\sst\closeall.exe and quarantined it.


    I just finished an online scan on TrendMicro and it says I have TROJ_DROPPER.EUO

    C:\WINDOWS\Installer\{99c2743c-902a-4c73-bd56-46f212746221}\VolumeBoot.dll
    C:\WINDOWS\Installer\{d3232e66-c5a1-4e33-b82e-f0aa995fbc6d}\zip.dll


    Do you know anything about Microsoft Autoruns?
     
  18. abri

    abri MajorGeek

    Hi Rick,

    Are the following settings that you put in yourself?

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)
    "AllowOutboundDestinationUnreachable"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
    "DisableMonitoring"=dword:00000001


    And now please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - SOFTWARE - (no file)
    O20 - AppInit_DLLs:

    This may be what Comodo found. If it is still in HijackThis, go ahead and fix it as well. I expect you won't find it.

    O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe

    Does the following belong to either your ISP or your computer manufacturer? If not, please fix it as well.

    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

    After you click fix, just close hijackthis.

    Please run CCleaner in the default setting with the Windows tab as the one on top.
    When you finish the above, please go to the MGTools folder under C and find the file called analyse.exe. This is HijackThis. Please doubleclick on it to run it and allow it to produce a log. Attach the log with your next post.

    abri
     
  19. TrickyRick

    TrickyRick Private E-2

    The firewall settings you ask about I'm not sure about. I don't have computer associates antivirus on here anymore.

    The webworks.exe I'm not sure about but I checked fix it.
    The http://www.emachines.com is the computer manufacturer's website, but that should be of no consequence one way or the other, so I fixed it.

    I never did get Bitdefender online to work.

    I'm leaving for the night.
     


  20. TrickyRick

    TrickyRick Private E-2

    Would those firewall settings be for windows firewall, because I have disabled it?
    I am using Comodo Firewall.
     
  21. abri

    abri MajorGeek

    Hi TrickyRick,

    Here are some further instructions for you. We may have to run one more registry patch.

    1) Now run Avenger again as follows:
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the Execute button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.
    2) Go to add/remove programs and uninstall the below:

    - LiveUpdate 2.5 (Symantec Corporation)

    3) Run the Norton Removal Tool (SymNRT)

    4) Reboot after uninstalling the above.

    5) Install the current version of Sun Java from: Sun Java Runtime Environment

    6) Next we may need to remove a service if the Norton Removal Tool did not already remove it. Please follow the below… (if the service is not there, just continue on with the next step)
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Now Click OK until you get back to Windows.
    • Next, go to the MGTools folder in the root drive (usually C) and find the file called analyse.exe. (This is HijackThis which has been renamed). Double-click on it to run it, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    7) Now scan with HijackThis (called analyse.exe in the MGTools folder) and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX ) If you don't find the below, just continue. Some of these entries may already be gone.

    O4 - Global Startup: Event Reminder.lnk = ?
    O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_02) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    O21 - SSODL: VolumeBoot - {99c2743c-902a-4c73-bd56-46f212746221} - C:\WINDOWS\Installer\{99c2743c-902a-4c73-bd56-46f212746221}\VolumeBoot.dll
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    After you click fix, just close hijackthis.



    8) Now run CCleaner

    9) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now?

    abri
     
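Posts 14, 18 and 21 all come down to reading HijackThis O-lines and deciding which entries to fix. The following is an added example (not code from this thread, MajorGeeks or HijackThis) that parses lines of that format, extracts the file each one points at, and ranks entries by persistence mechanism. The sample lines are the ones quoted in this thread; the severity rules are this editor's assumptions modelled on abri's reasoning: orphaned entries, DLLs loaded from the Windows Installer cache, and Winlogon Notify / SSODL loaders are what get flagged.

```python
"""Triage HijackThis-style log lines by persistence mechanism.

Added example, not code from the thread, MajorGeeks or HijackThis. The
sample lines are the ones quoted in this thread; the severity rules are
assumptions that mirror the reasoning in the thread (orphaned entries,
DLLs loaded from the Installer cache, Winlogon Notify / SSODL loaders)."""
import re
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in an executable extension; non-greedy so
# "C:\Program Files\..." stops at the first .exe/.dll rather than at line end.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\r\n]*?\.(?:exe|dll|sys|cpl|scr)\b", re.IGNORECASE)
INSTALLER_CACHE_RE = re.compile(r"\\WINDOWS\\Installer\\\{[0-9a-f-]{36}\}\\", re.IGNORECASE)

MECHANISM = {
    "O2": "Browser Helper Object",
    "O4": "autostart (Run key or Startup folder)",
    "O14": "IE reset defaults (IERESET.INF)",
    "O16": "ActiveX download (DPF)",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad (SSODL)",
    "O23": "NT service",
}
RANK = {"low": 0, "info": 1, "medium": 2, "high": 3}

# Constructed sample: the O-lines quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - SOFTWARE - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O4 - Global Startup: Event Reminder.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O20 - AppInit_DLLs:
O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
O21 - SSODL: VolumeBoot - {99c2743c-902a-4c73-bd56-46f212746221} - C:\WINDOWS\Installer\{99c2743c-902a-4c73-bd56-46f212746221}\VolumeBoot.dll
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""


def parse_line(line: str) -> Optional[Dict]:
    """Split one HijackThis line into section, body and the first file path it names."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body)
    return {"section": section, "body": body, "path": pm.group(0) if pm else None}


def assess(entry: Dict) -> Dict:
    """Attach findings and an overall severity (assumed rules, see module docstring)."""
    body, section, path = entry["body"], entry["section"], entry["path"]
    findings = []
    if "(no file)" in body or body.rstrip().endswith("= ?"):
        findings.append(("medium", "orphaned entry: the referenced file is missing"))
    if path and INSTALLER_CACHE_RE.search(path):
        findings.append(("high", "loads from the Windows Installer cache folder, not a normal home for a shell or logon DLL"))
    if section == "O21":
        findings.append(("high", "SSODL DLLs load into explorer.exe at logon; verify the publisher"))
    if section == "O20" and body.startswith("Winlogon Notify"):
        findings.append(("high", "Winlogon Notify DLLs load into winlogon.exe before the desktop; verify the publisher"))
    if section == "O20" and body.rstrip() == "AppInit_DLLs:":
        findings.append(("info", "AppInit_DLLs value present but empty"))
    severity = max((s for s, _ in findings), key=RANK.get, default="low")
    return {**entry, "mechanism": MECHANISM.get(section, "unknown"),
            "findings": [note for _, note in findings], "severity": severity}


def triage(log_text: str) -> List[Dict]:
    """Parse every O-line and return entries sorted worst first (stable within a rank)."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sorted(map(assess, entries), key=lambda e: -RANK[e["severity"]])


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"[{e['severity']:6}] {e['section']:3} {e['mechanism']}: {e['path'] or e['body']}")
        for note in e["findings"]:
            print("          -", note)
```

Run it and the two entries that the thread ended up fixing by hand, the VolumeBoot.dll SSODL loader and the monln.dll Winlogon Notify entry, come out on top; the QuickTime and Symantec lines rank low because the rules only score where a component loads from and whether its file exists, not whether the program is wanted.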
  22. TrickyRick

    TrickyRick Private E-2

    Things seem to be running well. I rebooted after all that you said to do, and I don't see iexplorer.exe running.
     


  23. abri

    abri MajorGeek

    Hi Rick,

    1) Please disable your guest account if this hasn't been done.

    There's one registry value which was not removed by HijackThis, so I will have you remove it with a registry patch. Other than that, everything looks good.

    2) Download and install Erunt. Use it to create a backup of your registry.

    3) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double-click it and allow it to merge with the registry.
    4) When you've finished the above, please go ahead with the final cleanup instructions in the box:
    abri
     
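Post 23 asks for a registry patch saved from Notepad as a .reg file and merged with regedit. The bold text of that patch did not survive on this page, so the following is an added example, not abri's patch, that builds a patch of that kind and checks it before it is merged. The key it targets is an assumption: the O21 SSODL line in the HijackThis log points at the ShellServiceObjectDelayLoad key, so that is where a leftover VolumeBoot value would live. The audit step is the part a practitioner wants: a .reg file from a forum can just as easily add values as delete them, so it confirms the patch only deletes and only under the expected key.

```python
"""Build and sanity-check a .reg patch that deletes one registry value.

Added example; it is not the patch abri posted (the thread's bold text did
not survive). The key is an assumption: the O21 SSODL line in the log means
a leftover VolumeBoot value would live under ShellServiceObjectDelayLoad.
Regedit syntax: "Name"=- deletes a value, [-KEY] deletes a whole key.
Limitation: single-line values only (no hex(..) continuation lines)."""
import re
from typing import Iterable, List, Optional, Tuple

REG_HEADER = "Windows Registry Editor Version 5.00"
# Assumed location of the leftover value, derived from the O21 SSODL entry.
SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"

KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+\\[^\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

Op = Tuple[str, Optional[str], str]  # (key, value name or None, action)


def _escape(name: str) -> str:
    """Backslash and double quote are escaped with a backslash in .reg value names."""
    return name.replace("\\", "\\\\").replace('"', '\\"')


def _unescape(name: str) -> str:
    return re.sub(r"\\(.)", r"\1", name)


def build_value_delete_patch(key: str, value_names: Iterable[str]) -> str:
    """Return .reg text that deletes the named values under key.

    CRLF line endings, the 5.00 header, a blank line after it and a trailing
    blank line are what regedit expects from a file saved as 'all files'."""
    lines = [REG_HEADER, "", f"[{key}]"]
    lines += [f'"{_escape(n)}"=-' for n in value_names]
    lines.append("")
    return "\r\n".join(lines) + "\r\n"


def parse_reg_patch(text: str) -> List[Op]:
    """Parse a .reg file into (key, value, action) ops: delete_key, delete_value or set."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        raise ValueError("missing 'Windows Registry Editor Version 5.00' header")
    ops: List[Op] = []
    current = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            if m.group(1) == "-":
                ops.append((current, None, "delete_key"))
            continue
        m = VALUE_RE.match(line)
        if m and current:
            name, data = m.groups()
            ops.append((current, _unescape(name), "delete_value" if data == "-" else "set"))
            continue
        raise ValueError(f"unparsed line: {line!r}")
    return ops


def audit_patch(text: str, allowed_keys: Iterable[str]) -> List[str]:
    """Problems with a cleanup patch: it should only delete, and only under expected keys."""
    allowed = {k.lower() for k in allowed_keys}
    problems = []
    for key, name, action in parse_reg_patch(text):
        if key.lower() not in allowed:
            problems.append(f"{action} touches unexpected key {key}")
        if action == "set":
            problems.append(f"sets {name!r} under {key}; a cleanup patch should only delete")
        if action == "delete_key":
            problems.append(f"deletes the whole key {key}; confirm that is intended")
    return problems


if __name__ == "__main__":
    patch = build_value_delete_patch(SSODL_KEY, ["VolumeBoot"])
    print(patch)
    print("audit:", audit_patch(patch, [SSODL_KEY]) or "ok")
```

Together with the Erunt backup from step 2, the audit gives a reviewable step between "download" and "merge": if it reports anything for a patch that is supposed to remove one stale value, read the file before double-clicking it.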
  24. TrickyRick

    TrickyRick Private E-2

    I managed to delete the VolumeBoot.dll entry in the registry yesterday, and I deleted the VolumeBoot.dll with KillBox.

    See the attached log.

    I hope everything is clean, but I'm not sure.

    Thanks for your help. I'm going to watch things for a few days.
     
  25. TrickyRick

    TrickyRick Private E-2

    Oops, I failed to upload the attachment. Well, here it is.
     


  26. abri

    abri MajorGeek

    Hi Tricky Rick,
    That looks good. Let me know how things are working after a few days.
    abri
     
