Help Trojan Downloader & Spyware

Discussion in 'Malware Help (A Specialist Will Reply)' started by dukeman, Mar 29, 2007.

  1. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We will be doing a forced power down, which will be a reboot, while doing the below, so this will take care of the auto update's required reboot.


    I'm going to have you run a procedure below which will attempt to delete the infected winlogon.exe file and replace it with a good copy from your ServicePackFiles folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached DukeFix.zip file to your Desktop.
    • Now double click on DukeFix.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. DukeFix.bat and process.exe.
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shut down ALL unnecessary applications, including browsers.
    • Now double click on the DukeFix.bat file to run the fix.
    • It will create a log file named: c:\FixWL.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!! Then continue!
    • Power down your PC now by holding in the power button. Wait about 15 seconds and then power back up.
    • Come back here and attach the c:\FixWL.txt file.
    • After attaching the C:\FixWL.txt file here, continue on with the below instructions.
    Download The Avenger http://swandog46.geekstogo.com/avenger.zip by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now rerun the FixAWF program one more time to get a new log.

    Now come back here and attach all of the below additional logs:
    • C:\avenger.txt
    • C:\AWF.txt
    • ShowNew
    • HJT
     


    Last edited: Apr 7, 2007
  2. dukeman

    dukeman Private E-2

    Chaslang, I couldn't find the DukeFix.zip file to download. Methinks you may have overlooked it.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! It's there now!

    By the way, download the current version of ShowNew just updated today and use it to get the new log requested and use it from now on!
     
  4. dukeman

    dukeman Private E-2

    Downloaded & ran DukeFix.bat. When I did a forced power down and powered back up, it came back up in safe mode and didn't have internet access, so I rebooted back into normal mode and was able to access the internet again. If I did this wrong, smack me and I'll do it again.

    Ran the Avenger and lost my internet connection, so like before I ran a HJT log and noticed an O10 line, then ran LSP-Fix and there was a l.dll file in the Remove side, so I did a fix on it (which I didn't think of doing in safe mode). Rebooted and had my internet connection back, so I re-ran a HJT log (hijackthis_2 log).
     


  5. dukeman

    dukeman Private E-2

    Two other files.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes if you look back at the procedure I gave you using Avenger, you will notice that l.dll is one of the files in the list.

    First download another new version of ShowNew which was just updated tonight! Use it later when requested.


    What is in the below U3 folder:
    Code:
    "C:\Documents and Settings\Owner\Application Data\"
    U3            Apr  6 2007              "U3"
    Uninstall the below since we are finished with them now:
    HaxFix 4.39
    Kaspersky Online Scanner

    Let's clean up some clutter we are leaving around! It will help to make it easier as I review your logs too. Delete all the below files using Windows Explorer.
    Code:
    "C:\"
    avenger.txt   Apr  8 2007        6706  "avenger.txt"
    awf.txt       Apr  7 2007        1603  "awf.txt"
    fixwl.txt     Apr  8 2007        3761  "FixWL.txt"
    haxfix.txt    Apr  4 2007         432  "haxfix.txt"
    haxlog.txt    Apr  3 2007         753  "haxlog.txt"
    kavscan.txt   Apr  6 2007       12386  "kavscan.txt"
    ndisfile.txt  Apr  6 2007         816  "ndisfile.txt"
    rapport.txt   Mar 30 2007        2028  "rapport.txt"
    serv.txt      Apr  3 2007           8  "serv.txt"
    srenglog.log  Apr  6 2007       21581  "SREngLOG.log"
    temp.htm      Mar 27 2007         339  "temp.htm"
    vbg.txt       Apr  6 2007        1067  "VBG.TXT"
    wlfiles.txt   Apr  6 2007         970  "wlfiles.txt"
    We still are having a problem getting the ws2_32.dll file infection removed. The last DukeFix.bat procedure should have replaced it with a good copy. But I still see the bad one. This means one of two things:
    1. the fix totally failed or was blocked
    2. the fix succeeded but the malware still has other components around and immediately restored the bad file.
    Print the below instructions or save locally! You will have to be disconnected from the internet while running.

    Let's try one more time a different way.
    • Download the attached FixWS2.zip file and extract the contents (FixWS2.bat) to the root of drive C so that you have C:\FixWS2.bat
    • DO NOT run it yet.
    • Then disconnect your cable to the internet.
    • Reboot your PC into safe mode.
    • Run C:\FixWS2.bat by double clicking on it.
    • While still in safe mode, run ShowNew and get a new log. Rename it safefiles.txt.
    • Now reboot your PC and get another log from ShowNew (you can just leave the name as newfiles.txt).
    • Also get a new HJT log.
    • Now attach the below logs:
      • safefiles.txt
      • newfiles.txt
      • HJT
     


    Last edited: Apr 9, 2007
  7. dukeman

    dukeman Private E-2

    Downloaded and installed the new ShowNew.

    The "C:\Documents and Settings\Owner\Application Data\U3" was created from the SanDisk micro cruzer I plugged in to copy my daughter's pictures. After I finished I had one of those A!S! moments when I realized I just put a clean zip drive into an infected machine... :eek:

    I then uninstalled and deleted everything listed. Downloaded FixWS2 and extracted files into C:\, disconnected cable to the internet, rebooted into safe mode and then ran FixWS2.bat. Ran a ShowNew log safefiles.txt.

    Rebooted back to normal mode, ran another ShowNew log newfiles.txt and a new HJT. Then plugged in my internet.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We seem to be almost there!! There is just one file that is still troubling me and I'm trying to get it replaced with an older copy. I'm not sure why it is not working on your system. I experimented on my PC and I can easily overwrite the file with a different copy. The file is C:\WINNT\system32\ws2_32.dll which is dated 03/28/2007. I'm trying to replace it with a copy of an older file date from the below:

    C:\WINNT\ServicePackFiles\i386\ws2_32.dll

    which is the same size but dated 08/04/2004. Do you know how to open two Windows Explorer sessions and drag & drop (that is copy) from one window to the other? If you do know what I mean, open the two windows and try to copy

    C:\WINNT\ServicePackFiles\i386\ws2_32.dll

    to

    C:\WINNT\system32

    Watch C:\WINNT\system32 for a moment to see the file copied in and observe whether the copy actually works, and then also make sure that the copy is not overwritten again with the 3/28/2007 version after a few seconds. You may need to scroll down to the bottom of the window, since as files are copied in they sometimes show at the end of the existing file list until you re-sort the folder.


    You haven't been seeing any more O10 lines in your HJT log have you?

    We are going to have to get an antivirus and firewall reinstalled soon to avoid risk of reinfection.
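A defender's check for the copy-and-watch step chaslang describes above, as an added example that is not part of the thread: it compares a live file with its reference copy by hash and then polls the live file after replacement to see whether something puts the old copy back. It runs only on constructed temp files that stand in for the system32 and ServicePackFiles paths.

```python
# Added example, not from the thread: compare a live system file with its
# ServicePackFiles reference by SHA-256, then poll after replacing it to see
# whether the old copy gets put back. demo() uses constructed temp files only.
import hashlib
import shutil
import tempfile
import threading
import time
from pathlib import Path


def sha256_of(path):
    """Hash in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(live, reference):
    """Same size but different hash is exactly the ws2_32.dll case above."""
    live, reference = Path(live), Path(reference)
    return {"same_size": live.stat().st_size == reference.stat().st_size,
            "same_hash": sha256_of(live) == sha256_of(reference)}


def watch_for_revert(path, expected_hash, seconds, interval=0.05):
    """True if the file keeps expected_hash all window long, False on change."""
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        if sha256_of(path) != expected_hash:
            return False
        time.sleep(interval)
    return True


def demo():
    """Constructed scenario: bad live file, equal-size good reference, replace, simulated restore."""
    root = Path(tempfile.mkdtemp())
    live = root / "ws2_32.dll"          # stands in for the system32 copy
    ref = root / "ref_ws2_32.dll"       # stands in for the ServicePackFiles copy
    live.write_bytes(b"BAD-" * 64)
    ref.write_bytes(b"GOOD" * 64)
    before = compare_copies(live, ref)
    shutil.copy2(ref, live)             # the drag-and-drop replacement
    after = compare_copies(live, ref)
    good = sha256_of(ref)
    stable = watch_for_revert(live, good, seconds=0.2)
    # Simulated leftover component rewriting the bad copy 0.1 s later.
    threading.Timer(0.1, live.write_bytes, [b"BAD-" * 64]).start()
    reverted = not watch_for_revert(live, good, seconds=1.0)
    shutil.rmtree(root, ignore_errors=True)
    return {"before": before, "after": after, "stable": stable, "reverted": reverted}
```

On a real system you would point `compare_copies` and `watch_for_revert` at the live file and its ServicePackFiles reference; a hash that flips back within seconds of a clean copy is the sign that another component is still active.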
     
  9. dukeman

    dukeman Private E-2

    It just wont go away.

    I opened two Explorer windows and tried to copy "C:\WINNT\ServicePackFiles\i386\ws2_32.dll" (8/4/04) to "C:\WINNT\system32" and got the message: "Error copying File or Folder. Cannot copy ws2_32: It is being used by another person or program. Close any programs that might be using the file and try again."

    I renamed ws2_32.dll (3/28/07) to ws2_32.bad with no problem, then copied ws2_32.dll (8/4/04) with no problem. Opened and closed the Explorer window several times and they were both there. Tried to delete ws2_32.bad and got the message: "Error Deleting File or Folder. Cannot delete ws2_32: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

    So close but yet so far.

    Thanks again for all the time and head scratching on this and for putting up with me.
     


  10. dukeman

    dukeman Private E-2

    Also Here is another ShowNew log.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No!!! It looks like you were successful. The renaming and then copying seems to have worked. I don't see the 3/28/07 copy anymore. However, we do need to delete the old backup of the bad ndis.sys file. Delete the below:

    C:\WINNT\system32\drivers\ndis.sys.bad


    No problem! It's great that you are as tenacious as me and have not given up. ;)

    Looks to me like we may be finished with the removal!

    Is everything working OK? I'm going to assume it is and give you final steps to do. Make sure when you get to the How to protect yourself link that you get an antivirus and a firewall installed ASAP!!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
