Trojan Downloader Infections

Discussion in 'Malware Help (A Specialist Will Reply)' started by tooocinful, Oct 26, 2008.

  1. tooocinful

    tooocinful Private E-2

    I did all the Read & Run Me instructions and am still having issues with a couple of viruses I have been able to identify & probably others I haven't. I think I got them when downloading some free Codecs several months ago. I have tried everything I have come across online to no avail - HELP!!!

    I have identified: Trojan.Downloader.Win32.Murlo.nn and abb.633f94d3.info

    The 2 files that keep coming back no matter what I have done are:
wmsetup.dll and abb[1].gif both of which are always found in various temp folders either in WINNT or in Documents & Settings folders by the beta version of ZoneAlarm Internet Security Suite 2009.

    I am attaching logs as instructed in Read & Run Me.

    I am hoping you can help me rid my system of this thing once and for all.
     


  2. tooocinful

    tooocinful Private E-2

    Here's the last log.
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Do you know what the below files (fsaua.data is a folder) are for?
    Code:
    2008-10-12 20:12 . 2008-10-26 05:55  795  --a---  C:\rollback.ini
    2008-08-28                                d-----  C:\fsaua.data
    2008-10-13                                --a---  C:\lkekn.txt
    2008-10-12 20:00 . 2008-10-12 20:00  200  --ahs-  C:\WINNT\system32\D251FE2F.cfg
    2008-10-12 20:00 . 2008-10-12 20:00  196  --ahs-  C:\WINNT\system32\4F34C688.cfg
    2008-08-13 00:48 30 ----a-w C:\MicroSoft.bat
    2008-07-06 02:15 0 ----a-w C:\Program Files\temp01
    Uninstall the below software:
    Viewpoint Media Player <-- should have been uninstalled in step 1 of the READ ME

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\Software\..\Telephony: DomainName =
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS6\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS7\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS8\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS9\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS10\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS11\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS12\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS13\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS14\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS15\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS16\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS17\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS18\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS19\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS20\Services\Tcpip\Parameters: Domain =
    O17 - HKLM\System\CS21\Services\Tcpip\Parameters: Domain =
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

    After clicking Fix, exit HJT.

    Now we need to use ComboFix to remove a bunch of malware files.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
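As an added example (not code from the thread, from MajorGeeks or from HijackThis itself), a small Python triage script that parses HJT scan lines like the O17/O18 entries quoted in this post: it records which ControlSet each O17 entry lives in, separates the O17 entries that actually carry a Domain/NameServer value from the empty ones, and lists O18 protocol handlers whose file is missing. The sample lines are constructed; the O4 line, the CS1 NameServer value and the second O18 CLSID are invented fillers.

```python
import re

# Constructed sample scan lines, modelled on the O17/O18 entries quoted in this thread
# (the O4 line, the CS1 NameServer value and the second O18 CLSID are invented fillers).
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\app.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =
O17 - HKLM\Software\..\Telephony: DomainName =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.10
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: example - {00000000-0000-0000-0000-000000000001} - C:\WINNT\system32\example.dll
""".strip().splitlines()

O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<value>\w+) =\s*(?P<data>.*)$")
O18_RE = re.compile(r"^O18 - Protocol: (?P<name>\S+) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
CONTROL_SET_RE = re.compile(r"\\System\\(CCS|CS\d+)\\", re.IGNORECASE)

def triage_hjt(lines):
    """Parse HijackThis scan lines: every O17 (domain/DNS) entry with the ControlSet it
    lives in, plus every O18 protocol handler whose file is gone ("(no file)"), i.e. an
    orphaned registration that a fix can safely clear."""
    o17, orphans = [], []
    for line in lines:
        line = line.rstrip()
        m = O17_RE.match(line)
        if m:
            cs = CONTROL_SET_RE.search(m.group("key"))
            o17.append({"line": line, "value": m.group("value"),
                        "data": m.group("data").strip(),
                        "control_set": cs.group(1).upper() if cs else None})
            continue
        m = O18_RE.match(line)
        if m and m.group("path").strip().lower() == "(no file)":
            orphans.append({"line": line, "name": m.group("name"), "clsid": m.group("clsid")})
    return {"o17": o17, "o18_orphans": orphans}

def control_sets_seen(report):
    """Distinct ControlSets carrying O17 entries; a long run like CS1..CS21 is unusual."""
    return sorted({e["control_set"] for e in report["o17"] if e["control_set"]})

def o17_with_data(report):
    """O17 entries with a non-empty value: these can redirect name resolution, so look first."""
    return [e for e in report["o17"] if e["data"]]

def lines_to_fix(report):
    """Scan lines to select in HijackThis: all O17 entries plus orphaned O18 handlers."""
    return [e["line"] for e in report["o17"]] + [e["line"] for e in report["o18_orphans"]]
```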
     
  4. tooocinful

    tooocinful Private E-2

Thanks for the welcome! First, I want to thank you for your help!!! I won't have a chance to get through the steps all in one sitting, so it will take me a few days to get back to you with all the results. However, I looked into the files you asked about and here's what I found (hopefully it will help):

    1. C:\rollback.ini - used by ZoneAlarm for the antivirus scanner. The rollback.ini is for rolling back the antivirus definitions in the event of a very corrupt definitions database.

    2. C:\fsaus.data (folder) – online search indicates it may be a folder created by F-Secure online scanner which I did use, in which case I wouldn’t still need it

    3. C:\lkekn.txt contains the following, which I believe to be left from a virus scanner – not sure which one, as I have used about a dozen+ of them trying to get rid of this stuff

    Files to delete:
    C:\Documents and Settings\Cindy Paliotto\Local Settings\temp\wmsetup.dll
    C:\Documents and Settings\Cindy Paliotto\Local Settings\Temporary Internet Files\Content.IE5\ANC1OLYL\abb[1].gif
    C:\Documents and Settings\NetworkService\Local Settings\temp\wmsetup.dll
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SD2BC9Q7\abb[1].gif
    C:\WINNT\temp\wmsetup.dll
    C:\WINNT\system32\System.exe
    C:\WINNT\system32\HBmhly.dll


4. C:\WINNT\system32\D251FE2F.cfg – no idea what this is & online search gave zero results

    5. C:\WINNT\system32\4f34c688.cfg - online search produced a few hits in relation to viruses, but most not in English, so hard to tell what it really is

    6. C:\MicroSoft.bat - this is what is in the bat file:
    cmd.exe /c C:\MicroSoft.pif - not sure what it is, but MicroSoft.pif appears to be malware from online search results

    7. C:\Program Files\temp01 – 0 bytes, not sure what it is.

    Let me know if any of this helps. Thanks again!!!
     
  5. tooocinful

    tooocinful Private E-2

Well, I was able to get through it tonight. Here are the logs. I haven't really used the computer much to be able to tell how it's working now, but ZoneAlarm popped up in the middle of ComboFix having detected wmsetup.dll (trojan.downloader.win32.murlo) so it appears that it is still there, or at least was at that point. Should I shut down my antivirus while I do all this? You didn't mention anything about it, so I wasn't sure and just left it running.

    Thanks!
     


    Last edited: Oct 28, 2008
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Apparently you have been working on another forum to remove malware. This is from using Avenger. Why didn't you finish working wherever you started?


    We have to be careful that your ZoneAlarm Security Suite is not getting in the way of the malware cleanup using ComboFix. If it continues to popup while using ComboFix, you will have to uninstall ZoneAlarm.


    Now we need to use ComboFix.
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now copy the below file:
    C:\WINNT\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\actxprxy.dll

    into the below folder:
    C:\WINNT\system32\


    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. tooocinful

    tooocinful Private E-2

    First, I just wanted to say that this is the first forum I have posted to for help. As I stated in my original post, I have been searching for weeks for a solution (which led me to several forums including this one) and I downloaded anything and everything I found that I thought would remotely help me get rid of this trojan - that included Avenger, which obviously didn’t help much.

So far, things have been OK Trojan-wise – no ZoneAlarm popups quarantining the trojan. I wanted to wait several days before responding, though, as it has been “dormant” for as many as 2-3 days before and then came back (prior to this last script fix).

However, one of the things I forgot to mention (not sure if it’s a result of the trojan, but it started about the same time my system got infected) - it takes about 10 minutes for my computer to start up. It goes through the usual startup process until Windows starts to load, then the screen goes blank for several minutes, and then the Windows screen with the message that Windows is starting up appears and stays that way for several more minutes. It eventually goes into what appears to be screen saver mode, with the Windows XP icon floating around the screen. When I move the mouse, there is a window with an error message stating that the system could not log me on and to re-enter user name/password. (I do NOT have my system set up to do this since I am the only one who uses it.) When I click OK, that window disappears along with the log in screen behind it and then an icon appears with my user name that I then have to click on for my system to start – like the one I get on my laptop when it goes into hibernation mode when I close the laptop. From there the system starts normally. Most of the time, I also have a svchost error message prior to the logon error message. As you can imagine, this is growing tiresome!

    Thanks again for all your help!
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to finish doing what I requested in message # 6 and attach the follow up logs.


    NOTE: I strongly recommend that you change your boot up process to require a logon and password to be entered. It does not matter if you are the only user. When you don't require a login and password, you are leaving your PC open to infections being able to take full control of your PC since it has no password established for the user account. This means the infection can do anything it wants, including possibly changing your account to now need a password and you would not have the password. Thus, you would no longer be able to use your own PC.
     
  9. tooocinful

    tooocinful Private E-2

    Ooops - sorry! I did complete all the tasks, but I forgot to attach the logs! Here they are.
     


  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Chas is on vacation so I will finish up with you. Your logs are clean.

    You may use this method to fix your log in problems:
    Bypass Log In.

    Further assistance with this can be found in the software section.

     
  11. tooocinful

    tooocinful Private E-2

Thanks - all set now. I have also traced the issue with the 15 minute start up time to my HP printer, so will need to clean uninstall, then reinstall. Still getting the error message about Windows unable to log me in, but that's minor compared to the months of annoyance caused by the trojan downloader that is now gone, gone, gone! :-D

    Again thank you for all your help!
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    On behalf of Chas, you are most welcome. Perhaps you should post in the software section for additional help with your log in problems. :)

    Do note that the administrator account became corrupted and you have a new one:
    Code:
    C:\Documents and Settings\"
    ADMINI~1      Aug  6 2004              "Administrator"
    ADMINI~1.CIN  Oct  8 2006              "Administrator.CINDY-P"
    
     
