Trojan-Downloader.JS.small.af found

My set up is home network with Roadrunner service into Surfboard Cable modem into Linksys BEFW11S4 ver 2, WEP enabled, 3 computers with shared folders and two printers on the network:

hardwired 1 Gateway desktop, new Dec 2004, running XPHome with SP2
wireless 1 Dell Laptop, new Dec 2003, running XPHome with SP2
hardwired 1 Dell running 98SE, new around Fall 1999

All are running KPFirewall and NAV (slightly different versions of NAV for each, but all updated for signatures etc regularly). I try to regularly run Spyware Blaster, AdAware-se, and Spybot.

What started this particular event was NAV found a file during routine scheduled scan of my Gateway.

Source: C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZFYN25EB\translate_c[1].htm
Description: The file C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZFYN25EB\translate_c[1].htm is a Adware threat.

And then I found a site that suggested running MWAV, so I installed version 5.1.1 and ran with default settings. Here is the critical info lifted from the large MWAV log:

Tue Mar 08 22:25:31 2005 => File
C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\ZFYN25EB\a570a171[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.

This really got my attention. The MWAV program said I could buy MWAV and repair this, but I did not know if that was the right course of action.

I unplugged that computer from the home network, so it is now isolated. Note that when I ran MWAV on my other computers they did not have the ' "Trojan-Downloader.JS.Small.af" Virus' signature.

I ran Hijack this on the Gateway (though I did it in "not-Safe" mode before I read the guidelines), and have read the HijackThis Log Tutorial but am having difficult time decrypting/understanding. I did find something in the 020 section which I am wondering about:

020 - Winlogon Notify: igfxcui – C:Windows\System32\igfxsrvc.dll

I hope providing just this one is OK, I apologize if I made a mistake.

I read your “How to: Spyware, Trojan, and Virus removal” document which I plan to do ASAP (tonight & tomorrow) for all my computers, but are there any considerations for a home network such as I have? Today I was wondering maybe ALL my computers could be infected/zombied through the home network?!? Or is there anything else I should do? Thanks for any help.

 

A little about your trojan:
Trojan

As far as:
020 - Winlogon Notify: igfxcui – C:Windows\System32\igfxsrvc.dll
Go here to get info:
igfxsrvc.dll

I'll give you the standard spiel. After you finish the TUTORIAL send us a HJT log.

We ask that you please try to work through the following TUTORIAL first.
This site has alot of good tools for cleaning up your computer. It's very important that the first thing you do is the following:

First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal.
If you already have any of the programs linked in the tutorial please double check your version to make sure you have the latest one and that you have any/all updates for the programs.

NOTE: In order to resolve the issues you are having it is very important that you at least try to perform all the steps as outlined. If you have any difficulty please post back letting us know what steps you have completed, what you found while doing the scans if anything and details about any problems you have encountered in completing the steps. The more details you can provide the better.

Try this... you may find it's all you need. If not post your results and I am sure someone wll help you. Everyone is quite busy, as you can see by the number of posts, so hang in there. Good Luck!!

After doing ALL of the above if you still have a problem:

Make sure you have HijackThis 1.99.1 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, INCLUDING YOUR WEB BROWSER, e-mail. Close before running Hijack This!

To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder for example C:\Program Files\HJT

 

1 HijackThis attached - Troj_small and Troj_Dloader also found!

Thanks for the info! Worked on my computers until about 4 am doing the "READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal" stickey for my 3 computers. The Trend micro step found and deleted trojans on my other 2 computers also!! All 3 computers have been processed. Note that I am trying to keep unplugged from the net unless I am doing this kind of thing. Please advise if this is needed?

For the original problem computer:
The Trend Micro step found and removed 9 virus
: virus Java_bytever.b (1) ... and then 8 others same name ending with (2) or (3) etc.
Symantec online found Translate_c[1].htm is infected with Adware.cdt (this one started this adventure)
CCleaner removed 681 MB of stuff
AdawareSE full system scan found only 12 negligibles
Spybot found DSO exploit made 4 registry changes (fixed those)
Avert stinger (sorry, did this in wrong order, I will repeat if I should) found no problems, found 144934 clean files
CWshredder -> clean
Kill2me -> no sign of infection
TrojanScan - of memory and C: -> no sign of Trojans
RAV -> no viruses found

I am attaching the Hijack this file for the original problem computer. Let me know if I should provide similar info and attach Hijackthis files for the other 2 puters as well, and if so should I attach them separately?

I am seriously considering doing clean installs on all 3, and modifying my home network security, usage guidelines, and strategy...

 

Let's clean one computer at a time. You can post another HJT for the next one after we are done with this one. Stay in the same thread. We will get you started on a fix today.

 

Are you still having problems with this computer? If so what are they. Let's fix these few items.

Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now scan with HijackThis and Check the Boxes for the following:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

Again, make sure All Browser Windows are Closed when you Click FIX.


Let me know how your computer is running now and if you had trouble with the above instructions.

Good luck

 

Thanks, that was easy to do. That computer seems quicker than before... And sorry I took a while - I have been wrestling with my router a bit to try to increase security. I do not understand exactly how trojans, removal programs, hijackthis, etc, work, and so I am a more than a little bit paranoid .

I have had some maybe unusual events going on, for example, recently I had a web site (some security site I believe) tell me my internal IP was showing, and that might be a problem. I am trying to figure that out, seems unhealthy...

And I found this in my Norton worm internet protection log (probably just your usual blocking going on?):

Date Message
3/12/2005 2:55:28 PM Rule "Default Block Bla Trojan horse" blocked communication

Details: Rule "Default Block Bla Trojan horse" blocked communication.
Local address: All local network adapters(1042).
Process name is "C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe".

And the same thing seen 3/11/2005 4:21:06 PM, but maybe this happens all the time? Some misreading of Kerio Firewall?...

And during startup with this computer I am getting a box saying "Windows Installer preparing to install..." though nothing actually hapens, and then a box overlays that first box saying "Norton Antivirus 2005 does not support the repair feature, please uninstall and reinstall" - not sure what it is I am supposed to uninstall and reinstall, but at this point I am afraid to install anything (potential trojan?) that I don't understand..

Being newby, I am concerned that someone has my address in their sights, or that this might be consistent with worm/trojan/backdoor activity, so I was trying to change some of my router settings, my first thought was enable MAC addressing instead of DHCP.

Sorry about the confusing email. Thanks for the help.

ps - sorry, quick edit - should I go ahead and send hijack this file for another computer?

 

Submit HJT log for the same computer. I probably will clean up a few R0 and R1 lines and reset your web settings.. Let me take a look at the new HJT- same computer.

 

Here is the next HJT log for the same computer.

 

You look good to me. Are you having anymore problems? I will add one more fix but it is optional. If you decide to do it, do it all or none. Whatever you decide, go here and get your computer more protected. Protect youself

If you recognize these addresses and want to keep them then skip this fix completely and we will move to the next computer. Do the READ ME on it and submit a HJT log.

Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now scan with HijackThis and Check the Boxes for the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...aults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com

Again, make sure All Browser Windows are Closed when you Click FIX.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Let me know how your computer is running now and if you had trouble with the above instructions.

Good luck

 

Also, to be sure your clean from any "hidden" trojans that will not show up in a HJT log. You can run TrojanHunter.

1) Download TrojanHunter

2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

 

Thanks for the suggestion, I downloaded and it came back clean,with two issues:
1) it couldn't scan 8 files like this (just add in 1, 2, 3, etc after "DSOExploit"):
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip
2) it couldn't scan:
C:\hiberfil.sys Not scanned (in use by another application)
C:\pagefile.sys Not scanned (in use by another application)
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Not scanned (in use by another application)


Also ran TrojanScan online last night and it came back clean.

Trying now to get Adaware to run completely on the next highest priority computer (1999 Dell XPST 450 98se ) - it runs (regular or safe mode) only until it get into conditional scans. The rest all in safe mode: Spybot S&D'd came back clean and immunized OK, and ran CWshredder and Kill2me and aboutBuster and all had no problems.

 

Also, as soon as I get the Adaware run I will attach the next HJT file.

 

Computer #2's HJT file

Here is attached the next HJT file (2 of 3 expected). This is from Zippy, my Dell Inspiron 2650 laptop, running XPhome. (Note that the 1999 Dell computer I really want to send the HJT file for keeps freezing during the Adaware configuration scan step - strange because it was working fine yesterday - then I uninstalled it and then reinstalled it, plus the other programs needed for the repair, in the recommended location. Still trying to figure that out...)

Meanwhile, I have run the "Read me first..." stickey programs on Zippy. The following all were run in Safe mode. This computer came up trojan positive using TrendMicros virus scan in safe mode:

I wrote down that it was called:
Troj_Small.gl -> TrendMicro removed it successfully (it was gone on rescan).

The file the trojan was detected in was:
c:\Recyclers\s-1-5-21-126639907-2317538923-1809067083-1011\Dc42.e

TrendMicro security/spyware check found 18 critical cookies which were removed, and no viruses. The Symantec check came back negative, AVERT stinger found 135040 clean files. CCleaner removed a lot (can't remember#) files. Adaware found 1 problem (removed), Spybot fixed a few problems found and immunized the puter, and I ran spyware blaster, CWshredder, and Kill2me (nothing came up for the last two).

And here is the HJT from safe mode scan.

 

Do not submit HJT from safe mode. The reason is that some of the problems may not show up. What problemsare you having with this computer?

 

Ack, sorry about that, makes sense - I skipped that sentence this time.

Brief recap - I found a trojan on 1 computer on my home network (3 computers), so I checked the other 2 and found they also had trojans. There were no obvious severe symptoms like some people are having - just minor things, like this computer now beeps every once in while for some unclear reason (a symptom of infection I read somewhere). I just want to make sure that, having found the trojan on this computer, that there is nothing lurking gathering things it shouldn't, or using my computers to attack others.

Here is the reg-mode HJT file - bunch of things I don't recognize here. Sorry about the misteps... Thanks!

 

Do you recognize the following lines:
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FB16A80-B1FF-4676-BAC2-4B17928DD743}: NameServer = 10.10.10.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1FB16A80-B1FF-4676-BAC2-4B17928DD743}: NameServer = 10.10.10.1


Do you have a program on (maybe Spybot) that is restricting the changing of a home page. If so turn it off for the following fix and then you can turn it back on when you reboot to normal mode at the end.
We recommend that you get rid of WildTangent.

Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Please look in Add or Remove Programs for the following and Uninstall them if found:

WildTangent

Now scan with HijackThis and Check the Boxes for the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

Do you recognize this next line? If not fix it.
O16 - DPF: {31FD415A-1103-4329-B323-2DE693146C4E} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab

Again, make sure All Browser Windows are Closed when you Click FIX.

NOW:
Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

C:\Program Files\WildTangent--->The Folder

If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.

NEXT:
Run CCleaner and Spybot S&D and have Spybot fix what it finds.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Reboot to Normal Windows and Scan with HijackThis and attach that log. You can turn your home page restricter back on.
Let me know how your computer is running now and if you had trouble with the above instructions.

Good luck

 

Thanks much, I followed your instructions, and attached here is the HJT file.
I think the only potential complication is that I may have set up to restrict my home page changing, but I don't remember, and I couldn't find that function on Spybot. I hope this worked OK without the step of removing restriction?
The Spybot result was "no immediate threats were found".

If this one is done, I just have to get Adaware (stalls even all night at "conditional scans" stage) to run on my 3rd puter so I can finish that one too . Thanks!

 

Are you having any problems. Log looks good to me. You didn't answer my question tho.

If these are not a problem we can move on. Do the READ ME for the next computer and send HJT log.
You should check this out now: How to Protect yourself from malware!

Once everything seems OK be sure to turn System restore back on.

 

OK, Computer #3 next?

Seems OK, no problems as far as I can tell .
Also, sorry, I believe those "017"s are ok - that IP is my current router address. Thanks for the mallware info.

About the next computer ... I have run the READ ME except that I can't get Adaware to complete. Adaware seems to run apparently fine until it gets to the "conditional scans" step and then it stalls. I have tried it in regular and safe modes. I even let it run all night, and it still seems stalled - it doesn't always stall at exactly the same # objects scanned, but it is always around 120000 objects scanned. There are 3 critical objects at the stall point but since Adaware doesn't complete there is no opportunity to fix them.

In the scan summary it gives some non-random numbers....:
Objects scanned = 1234567890
Objects ignored = 4
Objects identified = 99999
Total new objects = 99 (it says this last one twice).

Adaware used to run fine - I am not sure when it began to act funny. Suggestions welcomed for how I should proceed? Thanks!

 

Go ahead and post the HJT if you have done the rest of the READ ME. Two down - one to go.

 

OK, here it is...

 

Please go here Geek and type in internat.exe. Look at the info and compare their startup names to yours and tell me what you think. You probably are OK but check it for me. Are you having any problems execept for Adaware scanning?

 

Thanks Geek is very useful site! I think everything makes sense in the HJT log (though I want to check the details and remove some unessentials in there) - the fine tuning will take a little while... this is all very interesting, so I like it in some strange way ...

Seems no problems except Adaware. I have searched around at the Lavasoft support site and Googled on this but haven't seen anything quite like this problem yet. I uninstalled and reinstalled Adaware, didn't work... and I have defragmented the drive and rerun Adaware (a suggestion for someone elses problem) but that didn't work. I could be wrong, but currently I feel like things are basically under control here in my lan, and that the Adaware problem is most likely an incompatibility I can figure out rather than an infection issue. If you think it makes sense, I would be happy to relinquish your help so you can help the many others who seem in more dire need, or maybe get some sleep, seems you are always on line helping... Thank you very much in any case!!!!!

 

Your Welcome

Glad you got it all fixed. You should check this out now: How to Protect yourself from malware!

It wouldn't hurt to fix some of the R1 lines.

Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

Now scan with HijackThis and Check the Boxes for the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINDOWS\system32\shdocpe.dll/asst.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://127.0.0.1:8080/proxyconf
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=127.0.0.1:80;gopher=127.0.0.1:80;https=127.0.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

Again, make sure All Browser Windows are Closed when you Click FIX.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to what you want or something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

Scan with HijackThis and attach that log.
Let me know how your computer is running now and if you had trouble with the above instructions.

Once everything seems OK be sure to turn System restore back on.

Good luck

 

Removed the R1s - those were on my list to probably fix too but I hadn't finished investigating - here is the last HJT file - hopefully I won't need your help again, but it is good to know you all are here! I'll use this as one of my general useful sites to track. Thanks again.

 

Your welcome

Glad you got it all fixed. You should check this out now: How to Protect yourself from malware!

If everything seems to be working OK then turn system restore back on.