Trojan Downloader

Discussion in 'Malware Help (A Specialist Will Reply)' started by jadentimes, Jul 24, 2006.

  1. jadentimes

    jadentimes Private E-2

    I have been invaded by the trojan downloader. It is also accompanied with major ad-pop ups and actually downloads other programs.

    I am running windows xp, and have mcafee virus and firewall. Well, as soon as mcafee cleans it, it reappears. I've tried spybot, windows defender, and all clean it, but it still comes back.

    I'm wet behind the ears when it comes to this type of thing, any and all help would be appreciated.
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi & Welcome

    If you follow our standard cleaning procedures, which are necessary for us to provide you support, we should be able to help remove these pests. Also, there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.


    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
  3. jadentimes

    jadentimes Private E-2

    Ok, sorry I didn't read that first.
     
  4. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    No need to be sorry, jadentimes ;)


    I know it looks like a lot to get through, but the steps are designed to get most of the malware off your PC and get us to a point where we just have the remaining bits to remove, which the requested logs will assist with.

    If you have any problems with any of the steps please do let us know and we will help you through them as best as we can :)
     
  5. jadentimes

    jadentimes Private E-2

    Trojan Downloader Help

    Hi all, again sorry for not following the "Read and Run Me First" Section
    I think I followed all the instructions and since following this section the following things are occurring. I am attaching the logs per your instructions and hopefully you can help me out. Thanks Dawn

    1. I still have adware in my taskbar that can't be closed; when you click on them, they go to a webpage
    2. McAfee is still showing continuously that a trojan has been detected and cleaned
    3. My computer is running very slow
    4. I am not able to connect to internet explorer at all, having to use mozilla right now.
    5. After completing steps, was no longer able to boot in safe mode (lost electricity after finishing, and when computer restarted, can no longer start in safe mode with networking)

    My system information is

    Windows XP Home Edition 2002
    Dell Dimension Dim 2400
    Celeron(R) CPU 2.4 GHz
    2.39 GHz 256 MB of Ram
     

    Attached Files:

  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. jadentimes

    jadentimes Private E-2

    Ok, just downloaded the things from the instructions. Now I really feel foolish asking this, but I have found the windows/system32 folder, and I see all the dll files, but I just started going down the list and am not finding these files you listed on my computer. Are these all supposed to be here? Just want to make sure. Thanks Dawn
     
  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If the files aren't there, they aren't there. Just continue with the procedure.
     
  9. jadentimes

    jadentimes Private E-2

    It appears the adware is gone after running the latest procedures, however the computer is running really sluggish and internet explorer still isn't loading. After going through the list of files to delete the only one found on my computer was spyquake2.com, which was deleted per instructions.

    I have enclosed my smitfiles and current hijack log.

    Again thanks for the help and sorry if some of my questions seem stupid. Dawn:)
     

    Attached Files:

  10. jadentimes

    jadentimes Private E-2

    Also there was no log for Vundo removal as there weren't any files. Thanks
     
  11. jadentimes

    jadentimes Private E-2

    As of today, the computer is back to redirecting my websites, popups, and my mcafee is constantly going on saying a trojan was cleaned and deleted. Not sure what to do now.
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  13. jadentimes

    jadentimes Private E-2

    I just ran all 3 scans and am attaching the text docs, hopefully I did it right and you can see what's going on. Just want you to know, whether my computer ends up getting fixed or not, I really appreciate the help. By the way, should I be uninstalling all these programs I've been downloading and do I need to save the text docs?
    Thanks Dawn
     

    Attached Files:

  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    << The installed version of Java on this computer is out-dated. Install version 1.5.0_07 available from http://java.sun.com/javase/downloads/index.jsp. Uninstall all older versions of Java on your computer, before installing the latest version of Java. >>

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time; we will do that later in Safe Mode.
    Close Notepad.

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  15. jadentimes

    jadentimes Private E-2

    I've just begun the process, but I got to this point below and only the 2nd file appeared in the misc tools section, do I just keep going?


    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Quote:
    C:\WINDOWS\system32\ac7f560e.exe
    C:\Program Files\Common Files\{0825CED8-0958-1033-1202-030512200001}\Update.exe
    C:\WINDOWS\system32\DOBE~1\iexplore.exe
     
  16. jadentimes

    jadentimes Private E-2

    I proceeded with all the instructions although some files weren't there, and have attached a new hijack log.
     

    Attached Files:

  17. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  18. jadentimes

    jadentimes Private E-2

    sorry resent the same message twice
     
    Last edited: Jul 30, 2006
  19. jadentimes

    jadentimes Private E-2

    New HiJack Log
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of sstqr.dll once and then click the kill button. After you have killed all of the sstqr.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Now just exit Process Explorer.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\rqtss.bak1
    C:\WINDOWS\system32\rqtss.bak2
    C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\rqtss.ini2
    C:\WINDOWS\system32\rqtss.tmp
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  21. jadentimes

    jadentimes Private E-2

    Ok, I just finished your instructions.

    Now when I first got the malware problem I was using internet explorer, the following things occurred

    1. I got adware pop ups
    2. my website was being redirected
    3. mcafee was constantly popping up saying it detected trojan downloader file
    4. my computer was running extremely slow

    So in order to get on line I've been using mozilla. Since I did your last instructions, I can't start internet explorer or mozilla, it says can't connect to the server---on both, and the computer is still running slow. However I rebooted in safe mode with networking and was able to connect to internet through mozilla.

    I've attached my latest hijack log. Am I doomed yet?


    Dawn
     

    Attached Files:

  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download Blacklight Beta from here:
    http://www.majorgeeks.com/F-Secure_BlackLight_d5156.html
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of log.
     
  23. jadentimes

    jadentimes Private E-2

    It didn't show any hidden files or process, but I have still attached the log.
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The sstqr.dll is still loading at system start. Follow the directions for the Virtumonde aka Trojan Vundo Removal procedure.

    Post the log from VundoFix and a fresh HijackThis log.
     
  25. jadentimes

    jadentimes Private E-2

    Ok I ran vundo fix, and again no files came up, so there's no log to post. I still included a new hijack log.
     

    Attached Files:

  26. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  27. jadentimes

    jadentimes Private E-2

    :confused: Here you go, after running runkey, the test box it was saving was empty, so I had to copy and paste and save to notepad in order to send you what the scan read.
     

    Attached Files:

  28. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Start by downloading two tools we will need

    - Process Explorer
    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    Note: Some of the below processes may not be running on your system. In that case just skip the process and continue to the next process.

    In the top section of the Process Explorer screen double click on smss.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of sstqr.dll once and then click the kill button. After you have killed all of the sstqr.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on winlogon.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on rundll32.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Next double click on wrssdk.exe and again click once on each instance of sstqr.dll and kill it. (If you do not find the dll, just continue on.)

    Repeat the above for geedc.dll and jkhfe.dll

    Now just exit Process Explorer.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\WINDOWS\system32\sstqr.dll
    C:\WINDOWS\system32\rqtss.bak1
    C:\WINDOWS\system32\rqtss.bak2
    C:\WINDOWS\system32\rqtss.ini
    C:\WINDOWS\system32\rqtss.ini2
    C:\WINDOWS\system32\rqtss.tmp
    C:\WINDOWS\system32\geedc.dll
    C:\WINDOWS\system32\cdeeg.bak1
    C:\WINDOWS\system32\cdeeg.bak2
    C:\WINDOWS\system32\cdeeg.ini
    C:\WINDOWS\system32\cdeeg.ini2
    C:\WINDOWS\system32\cdeeg.tmp
    C:\WINDOWS\system32\jkhfe.dll
    C:\WINDOWS\system32\efhkj.bak1
    C:\WINDOWS\system32\efhkj.bak2
    C:\WINDOWS\system32\efhkj.ini
    C:\WINDOWS\system32\efhkj.ini2
    C:\WINDOWS\system32\efhkj.tmp
    C:\Program Files\Common Files\{0825CED8-0958-1033-1202-030512200001}\Update.exe
    C:\WINDOWS\Cnnvrcoubg.lsf
    C:\WINDOWS\Dqcaupkgrgi.uwh
    C:\WINDOWS\Izcmhgk.yvb
    C:\WINDOWS\Khlwasc.vvf
    C:\WINDOWS\Ldymqxsg.kon
    C:\WINDOWS\Neibluv.hyl
    C:\WINDOWS\Nqelqocwxi.rrf
    C:\WINDOWS\Qapqpdbf.hsz
    C:\WINDOWS\Qcwmonrkqg.iac
    C:\WINDOWS\Qcwmonrkqg.iac
    C:\WINDOWS\Quwhtveofd.zaa
    C:\WINDOWS\SYSTEM32\btpanuib.dll
    C:\WINDOWS\SYSTEM32\qommmlk.dll
    C:\WINDOWS\SYSTEM32\ssqqrsp.dll
    C:\WINDOWS\Wbadzoocvqm.cyl
    C:\WINDOWS\YAXUninst.exe
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot just reboot your PC yourself.

    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
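
The Killbox list in the post above pairs each DLL with companion files whose base name is the DLL's name spelled backwards (sstqr.dll with rqtss.*, geedc.dll with cdeeg.*, jkhfe.dll with efhkj.*). The following Python script is an added example, not part of the thread or of any tool named in it: it groups such files from a directory listing and derives the companion paths to look for when only the DLL is known. The function names and the entries marked "constructed" are assumptions made for illustration.

```python
import ntpath  # parses Windows-style paths regardless of the host OS
from collections import defaultdict

# Companion extensions exactly as they appear in the post's file list.
COMPANION_EXTS = (".bak1", ".bak2", ".ini", ".ini2", ".tmp")

# Paths taken from the post above, plus entries labelled "constructed".
SAMPLE_PATHS = [
    r"C:\WINDOWS\system32\sstqr.dll",
    r"C:\WINDOWS\system32\rqtss.bak1",
    r"C:\WINDOWS\system32\rqtss.ini",
    r"C:\WINDOWS\system32\geedc.dll",
    r"C:\WINDOWS\system32\cdeeg.tmp",
    r"C:\WINDOWS\SYSTEM32\CDEEG.ini2",   # constructed: case variant of a listed file
    r"C:\WINDOWS\system32\jkhfe.dll",    # listed DLL, no companions in this sample
    r"C:\WINDOWS\SYSTEM32\btpanuib.dll",
    r"C:\WINDOWS\system32\abba.dll",     # constructed: palindrome name
    r"C:\WINDOWS\system32\abba.ini",     # constructed: ordinary app/config pair
]


def _parts(path):
    """Return (directory, stem, extension), lower-cased for NTFS-style matching."""
    directory, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    return directory.lower(), stem.lower(), ext.lower()


def expected_companions(dll_path):
    """Companion paths to check for when only the DLL name is known."""
    directory, name = ntpath.split(dll_path)
    stem, _ = ntpath.splitext(name)
    return [ntpath.join(directory, stem[::-1] + ext) for ext in COMPANION_EXTS]


def find_reversed_name_clusters(paths):
    """Map each DLL to the companion files in the same directory whose stem
    is the DLL's stem reversed. Palindrome stems are skipped: a file pair
    such as abba.dll / abba.ini is the normal program-plus-config layout."""
    companions = defaultdict(list)
    dlls = []
    for path in paths:
        directory, stem, ext = _parts(path)
        if ext == ".dll":
            dlls.append((path, directory, stem))
        elif ext in COMPANION_EXTS:
            companions[(directory, stem)].append(path)

    clusters = {}
    for path, directory, stem in dlls:
        if stem == stem[::-1]:
            continue  # reversed name equals the name; not this pattern
        matches = companions.get((directory, stem[::-1]))
        if matches:
            clusters[path] = sorted(matches, key=str.lower)
    return clusters


if __name__ == "__main__":
    for dll, files in find_reversed_name_clusters(SAMPLE_PATHS).items():
        print(dll)
        for f in files:
            print("   ", f)
```

A DLL that shows up in a cluster is a candidate for review alongside its companions, so the whole set is handled together rather than leaving the data files behind.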
     
  29. jadentimes

    jadentimes Private E-2

    Followed all the steps.

    The only 2 processes that were running from the list were

    winlogon.exe
    explorer.exe

    I deleted the sstqr.dll files, but geedc.dll and jkhfe.dll weren't present.


    At the end of the process, it did NOT say PendingFileRenameOperationsPrompt

    After reboot, it did say some mcafee components were damaged and to reinstall, mcafee is still running, but I didn't know if I should do a reinstall at this point.

    However was able to connect in normal mode to the internet through explorer and mozilla (I couldn't before), and it doesn't appear to be running as slow as before, I would say there was a 50 percent improvement.

    I have attached the latest hijack log

    Thanks Dawn
     

    Attached Files:

  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yes, your McAfee installation appears to be damaged. An uninstall, reboot, and install may be in order.

    Uninstall the P2P application Ares.

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot

    Post a fresh HijackThis log.
     
  31. jadentimes

    jadentimes Private E-2

    Ok, do I need to uninstall all the McAfee components? There's 3 in my add/remove programs
    (Firewall, virus scan, and the security center). Also I thought I already uninstalled Ares, as it's no longer in my add/remove programs, and the only icons for it are to set it up.

    Thanks Dawn
     
    Last edited: Aug 3, 2006
  32. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It is best to uninstall everything then reinstall. Make sure you are not connected to the internet while doing this.
     
  33. jadentimes

    jadentimes Private E-2

    Ok, reinstalled McAfee and have run a new hijack log. Sorry it took so long, my work hours have been crazy.

    Thanks Dawn
     

    Attached Files:

  34. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot

    Post a fresh HijackThis log.
     
  35. jadentimes

    jadentimes Private E-2

    Ok here's the new log. Thanks Dawn
     

    Attached Files:

  36. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is clean.

    How is your computer running?
     
  37. jadentimes

    jadentimes Private E-2

    Everything (programs and internet) seems to be working ok, I'm not experiencing the popups or the redirecting of the websites, however it seems to be running a little sluggish, slower than usual. When I click to open internet explorer or microsoft word, I get a blank screen and it takes longer to load.
     
  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The biggest drain I see on your system is the AOL Security Suite.
     
  39. jadentimes

    jadentimes Private E-2

    Yes I really don't have a lot of stuff on my pc. However I got mcafee virus and firewall through aol, so I have to have it. When I uninstalled it and reinstalled it, AOL has a different format. Before it was mcafee and all my updates went through their site, now it's AOL powered by mcafee. So now it goes through aol and not mcafee. I regret uninstalling mcafee now, but I had no choice, it was damaged.

    But I have dsl, and going from 1 page to another is very slow, should be quicker. I don't understand what's going on. Don't misunderstand, I'm grateful to be running at all, lol.

    Did you ever determine what I got that caused this whole mess? I know I clicked something trying to close out a website and it downloaded immediately without the cancel,save,run option.

    Just curious, thanks Dawn
     
  40. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You had a variant of Virtumonde (Vundo), also known as Wnfixer and WinAntivirus, that is particularly difficult to remove. We've been seeing a lot of these lately. You may have gotten infected in a drive-by install. Systems that don't have the latest version of Java are susceptible to this type of infection.

    Your last group of logs show the system is clean. Is it slow or just seems to be slow?
     
  41. jadentimes

    jadentimes Private E-2

    No, it's running slow. When I click on the start menu, and click on anything, the start menu stays up, like it's frozen or something, and then internet explorer or the program I click on doesn't load for a couple minutes. The whole time the start menu remains up. Thanks Dawn
     
  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, download both of these again, as they have been updated since you last downloaded the tools.

    Using GetRunKey
    Using ShowNew

    I'll take another look, see if there is something that wasn't showing previously.

    Post runkey.txt and newfiles.txt.
     
  43. jadentimes

    jadentimes Private E-2

    Here are both the logs. Thanks Dawn
     

    Attached Files:

  44. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Uninstall the following:
    Cowabanga by OIN
    Yazzle by OIN
    YazzleActiveX By OIN

    Boot to Safe Mode and delete the following:
    C:\WINDOWS\temp\t1155009832.dll
    C:\WINDOWS\temp\t1155009832.exe
    C:\WINDOWS\temp\TMP00000109FDBB6364975F754A
    C:\WINDOWS\temp\TMP00000014C248FB029EE7ABA8
    C:\WINDOWS\temp\TMP000000187C333E5195FB169D
    C:\WINDOWS\temp\TMP00000016904EDF12E56CF6BE
    C:\WINDOWS\temp\TMP00000017C593D54FD6F77520
    C:\WINDOWS\temp\TMP00000015D8C9731E2ADB83B1
    C:\WINDOWS\temp\TMP00000019E15CA2BDF90516DB
    C:\WINDOWS\temp\TMP0000001355DBA34F18C2EB10
    C:\WINDOWS\temp\TMP00000073AE970CEC0DDE81FC
    C:\WINDOWS\temp\TMP00000012F7E263E4D5B027AA
    C:\WINDOWS\temp\TMP0000001807E3AAC64AA8C5A3
    C:\WINDOWS\temp\TMP00000011E688AEFA2344B6AB
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155007361.dll
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155007361.exe
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155009844.dll
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155009844.exe
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155009845.dll
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155009845.exe
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155009850.dll
    C:\Documents and Settings\Dawn Bingham\Local Settings\Temp\t1155009850.exe

    Run CCleaner

    Reboot

    How is your computer running now?
     
  45. jadentimes

    jadentimes Private E-2

    Ok, well I'm not sure how this is possible at all, but here goes.

    I woke up the next day, and at this point I hadn't done the last instructions you gave me yet, however the speed seems to be back to normal. However I still went ahead and did the last instructions you gave. I'm not sure, but I think it's back to normal:) Hopefully that being said, this doesn't jinx me. Now I got to start on my mom's, lol.

    But I did have 2 more questions to ask...................

    1. Should I get rid of the aol mcafee virus scan and firewall and purchase it directly from mcafee? I want to be sure my computer's protected and I'm not sure of aol. Any recommendations?

    2. I think what you're doing to help people out is great, is there a way I can make a small donation (as I'm not a rich girl, lol) to say thanks for all your help?


    Anyway thanks so much, and hopefully my issue is over with! You're my hero Shadow!!!!!!!!!!!


    Thank you Thank you!!!!!!!!!!!!!!!!!!!!

    Dawn
     
  46. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You should dump the AOL Security Suite entirely. No, don't purchase McAfee. The people who write viruses test them against the top selling AV applications, which are Norton, McAfee and Trend Micro, before releasing the virus into the 'Wild'. These applications miss roughly 50% of all malware in the wild. What we recommend can be found in How to Protect yourself from malware!
    Thanks for the vote of confidence. No, we don't have a system in place to accept donations.
    You're welcome.

    One last thing to do: flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore

    Safe surfing.
     
