Trojan Horse Downloader & _iu14D2N.tmp

Discussion in 'Malware Help (A Specialist Will Reply)' started by Algraze, May 21, 2006.

  1. Algraze

    Algraze Private First Class

    Hey guys! :)

    Yesterday, while running a routine AV scan, AVG discovered Trojan Horse Downloader Ist which it immediately "healed." I rescanned my computer with AVG, Ad-Aware and Spybot S&D (all in safe mode and updated) and finally with Panda ActiveScan; however, it failed to detect anything else.

    Trying to be thorough, I ran a Bit Defender online scan and it uncovered wineil.dll but failed to fix and/or delete it. Not being able to erase it manually (not even with Explorer XP and in Safe Mode) I opted to install - update - and run (safe mode) Ewido Antimalware which effectively detected wineil.dll / High Risk / Trojan Agent.qt in C:\WINDOWS\system32 and deleted it after rebooting. I rescanned for a third time using ALL of the aforementioned programs, and to my relief, the results were pristine.

    HOWEVER... today ZoneAlarm Pro started to act up: services.exe requesting to load drivers (NMSCFG), launch programs (alg.exe) and use the internet (which it had never done before). Viewing the program list in ZA Pro, two files keep appearing, named _iu14D2N.tmp and GLB1.tmp, so I deleted them from the list, but they reappeared after I rebooted my PC, so clearly something is loading them back up. Searching for the files (show hidden files is ON) I still can't find them.

    If AVG, Adaware, Spybot, Ewido, Panda and Bitdefender can't detect these files, what is the best tool I can use to detect and remove them?

    ___________________________________
    Windows XP Professional - SP2
    Intel Pentium III
    512 MB Ram
    ___________________________________


    PS - Since all the antimalware scans came back clean I'm attaching an HJT log so maybe you can take a look and help me out.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run ALL steps in the READ & RUN ME (standard operating procedure) and you must attach the two logs requested in step 6 for us to see. According to your HJT log you have not even run Bitdefender nor have you run Windows Defender.
     
  3. Algraze

    Algraze Private First Class

    Hey Chaslang!

    Like I said before, AVG found and healed Trojan Horse Downloader Ist, then Bit Defender uncovered wineil.dll but failed to fix and/or delete it, so I ran Ewido which effectively deleted it.

    I then rescanned my PC following ALL the steps in the READ & RUN ME but all of those tools showed there was no infection now. (That's why I didn't post any of the results: they all showed no infection.)

    Despite the positive results from all these scans, ZoneAlarm Pro started to show services.exe requesting to load drivers, launch programs and use the internet (which it had never done before). In the program list _iu14D2N.tmp and GLB1.tmp kept reappearing after every reboot, even after deleting them from the list several times.

    I went ahead and spent all night rescanning my PC following your read & run me guide. I've attached all the results.

    Thank you in advance for taking a look at them, and helping me out. :)
     

    Attached Files:

  4. Algraze

    Algraze Private First Class

    Attached is the fresh HJT log I still owed you. Don't know if you need anything else...

    (BTW - Here is a screenshot of the clean results from Ad-aware, Spybot and the Malicious Software Removal Tool)
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I would like to get some more info on the C:\WINDOWS\system32\WPDShServiceObj.dll file. Locate it again using Windows Explorer and then right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    Make sure viewing of hidden files is enabled (per the tutorial).
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
    O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)

    After clicking Fix, exit HJT.

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.
     
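The HijackThis lines chaslang singles out above share two tells: entries whose target is gone from disk ("(no file)", "(file missing)") and HKCU policy keys that lock Internet Explorer settings. The following is an added example, not part of the original thread or of HijackThis itself, showing how those tells can be triaged mechanically. The four O6/O9/O20 lines are copied from the post; the O4 line is a constructed benign control, and the flagging rules are this example's own assumptions.

```python
"""Triage HijackThis (HJT) log lines for orphaned persistence entries and IE policy locks.

Added example: the regex and the flagging rules below are assumptions of this
example, not HijackThis behaviour. The O4 sample line is constructed; the O6,
O9 and O20 lines are the ones chaslang asked to Fix in post #5.
"""
import re
from dataclasses import dataclass

# Constructed sample log (first line is a benign control entry).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O20 - Winlogon Notify: wineil32 - wineil32.dll (file missing)
"""

# HJT marks a registration whose target no longer exists with one of these.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# "O20 - Winlogon Notify: ..." -> section "O20", body "Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    body: str
    reason: str


def classify(section, body):
    """Return a one-line reason if the entry deserves attention, else None."""
    orphaned = any(marker in body for marker in ORPHAN_MARKERS)

    if section == "O20" and body.startswith("Winlogon Notify:"):
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon, a
        # classic persistence point; a dangling one is leftover from a removal.
        if orphaned:
            return "Winlogon Notify registration whose DLL is gone: leftover key, remove it"
        return "Winlogon Notify DLL present: verify publisher and signature of the DLL"

    if section == "O6":
        # Policy keys under HKCU\...\Policies hide or lock IE settings; a home
        # user normally has none, and malware sets them to block cleanup.
        return "IE policy restriction under HKCU Policies key: hides/locks IE settings"

    if orphaned:
        return f"orphaned {section} entry: its target no longer exists on disk"

    return None


def triage(log_text):
    """Parse HJT-style lines and return the entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an HJT entry line (headers, blank lines)
        reason = classify(m["section"], m["body"])
        if reason:
            findings.append(Finding(m["section"], m["body"], reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.body}")
```

An orphaned entry is usually harmless on its own, which is why the advice in the thread is simply to let HJT remove the key; the value of flagging it is that it shows *where* the removed component had hooked itself (here, Winlogon Notify), which tells you what else to check for the same family.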
  6. Algraze

    Algraze Private First Class

    WPDShServiceObj.dll
    C:\WINDOWS\system32
    Size 51.0 KB (52,224 bytes)

    Company: Microsoft Corporation
    File Version: 5.2.5358.4826 (WMP_11.060419-0011)
    Internal Name:
    Language: English (United States)
    Original File Name: WPDSHSERVICEOBJ.DLL
    Product Name: Microsoft® Windows® Operating System
    Product Version: 5.2.5358.4826

    Since AVG hopefully caught that Trojan Horse Downloader Ist in time, I can't really say there have been many symptoms; except of course, if you count the mysterious appearance of wineil32.dll and the persistence of _iu14D2N.tmp and GLB1.tmp in the ZoneAlarm program list, despite having been deleted from it, again and again.

    Now, wineil32.dll can't be found anywhere on my 'puter :) ; however, the two tmp files keep on reappearing in the ZA program list. In order to prevent either of the two from accessing more resources I opted for using the [Kill] Trust Level. Since then, no more ZA popups from services.exe requesting drivers, programs or access to the internet.

    (New HJT log attached)
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your HJT log is clean! The two files you mentioned could just be due to an installation program (an installer) that was run and needed permission through your firewall at some point. They were probably in a Temp folder somewhere. You should get properties info and path information on them from ZoneAlarm to really figure out what they are for.
     
  8. Algraze

    Algraze Private First Class

    Any idea as to why those two temp files keep reappearing after every reboot, and why was services.exe all of a sudden requesting to load drivers (NMSCFG), launch programs (alg.exe) and use the internet?

    The popups only stopped as soon as I used the Kill Trust Level in the programs list.


    EDIT: There's a Windows alert stating that the temp files can't be found... (Attachment)
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install a new video card recently or new drivers for a video card?

    When does the popup from Windows occur?

    None of this sounds like malware to me.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also what about a new network interface card or new drivers?
     
  11. Algraze

    Algraze Private First Class

    Yes and yes! I updated the drivers for the Intel 82815 Graphics Controller and the Intel PRO/100 VE Network Connection, about a week ago from the Intel Website. Could that be it?

    When I right clicked the temp items in the Zone Alarm program list and selected [Properties], the popup saying those files can't be located showed up. Pressed [Ok] and it went away.
     
  12. Algraze

    Algraze Private First Class

    Here's something I neglected to mention previously -->

    Right after AVG healed the Trojan Horse Downloader Ist and Ewido deleted the wineil32.dll, ZoneAlarm Pro started showing up all these popups having to do with MsMpEng.exe (Windows Defender) so I uninstalled Windows Defender thinking that the Trojan somehow got to those files. Shortly after uninstalling Windows Defender the services.exe popups started to appear.

    I did a quick google search on the temp files that ZA listed in their Program Control section, and both of them (_iu14D2N.tmp and GLB1.tmp) showed up as possible malware.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well actually there is nothing that I saw that truly claims to know exactly what GLB1.tmp is. Some sites do claim that it is adware but there is no proof given nor is there any description of exactly what it is supposed to be. There are also links that imply it is from a program installer but they also do not say for what. All I can say is find the files and delete them if they actually exist.

    Give this procedure a run and attach the log from WinPfind: Running WinPfind by OldTimer

    I have seen references to GLB1.tmp running from a folder like:
    C:\Documents and Settings\username\Local Settings\Temp\GLB1.tmp

    where username is the actual user account login name. Anything running from a Temp folder should not be required anyway. You could just empty the contents of this Temp folder for all user accounts on the PC.
     
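Chaslang's point that nothing legitimate needs to keep running out of a per-user Temp folder is easy to check without guessing at file names. The following is an added example, not part of the original thread: it walks the profile layout from the path quoted above (each user's Local Settings\Temp) and reports files whose name matches what ZoneAlarm listed, plus any file that is really a PE executable (starts with the "MZ" header) regardless of its extension. The profile root is a parameter so it can be exercised on a constructed directory tree; the tree built by `build_constructed_tree` is sample data, not files from the thread, and nothing here deletes anything.

```python
"""List executables lurking in every user's Local Settings\\Temp folder.

Added example, not from the original thread. Assumes the Windows XP profile
layout chaslang quotes: <root>\\<username>\\Local Settings\\Temp. The file
names watched by default are the two from the ZoneAlarm program list.
"""
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # DOS/PE header: an .exe or .dll no matter what it is called


def is_pe_file(path):
    """True if the file begins with the PE 'MZ' signature."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def user_temp_dirs(root):
    """Yield <root>/<user>/Local Settings/Temp for every profile that has one."""
    for profile in Path(root).iterdir():
        temp = profile / "Local Settings" / "Temp"
        if temp.is_dir():
            yield temp


def find_pe_in_temp(root, watch_names=("_iu14D2N.tmp", "GLB1.tmp")):
    """Return sorted (path, reason) pairs for watched names and PE files under Temp."""
    watch = {name.lower() for name in watch_names}
    hits = []
    for temp in user_temp_dirs(root):
        for p in temp.rglob("*"):
            if not p.is_file():
                continue
            if p.name.lower() in watch:
                hits.append((str(p), "name matches a program in the ZoneAlarm list"))
            elif is_pe_file(p):
                ext = p.suffix or "(none)"
                hits.append((str(p), f"PE executable with extension {ext} in Temp"))
    return sorted(hits)


def build_constructed_tree(root):
    """Write a small constructed profile tree (sample data for the demo)."""
    files = {
        "Alice/Local Settings/Temp/GLB1.tmp": b"not a PE, but a watched name",
        "Alice/Local Settings/Temp/setup_helper.tmp": b"MZ\x90\x00" + b"\x00" * 60,
        "Alice/Local Settings/Temp/notes.txt": b"plain text, ignored",
        "Bob/Local Settings/Temp/helper.dll": b"MZ\x90\x00",
        "Bob/Desktop/game.exe": b"MZ\x90\x00",  # outside Temp: not reported
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the constructed tree in a scratch directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_tree(root)
        return find_pe_in_temp(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

A PE file in Temp is not proof of anything by itself; installers routinely unpack helpers there, which is exactly chaslang's explanation for the two files. The check is useful because it turns "search for a name I can't find" into "show me everything executable that is sitting where nothing should be running from", and each hit can then be checked for a publisher and version tab as described for WPDShServiceObj.dll earlier in the thread.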
  14. Algraze

    Algraze Private First Class

    Did installing new drivers for my network and graphics cards have anything to do with all this?


    Edit: Attached is the WinPfind Log :)
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You tell me! Did you install any new hardware or new drivers/software for them lately?
     
  16. Algraze

    Algraze Private First Class

    Yes, Chaslang I updated both my network and graphics card drivers about a week ago from the Intel Website (Look at Post #11 :D )

    • Intel 82815 Graphics Controller
    • Intel PRO/100 VE Network Connection
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Somehow that post slipped by me. But I don't see what the problem is! The files are gone! What's the problem? If you don't want them in your ZoneAlarm file listing then just delete them from the list.
     
  18. Algraze

    Algraze Private First Class

    I just brought it up because you asked me if I installed new drivers, that's all...

    As for the tmp files the problem was that they kept reappearing after I deleted them and rebooted, as soon as you said they really weren't malware (which was my main concern) I just deleted them from the ZA list, and forgot about them.

    I'm guessing that the WinPfind log was fine, so I just want to thank you for all the advice and time spent helping me out. Really appreciate it Chaslang. :)

    Take care man.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Surf safely!
     
