trojan-spy.win32mx problem

dade · Oct 25, 2006

Guys

have this problem on the bosses laptop.

keep getting a balloon in the task bar telling me i have above trojan.

http://i100.photobucket.com/albums/m26/alanlawless/popups.jpg

it doesnt seem to be coming from our office AV because the last admin didnt install any on this machine.

Also not sure if its related but when i try a windows update im getting the following

http://i100.photobucket.com/albums/m26/alanlawless/ieerror.jpg

Ive ran spybot and it found

gain.dashbar
Zlob.homepagemonitor
GAIN.gator
pesttrap

and removed them then i ran Ad Aware it found the following first time

MALWAREWIPE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[129]=Regkey : clsid\{9dfd0a51-6176-5770-217c-a5bcd7e6f3e2}

SPYWARESTORMER
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[130]=Regkey : clsid\{205ff73b-ca67-11d5-99dd-444553540000}

VIRUSBURST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[131]=Regkey : interface\{fd34eb96-89fa-43cc-9c37-d1d5b099d28f}
obj[132]=Regkey : interface\{f7f932d6-a6be-4273-9950-ecbd72170dbf}
obj[133]=Regkey : interface\{ee2eac90-8b01-49d4-b46c-8e02bda1f3b4}
obj[134]=Regkey : interface\{d648067c-e5d2-4bb8-ad86-a993b8793a52}
obj[135]=Regkey : interface\{d0722752-35b5-44e1-a14a-e2a44c41f509}
obj[136]=Regkey : interface\{ca74bafc-1f0c-49b1-8a76-5d55085e71fb}
obj[137]=Regkey : interface\{c36464a1-2d2f-4804-aaf6-f5bd62536adb}
obj[138]=Regkey : interface\{bf8a0e53-f417-413a-b849-b5c0086eef8a}
obj[139]=Regkey : interface\{b660cde9-526e-41fe-ab41-773d78bee31e}
obj[140]=Regkey : interface\{9188a88d-3d41-4eb6-a7d8-0f6a5266f685}
obj[141]=Regkey : interface\{6b067ed9-4aec-474e-b67e-85ef417d68ba}
obj[142]=Regkey : interface\{4f4a0564-17de-4eb2-b29e-6d2e167a3be0}
obj[143]=Regkey : interface\{4130008c-5697-4ef5-9ede-ef8f9f10d524}
obj[144]=Regkey : interface\{3e37c978-9e24-42fa-b021-b56caafdb694}
obj[145]=Regkey : interface\{19dacf08-a207-4271-aa22-c138f512e787}
obj[146]=Regkey : interface\{0065cdbc-2439-4365-a7e7-bf5b853bf49d}
obj[147]=Regkey : clsid\{d6ecda42-ad6f-f8c3-03ea-5834841adec3}

ADWARE.GAIN.DASHBAR
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[148]=RegValue : software\microsoft\internet explorer\main "Search Bar"
obj[149]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057870.dll
obj[150]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057871.exe
obj[151]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057872.dll
obj[152]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057873.dll
obj[153]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057874.dll
obj[154]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057875.dll
obj[155]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057876.dll
obj[156]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057877.dll
obj[157]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057878.dll
obj[158]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057879.dll
obj[159]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057880.dll
obj[160]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057881.dll
obj[161]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057884.dll
obj[162]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057885.dll
obj[163]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057886.dll
obj[164]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057887.dll
obj[165]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057888.dll
obj[166]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057889.exe
obj[167]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057890.exe
obj[168]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057892.exe

but nothing the second time. same with spybot.

Also installed AVG and found

downloader.zlob.eom
downloader.zlob.eok
generic3.ewr

all in c\program files\pornpass manager I deleted this folder before but it seems to reapppear there was actually an uninstall option in add remove programs so i used this. there was also an app in "c\program files" called virus blaster there was just an exe file here so i deleted the folder.

HiJackThis Log after all the above

Edit: Removed inline HJT log for guide to be actioned

any help at all would be great

DavidGP · Oct 25, 2006

Hi and Welcome

Best option and the one we do insist on being run first as it gives us a known base to start from and all the relevent info on what infections are infesting the PC, is to follow the below guide.

The infections that are highlighted in the obj[149]=File : C:\System Volume Information\_restore{B42A8BEA-1977-4C5B-A298-8E364ADD95E3}\RP110\A0057870.dll lines are stored in the System Restore points and are safe their for the moment until all the other malware has been removed first, then those can be flushed by turning off System Restore and turning it back on again ( BUT dont do that yet )

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

CounterSpy - ONLY IF you were not able to run Windows Defender

Bitdefender - from step 6

Panda Scan - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

dade · Oct 26, 2006

Halo said:

B]

CounterSpy - ONLY IF you were not able to run Windows Defender

Bitdefender - from step 6

Panda Scan - from step 6

runkeys.txt - the log from GetRunKey.bat

newfiles.txt - the log from ShowNew.bat

HijackThis

[/LIST]NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
Click to expand...

ok ran through that and attaching first lot of\files

dade · Oct 26, 2006

two other files

dade · Oct 26, 2006

sorry about all the posts my time limit keeps running out

ran ccleaner
ran spoybot for the second time came up clean
tried windows defender but couldnt update it. so tried counterspy. see previous post for log.
then did bitdefender

after that was panda online (previously posted)
then ran

getrunkey and shownew.

checked out the special removal section and tried teh instructions for Win32.zlob because it was previously found in spybot and in AVG scans, but found nothing there.

finally ran hijackthis and have attached log.

popups seem to have vanished now. I still have the issue using the windows update site.

DavidGP · Oct 26, 2006

Hi you will need to re-run Hijackthis as it was not run as per the guide in that it needs its executable name, re-named as many newer malwares will not show up.

C:\hijackthis\HijackThis.exe needs to be C:\hijackthis\analyze.exe

dade · Oct 26, 2006

ok thats done and attached

chaslang · Oct 28, 2006

I'm going to post two sets of instructions below. Each will be enclosed in separate Quote boxes. Make sure to complete the first one 100% before moving on to the second one.

STEP 1: Complete this procedure completely including attaching the requested log before doing the second procedure.

Download SmitfraudFix (by S!Ri) to your Desktop.

Extract all the files to your Destop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

Note:process.exe ( which is used my SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consulting/proc...processutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!
Click to expand...

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING. Ask any questions that you may have before starting.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. Again, if there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Reboot your computer into Safe Mode : Starting your computer in Safe mode

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Now reboot into normal mode and attach this new rapport.txt log here.
Click to expand...

Now attach new logs from:

GetRunKey

ShowNew

HJT

How are things working now?

dade · Nov 1, 2006

OK rapport 1 is the smitfraudfix report for the first step

rapport 2 is the log for stage 2

also included new hjt log

system seems to be running fine now.

dade · Nov 1, 2006

runkeys and show new logsattached

chaslang · Nov 3, 2006

Your logs are clean!

If CounterSpy is the free trial version from the READ ME, you should uninstall it now unless you are going to buy it.

You also need to Uninstall the below old versions of software:
J2SE Runtime Environment 5.0 Update 3

Now install the current version of Sun Java from: Sun Java Runtime Environment

If you are not having any other malware problems, it is time to do our final steps:

If we used Pocket Killbox during your cleanup, do the below

Run Pocket Killbox and select File, Cleanup, Delete All Backups

If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.

If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.

If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.

If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.

You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created

If you are running Windows XP or Windows ME, do the below:

go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

Then reboot and Enable System Restore to create a new clean Restore Point.

After doing the above, you should work thru the below link:

How to Protect yourself from malware!

dade · Nov 3, 2006

cheers mate i'll take care of all that today. thanks for the help

chaslang · Nov 3, 2006

You're welcome! Surf safely!

Log in or Sign up

trojan-spy.win32mx problem

dade Private E-2

DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

dade Private E-2

Attached Files:

Activescan.txt

newfiles.txt

runkeys.txt

dade Private E-2

Attached Files:

counter.txt

hijackthis.log

dade Private E-2

Attached Files:

BitDefender Online Scanner -Scan Report.txt

DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

dade Private E-2

Attached Files:

analyse.log

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

dade Private E-2

Attached Files:

rapport - 1.txt

rapport 2.txt

hijackthis.log

dade Private E-2

Attached Files:

newfiles.txt

runkeys.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

dade Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member