Universa dialer/trojan

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Searinox, Feb 28, 2006.

  1. Searinox

    Searinox Private First Class

    I have just recently become infected with a type of malware that neither Norton AntiVirus 2005 nor Ad-Aware SE 1.06r1 can detect. I've also tried ewido, and again no result...

    Every 5 minutes or so programs called "win****.tmp.exe" in my "Windows\Temp" folder start running. My ZoneAlarm firewall thankfully picks them up and warns me. If I let any of them run they download a program whose name I forgot (something with G, a few numbers, .exe) which Ad-Aware picks up as a trojan.

    The malware has also placed a new dialup connection in my Network Connections which dials "1". I have removed that. Upon inspecting the properties of the .tmp.exe files I've seen that they are all described as "Universa Application", language = Dutch, version = 1,0,0,0, and original file name = universa.exe.

    Another note I must make is that I've been studying their behaviour. Regedit.exe is opened and closed twice by the system whenever one of these apps is initialized.

    If anyone can help me, please do, because this is getting really frustrating. I can't even leave my computer on unattended for 2 hours because, although my firewall blocks the .tmp.exe files, if they can't get through more of them are made and run, each eating up about 8MB of RAM, and my computer crashes. So I have to keep my Task Manager open all the time and kill them whenever they pop up.

    I am running Windows XP Professional SP2, all the latest windows updates installed.

    And you may not know me, but I've been visiting this site a lot since the beginning of summer. Google has taken me here in my searches to remove spyware many times, and I have used advice found around here a lot.

    Here is my HijackThis log from a point where I let one of them nasty .tmp.exe files run. Hopefully having it "caught in the act" on the log will further help...
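    The indicators in the post above (droppers named win****.tmp.exe in Windows\Temp, version info reading "Universa Application" / universa.exe) are enough for a quick triage script. The following is an added example, not code from the thread or from any tool named in it. It assumes the four "*" are the four hex digits GetTempFileName() appends to its prefix, and it finds the version strings by scanning the raw file bytes for their UTF-16LE encoding (which is how VS_VERSIONINFO stores them) instead of parsing the PE resource tree. The sample files it scans are constructed stand-ins, not real malware, so it runs offline on any platform.

```python
"""Triage helper for the indicators described in the post: executables
named win####.tmp.exe in a temp folder, and/or PE files whose version
resource carries "Universa Application" or "universa.exe"."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import List

# Assumption: the four "*" in "win****.tmp.exe" are the four hex digits that
# GetTempFileName() appends to its prefix ("win" here).
TEMP_NAME_RE = re.compile(r"^win[0-9a-f]{4}\.tmp\.exe$", re.IGNORECASE)

# Strings the poster saw in the file-properties dialog. Version-resource
# strings are stored as UTF-16LE inside the PE's VS_VERSIONINFO resource, so a
# raw byte scan finds them without a PE parser (triage signal, not proof).
VERSION_MARKERS = ("Universa Application", "universa.exe")


@dataclass
class Finding:
    path: str
    is_pe: bool                       # file starts with the "MZ" DOS header
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def scan_file(path: str) -> Finding:
    """Classify one file by name pattern and embedded version strings."""
    with open(path, "rb") as fh:
        data = fh.read()
    finding = Finding(path=path, is_pe=data[:2] == b"MZ")
    if TEMP_NAME_RE.match(os.path.basename(path)):
        finding.reasons.append("name matches win????.tmp.exe")
    if finding.is_pe:  # only PE files carry a version resource
        for marker in VERSION_MARKERS:
            if marker.encode("utf-16-le") in data:
                finding.reasons.append(f"version string '{marker}'")
    return finding


def scan_dir(directory: str) -> List[Finding]:
    """Scan regular files directly under `directory` (no recursion: the post
    places the droppers straight in Windows\\Temp)."""
    findings = []
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            findings.append(scan_file(full))
    return findings


def build_sample_dir(root: str) -> None:
    """Constructed sample files (not real malware) covering each case."""
    def fake_pe(*strings: str) -> bytes:
        # Minimal DOS header stub followed by the strings as UTF-16LE, the way
        # they would appear inside a real version resource.
        body = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
        for s in strings:
            body += s.encode("utf-16-le") + b"\x00\x00"
        return body

    samples = {
        "win1A2B.tmp.exe": fake_pe("Universa Application", "universa.exe"),
        "winC3D4.tmp.exe": fake_pe("Some Other Program"),   # name only
        "setup.exe": fake_pe("universa.exe"),                # renamed dropper
        "notes.txt": b"mentions universa.exe but is plain text",
        "win9999.tmp": b"MZ not an .exe",                    # wrong extension
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample directory in a scratch folder, scan it, and return
    {file name: reasons} so the result can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return {os.path.basename(f.path): f.reasons for f in scan_dir(tmp)}


if __name__ == "__main__":
    # On a real box you would call scan_dir(os.environ["TEMP"]) instead.
    for name, reasons in demo().items():
        flag = "SUSPICIOUS" if reasons else "ok"
        print(f"{flag:10} {name:18} {'; '.join(reasons)}")
```

    A hit on the name pattern alone is weak (any program using GetTempFileName with a "win" prefix produces such names), which is why the script reports the reasons separately rather than a single verdict; the version strings are the stronger signal, and a renamed copy such as the constructed setup.exe is still caught by them.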
     
  2. Searinox

    Searinox Private First Class

    Sorry about double posting, but apparently I did not attach my HijackThis log to the post within the 5 minute limit. o.=.O;; ...anyways here it is.
     


  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com!

    Yes your HijackThis log does indeed show an infection. However you have not completed our tutorial.

    Please follow forum guidelines and perform cleaning steps in the sticky thread before posting HijackThis logs.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    - Run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support
    - Make sure you check version numbers and get all updates.

    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the link below to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky).
     
  4. Searinox

    Searinox Private First Class

    No more need, thank you. I have tracked down the culprits through Regedit and disabled the malware myself. I then used the BD and panda online scanners to remove what other stuff was left on my computer. It is working fine and clean now.
     
