WinFix 2005 & Troj_crypt.n

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by jreid, Oct 15, 2005.

  1. jreid

    jreid Private E-2

    I've completed all the steps 1 through 7 to remove spyware and malware.
    I was able to run everything in safe mode.

    I'll complete step 9 as soon as I know this crud is off my computer.


    I have attached the logs for Bitdefender as well as the HiJack This log.
    The following is the log for RavAntivirus:
    Scan started at 10/15/2005 11:06:35 AM

    Scanning memory...
    Scanning boot sectors...
    Scanning files...
    C:\WINDOWS\system32\Rlstard\bot.txt - IRC/Generic* -> Suspicious
    C:\WINDOWS\system32\scortyinb\psexec.exe - Backdoor:Win32/Sdbot -> Infected
    C:\WINDOWS\system32\scortyus\psexec.exe - Backdoor:Win32/Sdbot -> Infected
    C:\WINDOWS\system32\secortiy\psexec.exe - Backdoor:Win32/Sdbot -> Infected

    Scanned
    ============================
    Objects: 90558
    Directories: 7339
    Archives: 1937
    Size(Kb): 2024591
    Infected files: 3

    Found
    ============================
    Viruses found: 1
    Suspicious files: 1
    Disinfected files: 0
    Mail files: 112


    Trend Micro's virus scan found the Troj_crypt.n virus in
    c:\windows\system32\sstt.dll

    I found the entry in HijackThis at line O20 Winlogon Notify. HijackThis found another as well, but I'm not sure about that one; it was not found in any of the scans. I was going to remove both, but I thought I'd better upload my logs and see what you guys suggested first.

    Thanks
    jreid
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have a load of problems. Let's start by following the steps in the below link. The two lines you will be concerned with while running these steps are:

    O2 - BHO: MSEvents Object - {52B1DFC7-AAFC-4362-B103-868B0683C697} - C:\WINDOWS\system32\ssttt.dll
    O20 - Winlogon Notify: ssttt - C:\WINDOWS\system32\ssttt.dllC:\WINDOWS\system32\ssttt.dll

    Virtumonde aka Trojan Vundo Fix w/ Tool

    After that, post a new HJT log and we will continue with your other problems.

    Is [AccuWeatherDesktopAlerts] something you knowingly installed?
     
  3. jreid

    jreid Private E-2

    Yeah I thought there were a lot of problems.

    I had AccuWeather on my computer at one time but have since removed it; that [AccuWeatherDesktopAlerts] entry must not have been deleted.

    I attached the new log.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your antivirus up to date with current definitions?

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKLM\..\Run: [Systmesy] Systmesy.exe
    O4 - HKLM\..\Run: [SystemResources2] SystemFix2534.exe
    O4 - HKLM\..\Run: [WindowsReg% update] hblphnqceqj.exe
    O4 - HKLM\..\Run: [Task manager] Taskx.exe
    O4 - HKLM\..\Run: [winprocessor Update] winprocessor.exe
    O4 - HKLM\..\Run: [internatx] internatx.exe
    O4 - HKLM\..\Run: [WinXp Updater] winxp32.exe
    O4 - HKLM\..\RunServices: [Systmesy] Systmesy.exe
    O4 - HKLM\..\RunServices: [SystemResources2] SystemFix2534.exe
    O4 - HKLM\..\RunServices: [WindowsReg% update] hblphnqceqj.exe
    O4 - HKLM\..\RunServices: [Task manager] Taskx.exe
    O4 - HKLM\..\RunServices: [winprocessor Update] winprocessor.exe
    O4 - HKLM\..\RunServices: [internatx] internatx.exe
    O4 - HKLM\..\RunServices: [WinXp Updater] winxp32.exe
    O4 - HKLM\..\RunServices: [Updater System] systemrey.exe
    O4 - HKCU\..\Run: [SystemResources2] SystemFix2534.exe
    O4 - HKCU\..\Run: [Systmesy] Systmesy.exe
    O4 - HKCU\..\Run: [WindowsReg% update] hblphnqceqj.exe
    O4 - HKCU\..\Run: [Task manager] Taskx.exe
    O4 - HKCU\..\Run: [winprocessor Update] winprocessor.exe
    O4 - HKCU\..\Run: [WinXp Updater] winxp32.exe
    O4 - HKCU\..\Run: [Configuration Loader] systimn.exe
    O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    You should consider removing (maybe uninstall works too) PartyPoker too.
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll

    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
    O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_awda/client/download/TNPLDownloader.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Owner\Desktop\Downloads\Spyware Tools\CWShredder\cwshredder.exe (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    c:\windows\system32\Systmesy.exe
    c:\windows\system32\SystemFix2534.exe
    c:\windows\system32\hblphnqceqj.exe
    c:\windows\system32\Taskx.exe
    c:\windows\system32\winprocessor.exe
    c:\windows\system32\internatx.exe
    c:\windows\system32\winxp32.exe
    c:\windows\system32\systemrey.exe
    c:\windows\system32\systimn.exe
    C:\Program Files\AccuWeatherDesktopAlerts <--- the whole folder
    C:\Program Files\AWS <--- the whole folder

    If you get an error when deleting a file, right-click on the file and check whether the read-only attribute is checked. If it is, uncheck it and try again. Otherwise, open Task Manager and kill the process if it is running, then delete the file.

    Now run CCleaner (installed while running the READ ME FIRST). Then, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
  5. jreid

    jreid Private E-2

    Hi Chaslang,

    Everything seems to be running smoothly now. Thank you!!!!


    I completed the clean up last night and so far I have not run into any redirections on my IE and no WinFix pop ups. I attached the most recent HJT log for your review.

    I now want to work on setting up my system for better protection. But I have a question. I am using the Norton Internet Security suite and I have LiveUpdates once a week. I have to renew by the end of the month, but I'm wondering now if this is the best service to use. I have been looking at some of the freeware antivirus and firewall programs listed on the site. Would I be better off using one of them? I'm thinking about testing one of them for the next couple of weeks and making a decision on whether to renew Norton or go with the other.

    The site indicates that Norton is a system hog, and I can attest to that: my start-up is annoyingly slow, and I believe it is because of Norton loading up.

    Any thoughts would be appreciated.

    Thanks again!

    jreid
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you miss this one line:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    It is a remnant from running HSremove which you did not need to run!

    Yes, Symantec is a hog, as is McAfee. If you like Symantec and like getting the LiveUpdates, and you can deal with it hogging a load of your CPU, stick with it. If you want to experiment, you will have to uninstall Symantec, because leaving it in place while trying to use other tools would cause a double slowdown and also possible software conflicts.

    Your log is clean. To help keep it that way, follow the steps in the below (this will answer some of your questions too):

    How to Protect yourself from malware!
     
  7. jreid

    jreid Private E-2

    Hi Chaslang,

    I saw that in the new log as well. I know I checked it. I double checked everything before I ran the fix. Oh well. If it won't cause a problem I'll just leave it.

    I have done everything on the How to protect yourself page. Just deciding what to do with Symantec: keep it or dump it.

    Anyway that's my issue.

    Thanks for everything!

    jreid
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can try fixing the HSremove line again and see what happens. It will not hurt anything but it should go away unless something is blocking changes to your start page (like MS Antispyware or similar). If you try to change it and you get a message about a change to your start page, you must allow the change.

    You're welcome.
     