TechSpot

Annoying malware keeps coming back

By Shigawire
Mar 5, 2007
  1. I have some files that re-emerge on my HDD every time I reboot.

    Checked them at virusscan.jotti.org

    c:\exen.exe 57kb
    AntiVir Found HEUR/Crypted (very little info)

    c:\msnpv32.exe 4kb
    AntiVir Found TR/Dldr.Small.DDT.2
    BitDefender Found Trojan.Downloader.Harnig.XB
    Norman Virus Control Found Suspicious_F.gen
    VirusBuster Found Packed/FSG

    plus some randomly named exe-files with 0kb data that can't be read apparently.

    AVG Anti-Spyware tells me:
    Trojan.ProcKill.DJ (high risk) -quarantine
    Downloader.Small.ehs (high risk) -quarantine
    TrackingCookie.Tribalfusion (medium risk) -delete
    TrackingCookie.Webtrendslive (medium risk) -delete
    TrackingCookie.Doubleclick (medium risk) -delete


    AVG Anti-Virus (Free Edition) tells me:
    Partition Table (MBR) - change
    c:\windows\system32\kernel32.dll - change
    c:\windows\system32\user32.dll - change
    c:\windows\system32\shell32.dll - change
    c:\windows\system32\ntoskrnl.exe - change
    c:\windows\system32\drivers\etc\hosts - change

    c:\documents and settings\Localservice\Local Settings\Temporary Internet Files\Content.IE5\0D2VWDI1\blcuuox[1].txt
    -Trojan Horse Downloader Generic 3 TKJ

    c:\documents and settings\Localservice\Local Settings\Temporary Internet Files\Content.IE5\652R2JG5\kmjnjriqhz[1].htm
    -Trojan horse Collected.Z

    c:\documents and settings\Localservice\Local Settings\Temporary Internet Files\Content.IE5\W3GL4HEB\blcuuox[1].txt
    -Trojan Horse Downloader Generic 3 TKJ

    c:\documents and settings\Localservice\Local Settings\Temporary Internet Files\Content.IE5\W3GL4HEB\llqum[1].htm
    -Trojan horse Collected.Z

    c:\documents and settings\Localservice\Local Settings\Temporary Internet Files\Content.IE5\W3GL4HEB\mvweuhreby[1].htm
    -Trojan horse Collected.Z


    Initially it made my computer unstable enough to produce BSOD - which I posted about in this previous thread:
    http://www.techspot.com/vb/topic71365.html

    The BSODs stopped after I repaired WinXP, probably because there were files that were corrupt in the TCP/IP stack. But I'm afraid it's only a temporary solution, as the tumor is still present, and may return.

    Any ideas?
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It's time for instructions again, I'm afraid.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT and AVG Antispyware logs as attachments into this thread, only after doing the above.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. bockman

    bockman TS Rookie Posts: 20

    howard you need a macro for that stuff :)
     
  4. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    I have already performed all those things, in that order. That was a given. :cool:

    But that didn't help. They return when I get into normal mode. I wonder if it's got something to do with my network connection being unavailable in safemode. As soon as the network connection is up, the exe-files start appearing on my harddrive.

    I've attached the AVG Spyware log from safemode, as well as Hijackthis log from normal mode.
    Hijackthis does not show me anything that I can say looks suspicious.
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It won't help unless you post the log files. ;) Now that you have, I can see that the system is badly infected.

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    WinTrust32
    Microsoft Validation Service
    DirectX multi version

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for (if there):

    wintrust32.exe
    wmiprsv.exe
    dxcombin.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    O21 - SSODL: Adobe Acrobat 5.0 - {284608D7-A95B-CF4B-64B2-7DB1DF62C13B} - c:\program files\adobe\acrobat 5.0\reader\wmlcedt32.dll

    O23 - Service: DirectX multi version - Unknown owner - C:\WINDOWS\system32\dxcombin.exe (file missing)

    O23 - Service: Microsoft Validation Service - Unknown owner - C:\WINDOWS\wmiprsv.exe

    O23 - Service: WinTrust32 - Unknown owner - C:\WINDOWS\system32\wintrust32.exe (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there):

    C:\WINDOWS\system32\wintrust32.exe
    C:\WINDOWS\wmiprsv.exe
    C:\WINDOWS\system32\dxcombin.exe

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, only then allow it to reboot and hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    This is the filepath you need to enter into killbox.

    c:\program files\adobe\acrobat 5.0\reader\wmlcedt32.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log and let me know if you're still having problems.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  6. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    Wow you are good Howard. Good and dedicated. Thanks.

    How the heck did you find out about that Adobe dll? You must be a living encyclopedia on malware or something. :)

    Now I suppose I must do some damage control. My Mozilla Firefox doesn't work properly, when I click a link it doesn't load it, I have to manually open a new tab/window and paste the link in there. Reinstalling Firefox now.

    Also, when I try to open Windows Update within "Internet Explorer", it forces the url into Firefox, and opens a blank IE window.

    HJT log:
     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Adobe .dll file was being run as an O23 service; this in itself was suspicious, as I've not seen it before.

    You still need to post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  8. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    Sorry, I have edited the post now.

    Also added my mentions of the oddities with IE and Firefox.

    Reinstalling Firefox didn't alleviate the problem of the links.
    Also, when I'm loading gmail.google.com, I can see in the bottom left that it's connecting to 127.0.0.1 (me). Why is this happening? It takes an unusually long time to load. I would think it's unnecessary to connect to myself when checking gmail.
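Shigawire's observation that gmail.google.com connects to 127.0.0.1, together with AVG flagging c:\windows\system32\drivers\etc\hosts as changed in the first post, is the pattern a hosts-file hijack produces. As an added example (not from the thread or any tool it mentions), a small audit over a constructed hosts file; the entries in SAMPLE_HOSTS are hypothetical:

```python
# Added example (not from the thread): audit a Windows hosts file for entries that
# send well-known names to loopback or elsewhere, one way a trojan redirects or blocks sites.
from typing import List, Tuple

# Constructed sample resembling a tampered hosts file (hypothetical entries).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       gmail.google.com
0.0.0.0         windowsupdate.microsoft.com   # null-routed, blocks updates
10.0.0.5        www.example-bank.test         # sent to another host
"""

# Names that legitimately map to loopback on a stock Windows/Unix host.
STANDARD_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs; strips comments, blank lines and extra whitespace."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()  # one IP, one or more names per line
        pairs.extend((ip, n.lower()) for n in names)
    return pairs


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag every non-standard name with a reason.

    Caveat: Spybot S&D's hosts immunisation deliberately adds many 127.0.0.1
    lines for known bad domains, so a hit here is a prompt to inspect the
    entry, not proof of infection."""
    flagged = []
    for ip, name in parse_hosts(text):
        if name in STANDARD_LOCAL:
            continue
        reason = "blocked/loopbacked" if ip in LOOPBACK_OR_NULL else f"redirected to {ip}"
        flagged.append((ip, name, reason))
    return flagged
```

Run it against the real file by reading `C:\Windows\System32\drivers\etc\hosts` into `text`; any flagged mail, bank or update domain explains a browser "connecting to 127.0.0.1" symptom directly.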
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean. However, I'd like you to do the following.

    We need to temporarily disable Spybot Search & Destroy's TeaTimer, as it may interfere with any fix we are trying to run.

    Disable Spybot's TeaTimer. This is a two step process.
    First:
    - Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
    - Choose Exit Spybot S&D Resident
    Second:
    - Open Spybot S&D
    - Click Mode, check Advanced Mode
    - Go To Left Panel, Click Tools, then also in left panel, click Resident
    - If your firewall raises a question, say OK
    - Uncheck the box labeled Resident Tea-Timer and OK any prompts.
    - Use File, Exit to terminate Spybot
    - Reboot your machine for the changes to take effect.

    Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there):

    Fix all R1 and R0 entries.

    Click on the fix checked button.

    Close HJT and reboot your system.

    Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path".
    Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree to the terms and conditions displayed by AVG and click "OK" to reboot the PC. Reconnect to the net.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Download the Autoruns programme from HERE. When the programme runs, click options and make sure the "Hide Microsoft Entries" is ticked. Click the file menu and select refresh. Click the save icon and save the Autoruns log to wherever you want.

    Attach the Autoruns log here.


    Let me know the results of the rootkit scans and if you're still having problems.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    Nothing from the anti-rootkits.

    Autoruns log
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your Autoruns log looks clean.

    As far as I can tell, your system is completely clean.

    Open IE and click tools/internet options. In the window that appears click the Delete files button and tick the box that says to delete all offline content. Click ok/ok. Click the programmes tab and tick the box that says "Internet explorer should check to see whether it is the default browser" Click apply/ok and close IE.

    Now try running Windows updates and see what happens.

    I don't know why you're having problems with Firefox; I'm afraid that's a mystery to me.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  12. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    Ok thanks for all the help buddy.

    Actually this problem with Firefox ONLY happens in gmail as far as I can see.
    When I click links in gmail, it refuses to open. I must right-click and "open in new tab" or "open in new window". Then it works. Will try the IE stuff.

    One thing:

    Every time I run AVG Anti-Virus, it keeps stating the following files have "changed", whatever that means:

    Partition Table (Master Boot Record)
    kernel32.dll
    user32.dll
    shell32.dll
    ntoskrnl.exe
    system32\drivers\etc\hosts

    Also, it found 1 (just 1):
    c:\documents and settings\Localservice\Local Settings\Temporary Internet Files\Content.IE5\85EXUTG3\blcuuox[1].txt
    -Trojan Horse Downloader Generic 3 TKJ

    AVG Anti-Spyware found these:
    TrackingCookie.StatCounter (medium)
    TrackingCookie.Tacoda (medium)
    TrackingCookie.Burstnet (medium)


    What do you think about this? Doesn't seem like my PC is 100% clean yet.

    Here's my HJT log:
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean as a whistle.

    It's quite normal for AVG antivirus to give you that message. See HERE for further info.

    AVG Antispyware is just finding tracking cookies. These are nothing to worry about and can be got rid of by running the Ccleaner programme.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    Thanks buddy.
     
  15. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    Sometimes I experience that Kerio firewall gives me a message:

    "Cannot connect to service" with a red "ok" box. Sometimes I lose my internet connection after this. Not because of my actual internet connection, but because of something on the computer, because then I can't even connect to my wireless gateway. Maybe I shouldn't have Kerio firewall when I already have a hardware wireless firewall? Could they conflict?

    What you think ?
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I can't really comment on Kerio, as I've never tried it myself. I've always used Zonealarm.

    Apparently, the Comodo firewall is the dog's business. I did try it myself once, but didn't like it. I think that was more to do with the fact I've used Zonealarm for such a long time, rather than any fault with Comodo.

    I don't think your hardware firewall should have any problems with a software firewall.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. Shigawire

    Shigawire TS Rookie Topic Starter Posts: 58

    I am observing that a number of connections are being blocked on my HW Firewall WLAN Router (Dlink Gamerlounge).

    Here's a little part of the log:

    [INFO] Wed Mar 14 21:52:17 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.15 to 81.191.46.65
    [INFO] Wed Mar 14 21:51:17 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.63 to 81.191.46.65
    [INFO] Wed Mar 14 21:51:01 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.56 to 81.191.46.65
    [INFO] Wed Mar 14 21:50:17 2007 Blocked incoming UDP packet from 155.239.175.222:1029 to 81.191.46.65:137
    [INFO] Wed Mar 14 21:50:17 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.32 to 81.191.46.65
    [INFO] Wed Mar 14 21:50:01 2007 Blocked incoming TCP packet from 207.210.14.85:63903 to 81.191.46.65:2988 as RST:ACK received but there is no active connection
    [INFO] Wed Mar 14 21:50:01 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.54 to 81.191.46.65

    A few minutes earlier there's also some outgoing traffic being blocked:

    [INFO] Wed Mar 14 21:42:23 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 83.30.88.252
    [INFO] Wed Mar 14 21:42:17 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 86.148.202.142
    [INFO] Wed Mar 14 21:42:13 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.36 to 81.191.46.65
    [INFO] Wed Mar 14 21:42:12 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 212.187.116.231
    [INFO] Wed Mar 14 21:42:07 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 72.72.134.72
    [INFO] Wed Mar 14 21:41:58 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.64 to 81.191.46.65
    [INFO] Wed Mar 14 21:41:56 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 83.243.106.1
    [INFO] Wed Mar 14 21:41:54 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 69.159.107.85
    [INFO] Wed Mar 14 21:41:54 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 65.15.20.149
    [INFO] Wed Mar 14 21:41:51 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 88.23.22.193


    It may have been related to my using µTorrent at the time, I have no idea, but I don't think so, because it happens even after I have turned it off. Again nothing new on the HJT log. In any case, the internet connection is a bit sketchy at times.
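The router log above is easier to judge once each blocked line is classified. As an added example (not from the thread or from D-Link), the following parses a subset of the quoted lines and counts what was blocked; the category names and the reading of each category are the example's own, based on standard ICMP/NetBIOS semantics, not anything the router reports:

```python
# Added example (not from the thread): parse D-Link "Blocked ... packet" log lines and
# summarise them by what they most likely are, so noise can be separated from concern.
import re
from collections import Counter
from typing import Dict, Optional

# A subset of the log lines posted in the thread, embedded as sample input.
SAMPLE_LOG = """\
[INFO] Wed Mar 14 21:52:17 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.15 to 81.191.46.65
[INFO] Wed Mar 14 21:51:17 2007 Blocked incoming ICMP packet (ICMP type 8) from 66.203.120.63 to 81.191.46.65
[INFO] Wed Mar 14 21:50:17 2007 Blocked incoming UDP packet from 155.239.175.222:1029 to 81.191.46.65:137
[INFO] Wed Mar 14 21:50:01 2007 Blocked incoming TCP packet from 207.210.14.85:63903 to 81.191.46.65:2988 as RST:ACK received but there is no active connection
[INFO] Wed Mar 14 21:42:23 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 83.30.88.252
[INFO] Wed Mar 14 21:42:17 2007 Blocked outgoing ICMP packet (ICMP type 3) from 192.168.0.184 to 86.148.202.142
"""

LINE_RE = re.compile(
    r"^\[(?P<level>\w+)\] (?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) "
    r"Blocked (?P<dir>incoming|outgoing) (?P<proto>ICMP|UDP|TCP) packet"
    r"(?: \(ICMP type (?P<icmp>\d+)\))? from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: as (?P<reason>.*))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; returns None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    src_ip, _, src_port = d["src"].partition(":")  # "ip:port" for TCP/UDP, "ip" for ICMP
    dst_ip, _, dst_port = d["dst"].partition(":")
    return {"dir": d["dir"], "proto": d["proto"],
            "icmp_type": int(d["icmp"]) if d["icmp"] else None,
            "src_ip": src_ip, "src_port": src_port or None,
            "dst_ip": dst_ip, "dst_port": dst_port or None, "reason": d["reason"]}


def classify(ev: dict) -> str:
    """Defender's reading of a blocked packet (category names are this example's own)."""
    if ev["proto"] == "ICMP" and ev["dir"] == "incoming" and ev["icmp_type"] == 8:
        return "inbound_ping"          # echo request: scanners/background noise, dropped by design
    if ev["proto"] == "UDP" and ev["dst_port"] == "137":
        return "netbios_probe"         # NetBIOS name service: classic worm/scanner traffic
    if ev["proto"] == "TCP" and ev["reason"] and "no active connection" in ev["reason"]:
        return "stale_tcp_reply"       # reply for a session the router no longer tracks (P2P leftovers)
    if ev["proto"] == "ICMP" and ev["dir"] == "outgoing" and ev["icmp_type"] == 3:
        return "outbound_unreachable"  # LAN host answering peers still hitting a closed port
    return "other"


def summarise(text: str) -> Dict[str, int]:
    """Count blocked packets per category; lines the regex does not match count as 'unparsed'."""
    counts: Counter = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        counts[classify(ev) if ev else "unparsed"] += 1
    return dict(counts)
```

A run over the real log file (one line per entry) that is dominated by these four categories is the normal picture for a home router after a BitTorrent session; an "outbound" category that is not ICMP type 3 is the kind of line worth a closer look.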
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I don't think that's a problem.

    That's what your hardware firewall is supposed to do.

    Having said that, please post a fresh HJT log and I'll give it a quick look.

    Regards Howard :)

    This thread is for the use of Shigawire only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
Topic Status:
Not open for further replies.
