Okay, does anyone know these malware?


GN48

Hi, can anyone tell me what a Trojan horse Constructor.DTO is? And also what a Rogue.Crusader is as well. How I found these: the first, my AVG found, and the second, my Malwarebytes found. Any clues on what these do or what they are? I even scanned with this: http://www.virustotal.com/, and amazingly they didn't pick up anything with their 10+ AV and other scanners! Should I ignore these malware types?
 

Attachments

  • mbam-log-2010-01-09 (23-53-49).txt (1.4 KB)
Those are spyware. Most Trojans don't do any damage by themselves; they open portals to let the real nasty stuff come in and take hold.

Have you seen the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

We like to begin there, and have you attach the 3 logs required. Take your time and follow the instructions carefully. If you flag this malware, you are probably already infected. It's only a matter of time before things start going downhill.
 
Those are spyware. Most Trojans don't do any damage by themselves; they open portals to let the real nasty stuff come in and take hold.

Have you seen the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions

We like to begin there, and have you attach the 3 logs required. Take your time and follow the instructions carefully. If you flag this malware, you are probably already infected. It's only a matter of time before things start going downhill.

If those are, this must be one as well: Trojan Horse Sher2/CELT!
How'd spyware get installed?

I will review the 8-step Viruses/Spyware/Malware Preliminary Removal Instructions.
 
8 step preliminary removal instructions for malware and such done

So, does this in any way relate to how my user account password was changed? Well, when I first tried to log in, someone somehow changed my password so I couldn't log in, but luckily I had a password resetter on my USB so I could reset my password! Haha! I'm always one step ahead of ya! So now I can log in, strange no? hmmmmm..... I think someone's onto me.......

Anyways, I've done the 8 steps, and here are my results as follows:

AVG Full system scan: http://farm5.static.flickr.com/4001/4267438367_1a802c5d42_o.jpg - all I got was tracking cookies.

CIS My Computer Scan: http://farm3.static.flickr.com/2741/4268183740_3b10c7f97b_o.jpg - nothing.

CIS Critical Area Scan: http://farm3.static.flickr.com/2733/4267438483_2318d676d6_o.jpg - nothing again.

My logs are in the attachments, make sure you read them.

hmmm, how come Malwarebytes didn't manage to pick up those infected files with Rogue.Crusader?
 

Attachments

  • mbam-log-2010-01-12 (00-45-17).txt (1,007 bytes)
  • SUPERAntiSpyware Scan Log - 01-12-2010 - 01-36-16.log (465 bytes)
  • hijackthis.log (10.7 KB)
Please understand that the people who help you here are all volunteers. Most of us try to provide you with information you need to resolve your problem. That information will include directions about running a program if one is suggested.

You're changing your focus so let's try to get back on track. If you are willing to do that, I will help you. I'm hoping you'll get rid of the edge you seem to have.
My logs are in the attachments, make sure you read them.

hmmm, how come Malwarebytes didn't manage to pick up those infected files with Rogue.Crusader?
The malware on the first Mbam log was found. Here's the description of it: http://remove-malware.net/how-to-remove-crusader-antivirus-rogue-anti-spyware/

When you ran Malwarebytes the first time, you did not do this:
Make sure that everything is checked, and click Remove Selected.

So all of the entries for the malware show No Action Taken or more simply put, the malware was found and was still on your system.
c:\program files\game folder\nodtronics pty ltd\50 Blockbuster Games (Volume 1)\Games\Crusaders Of Space\Cos.exe (Rogue.Crusader) -> No action taken.
I don't know where you downloaded Malwarebytes or why you decided to run only it, instead of following the steps we ask you to. Had you done that- even if you chose only to run Malwarebytes, you would have seen this line in the instructions: More simply put, you did not read the directions- so forget coming down on Malwarebytes!

As for this:
huh? so now you want to compare Avast with AVG now eh?
Get rid of that attitude, okay? You want help? Follow what we ask you to do, taking care to read the directions carefully.

I'm ignoring all those other links you threw in.

Please print out the directions I give you so you can follow them as you go along.

You're behind in updates. This leaves your system more vulnerable: Platform: Windows Vista SP1. So somewhere along the line you should do this:
Visit the Microsoft Download Site frequently.
You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2

It also looks like the AVG is outdated. You should be running v9.

Please reopen HijackThis to 'do system scan only'. Check each of the following if present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = currently used by Eih_TCSN (I cannot identify this entry- can you?)
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)> IOBit
R3 - URLSearchHook: (no name) - *{707db484-2428-402d-afb5-d85b387544c7} - (no file)> Mario
O1 - Hosts: ::1 localhost
O2 - BHO: Mario Forever Toolbar - {707db484-2428-402d-afb5-d85b387544c7} - (no file)

Are you aware or did you set a restriction in the Control Panel? IF you did or are aware of it, leave it. If you did not, check for removal:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all Windows except HijackThis and click on "Fix Checked."

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

    Important! Save the renamed download to your desktop.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
      [image: RcAuto1.gif]

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [image: whatnext.png]

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the Combofix report, the Eset scan log and a new HijackThis log after a rescan in your next reply.
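One way to read the two logs the way the helper does, as an added Python example that is not from the thread or from either tool: it flags Malwarebytes entries that ended with "No action taken" (found but still on the system) and HijackThis hooks that point at "(no file)". The log lines are constructed samples; the first MBAM line and the R3/O2 entries copy the thread's own.

```python
import re

# Constructed sample in the shape of a Malwarebytes 1.x log. The first
# entry mirrors the one quoted in the thread; the others are made up.
MBAM_LOG = r"""
Files Infected:
c:\program files\game folder\nodtronics pty ltd\50 Blockbuster Games (Volume 1)\Games\Crusaders Of Space\Cos.exe (Rogue.Crusader) -> No action taken.
C:\Users\Example\AppData\Local\Temp\setup_tmp.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Example\AppData\Roaming\helper.dll (Adware.Generic) -> Delete on reboot.
"""

# Constructed HijackThis lines; the R3/O2 entries copy the thread's, the
# last O2 line is made up to show a hook whose file still exists.
HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {707db484-2428-402d-afb5-d85b387544c7} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: Mario Forever Toolbar - {707db484-2428-402d-afb5-d85b387544c7} - (no file)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
"""

# path (detection) -> action.   Paths may themselves contain parentheses,
# so the non-greedy path group backtracks until " -> " follows the match.
MBAM_ENTRY = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

def mbam_unresolved(log_text):
    """Return (path, detection) for every item Malwarebytes only reported.

    Malwarebytes writes the action it took after '->'. 'No action taken'
    means nothing was quarantined, so the detection is still present.
    """
    unresolved = []
    for line in log_text.splitlines():
        m = MBAM_ENTRY.match(line.strip())
        if m and m.group("action").lower().startswith("no action taken"):
            unresolved.append((m.group("path"), m.group("detection")))
    return unresolved

HJT_ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")

def hjt_orphans(log_text):
    """Return HijackThis entries whose target file no longer exists.

    '(no file)' marks a registry hook (URLSearchHook, BHO, ...) left behind
    by an uninstalled toolbar; these are the lines to tick for Fix Checked.
    """
    orphans = []
    for line in log_text.splitlines():
        m = HJT_ENTRY.match(line.strip())
        if m and "(no file)" in m.group("body"):
            orphans.append(m.group("section") + " - " + m.group("body"))
    return orphans

if __name__ == "__main__":
    for path, detection in mbam_unresolved(MBAM_LOG):
        print(f"still present: {detection}: {path}")
    for entry in hjt_orphans(HJT_LOG):
        print("orphaned hook:", entry)
```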
 
Please understand that the people who help you here are all volunteers. Most of us try to provide you with information you need to resolve your problem. That information will include directions about running a program if one is suggested.

You're changing your focus so let's try to get back on track. If you are willing to do that, I will help you. I'm hoping you'll get rid of the edge you seem to have.



The malware on the first Mbam log was found. Here's the description of it: http://remove-malware.net/how-to-remove-crusader-antivirus-rogue-anti-spyware/

When you ran Malwarebytes the first time, you did not do this:
Make sure that everything is checked, and click Remove Selected.

So all of the entries for the malware show No Action Taken or more simply put, the malware was found and was still on your system.

I don't know where you downloaded Malwarebytes or why you decided to run only it, instead of following the steps we ask you to. Had you done that- even if you chose only to run Malwarebytes, you would have seen this line in the instructions: More simply put, you did not read the directions- so forget coming down on Malwarebytes!

Alright, I take that back. The link: http://remove-malware.net/how-to-remove-crusader-antivirus-rogue-anti-spyware/ you gave, my "WOT" detected it and said it has a poor reputation. It also enter site at own risk, read what this link tries to say about that site: http://www.mywot.com/en/scorecard/remove-malware.net I don't know enough of that site you wanted me to go on, so I'm going to just ignore that link for now.

Where I downloaded Malwarebytes; from the 8 steps Preliminary instructions to remove them Malwares at techspot.com. That's where I got mine. Why I decided to run only that, just wanted to test how well it would perform.


As for this:

huh? so now you want to compare Avast with AVG now eh?

Get rid of that attitude, okay? You want help? Follow what we ask you to do, taking care to read the directions carefully.

sorry.....I just wanted some attention around here....

I'm ignoring all those other links you threw in.

Those links are images the outcome of the scans.

Please print out the directions I give you so you can follow them as you go along.

You're behind in updates. This leaves your system more vulnerable: Platform: Windows Vista SP1. So somewhere along the line you should do this:
Visit the Microsoft Download Site frequently.
You should get all updates marked Critical and the current SP updates: Windows 2000 > SP4, Windows XP > SP2, SP3, Vista > SP2

Okay, for the Windows updates, I can't update them automatically. Every time I update Windows automatically and it restarts, eh? It restarts, then says something was wrong, then reverts to the previous stage. I've done this like 5 times; I am not willing to do it a 6th. Those updates cost me about 1 - 2 hrs just to keep an eye on that! It just doesn't work. If I knew how to update it manually I would do so, but seeing how I don't, I just ignored the updates....

It also looks like the AVG is outdated. You should be running v9.

I am running v9! AVG Anti-virus Free 9! it even says so in windows!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = currently used by Eih_TCSN (I cannot identify this entry- can you?)

Yeah, uh, I modified the window title so it would show you who it is that's currently using IE. I used Spyware Blaster to change that.

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)> IOBit
R3 - URLSearchHook: (no name) - *{707db484-2428-402d-afb5-d85b387544c7} - (no file)> Mario
O1 - Hosts: ::1 localhost
O2 - BHO: Mario Forever Toolbar - {707db484-2428-402d-afb5-d85b387544c7} - (no file)
Are you aware or did you set a restriction in the Control Panel? IF you did or are aware of it, leave it. If you did not, check for removal:
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Do these relate to the IE toolbars I disabled earlier which I hardly use? If yes then yes.

I will follow the rest.
 
Yeah, uh, I modified the window title so it would show you who it is that's currently using IE. I used Spyware Blaster to change that.

I'm familiar with rebranding Internet Explorer where the name of an ISP is removed or changed, but this is a new one to me!

If you no longer use the toolbars, uninstall them. That goes for programs, utilities, et al. that you no longer use. If you can't find them in Add/Remove Programs, you can use the Windows Installer Cleanup Utility: http://majorgeeks.com/Windows_Installer_CleanUp_Utility_d4459.html
 
Okay.....

Close all Windows except HijackThis and click on "Fix Checked."

Please download ComboFix HERE:
  • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
  • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.

    Important! Save the renamed download to your desktop.
    • Double click on the setup file on the desktop to run
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console.
    • When prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
      (Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.)
    • Query- Recovery Console image
      [image: RcAuto1.gif]

    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [image: whatnext.png]

    • Click on Yes, to continue scanning for malware.
    • When finished, it will produce a log. Please include the C:\ComboFix.txt in your next reply.
    Notes:

    • 1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the ActiveX control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Please leave the Combofix report, the Eset scan log and a new HijackThis log after a rescan in your next reply.


Uh, do I need to do all that, since I've explained a bit more details? Because I haven't started yet :D

Oh, and the reason why I didn't remove the files that were infected with the 'Rogue.Crusader' thing is because if I do that, then I would be missing part of the files needed to run the game. And also I didn't think it was that much of a threat.
 
Please go elsewhere to get help. I don't have time to answer your second guesses for every reply I make.

You got irritated because a file wasn't deleted. I told you why. Now you refuse to delete it. So enjoy your game and rogue.
 
huh?

Please go elsewhere to get help. I don't have time to answer your second guesses for every reply I make.

You got irritated because a file wasn't deleted. I told you why. Now you refuse to delete it. So enjoy your game and rogue.

I thought you guys here were nice talkative people :(

Either that or you're just one of those people who are serious about things and don't like to talk too much.

I haven't refused to delete those files yet.
 
Wow

Bobbye,
Some people don't "get it" but I do... If you visit my thread I promise I will follow all instructions without attitude. I could use the help and understand you are all volunteers with better things to do. :)

Thanks
 
GN48, my volunteer job here is to help people like you clean up the malware on their computer systems. this forum is very busy- there are more infected systems than there are people to help clean them.

This is not a social chat forum. It takes time, patience and a lot of searching to clean up malware. I am a nice person. In the right venue, I 'talk.' I am serious about what I do here and that doesn't leave room to socialize.

Oh and the reason why I didn't remove the files that were infected with the 'Rogue.Crusader' thing is because if I do that, then I would be missing part of the files needed to run the game
I haven't refused to delete those files yet.

Yes, you did. It's not negotiable.

Why don't you ask Tmagic to come play with you!? I've done all the work already.
 
My bad Bobbye, I'll try to get serious next time okay? I'm a nice person too. But sometimes I get carried away and start posting replies that, you know, add a bit more things to the thread, if you know what I'm talking about :D

Oh and about this thread, I wanted to add another question to this: https://www.techspot.com/vb/topic141415.html
Seeing how you said:
You already have a malware thread going in this forum. Include questions in that. You have almost 20 threads now, beginning 5 days ago.

Oh and Bobbye, if you're willing to help me out here, I'll take all the help you are willing to give me, alright, and I won't, I'll try not to get carried away this time. Give me a thumbs up and I'll start the rest of what you left me to do that I didn't do because I got carried away. :)

If not, then I'll just forget about this.
 