Trojan Downloader - Almost Fixed?

Status
Not open for further replies.
'evenin' all!

Something keeps downloading (or otherwise generating) virus infected EXE files in my Contents.IE5 and Windows/Temp folders. AVG Free does find these and treats them accordingly, but I feel that it's treating a symptom while missing the cause. Cue a frantic bout of Googling which brought me here. Before I go any further, it should be noted that I make full use of my router's hardware firewall at the network perimeter, while my machine itself is protected by Tiny Personal Firewall and ProcessGuard. The latter two were disabled for all the following procedures, an unplugged network cable being the best line of defence along with a spare machine, in this case smugly running Linux.

Having followed the obligatory system cleaning instructions (Trojan Pakes and other nasties...) up to the point of submitting an HJT log and the system still not being clean, I decided to pay the good people at AVG some money, by way of a change, and purchased the AVG Anti Malware suite. I then went through the page again, saving all my log files a second time. The only thing that's different is that I'm using AVG Anti Malware, which is Anti Virus and Anti Adware rolled into one. (This didn't find anything incidentally)

Most of the other tools did report something however, so I fixed the findings and re-ran the tools until they all scanned clean. I'm still not using the system though, because the HJT log has one line in it that's making me suspicious: what's up with {FDD3B846-8D59-4ffb-8758-209B6AD74ACC}?

Many thanks for looking at this for me, it really is appreciated!

Mup.
 
Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off System Restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except Notepad). Click the Scan button. Have HJT fix the following, by placing a tick in the little box next to each one (if there).

O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\LiveUpdate Client\PtLUWorker.exe

O20 - Winlogon Notify: winqhz32 - C:\WINDOWS\SYSTEM32\winqhz32.dll

Click on the fix checked button.

Close HJT.

Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the delete file on reboot button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, only then allow it to reboot, and hopefully your files will now be deleted.

This is the filepath you need to Enter into killbox.

C:\WINDOWS\SYSTEM32\winqhz32.dll

Once your system has rebooted, turn system restore back on and rehide your protected OS files.

Post a fresh HJT log and let me know how your system is running.

Regards Howard :)

This thread is for the use of muppet only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
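The HijackThis lines Howard lists are autostart records. As an added example (not code from the thread, from HijackThis or from Killbox), this Python parser turns O4 and O20 log lines into structured entries, maps them to the registry keys those sections represent (a well-known mapping, stated here as an assumption), and flags the "(file missing)" form as an inactive entry; the sample log is constructed from the lines quoted above plus one assumed-benign control entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the lines quoted in the thread plus one ordinary
# HKCU Run entry (ctfmon.exe, assumed benign) as a control.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PtLiveUpdate] C:\Program Files\Common Files\Pumatech Shared\LiveUpdate Client\PtLUWorker.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: winqhz32 - C:\WINDOWS\SYSTEM32\winqhz32.dll
O20 - Winlogon Notify: winqhz32 - winqhz32.dll (file missing)
"""

# Registry keys behind the HJT section codes (well-known mapping, assumed here).
RUN_KEYS = {
    "HKLM": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?)\s*$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?\s*$")

@dataclass
class Entry:
    section: str        # HJT section code: O4 or O20
    name: str           # value name (O4) or Notify subkey name (O20)
    path: str           # file the entry points at, as HJT printed it
    reg_key: str        # where the persistence record lives
    file_missing: bool  # HJT reported the target file as absent

def parse_line(line: str) -> Optional[Entry]:
    """Parse one O4 or O20 HJT log line; other sections return None."""
    m = O4_RE.match(line)
    if m:
        return Entry("O4", m["name"], m["path"], RUN_KEYS[m["hive"]], False)
    m = O20_RE.match(line)
    if m:
        return Entry("O20", m["name"], m["path"], NOTIFY_KEY + "\\" + m["name"],
                     m["missing"] is not None)
    return None

def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def triage(entry: Entry) -> str:
    """Defender's note per entry: dead entries are safe to fix; live O20 DLLs
    are loaded into winlogon.exe at logon and deserve a publisher/hash check."""
    if entry.file_missing:
        return "inactive: file missing, fix the entry in HJT"
    if entry.section == "O20":
        return "review: Winlogon Notify DLL runs inside winlogon.exe; verify publisher and hash"
    return "review: autostart program; remove from Run if not needed at startup"
```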
 
Hi Howard,

Did as you instructed and it all seems to be still working ... which is nice! :)

The spurious virus infected files would rear up about once or twice an hour under normal PC use, and as I've spent a grand total of 3 minutes since applying the fix I can't tell if it really is fine, but so far so good. Having done some more Googling (with another machine) while waiting for the patient to reboot I understand the need to kill winqhz32.dll, but why ask HJT to fix Pumatech Shared\LiveUpdate Client\PtLUWorker.exe? Slightly puzzled by this, but the Palm still seems to sync OK so that's the main thing.

The attached HJT log shows a file missing for winqhz32.dll (as expected, but it's nice to have a confirmation) so should I run HJT again and remove that entry also?

Many thanks once again, owe ya one!

Mup.
 
Have HJT fix this inactive entry.

O20 - Winlogon Notify: winqhz32 - winqhz32.dll (file missing)

Other than the above, your HJT log is now clean.

The reason I asked you to fix the Pumatech Shared\LiveUpdate Client\PtLUWorker.exe entry is that it's not needed to run on startup. It can be run when required. However, it's up to you.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Hi Howard,

Just wanted to say that I've been using the machine for a couple of days now and the problem really does seem to have gone away.

Thanks very much indeed for all your help!

Mup.
 