TechSpot

Trojan / HiJacking... i.e. ads and spaces in .exe filenames

By stylzz
Jan 9, 2010
  1. Hi, this is my first time posting. I would like to commend you on your efforts at preventing and curing malware and trojans infecting normal people's machines. I will appreciate any assistance/recommendations that you could give me in my matter.

    Soon after the first, I noticed that a few of my desktop shortcuts were missing icons. As I investigated I noticed that many of my programs were renamed with a space separating the filename from the file extension. For example, yahoomessenger.exe was renamed to yahoomessenger .exe. The original file's name still remained on my PC, but it was 40KB in size. This happened for many of my desktop's applications. After a few Google searches, I found a program called SDFix. After downloading this and running it from my OS in safe mode, it seemed to have "fixed" my problem. However, there are still a few applications that SDFix did not remedy. I am now getting various IE browsers opening up to ad sites.

    I am running Windows XP SP3. I have Symantec EndPoint Protection 11.0.4. I have completed the 8 step process but it did not resolve my problem with the renaming of the files. Also, deleting the 40Kb impostor and renaming the original file back to its original name does not fix this either. It would either change again in time, or after a reboot. I am attaching the requested files for your review.

    Thanks a million...

    Will E. Stylzz
     


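A defender-side check for the symptom described in the opening post (a program renamed to "name .exe" with a small impostor left at the original name), written here as an added example; it is not from the thread or from any tool mentioned in it. The 64 KB cut-off, the sample directory and its stand-in files are assumptions.

```python
import hashlib
import os
import tempfile

IMPOSTOR_MAX_BYTES = 64 * 1024  # the thread's stubs were 40 KB; assumed cut-off


def find_spaced_impostors(root):
    """Walk 'root' and report every pair where 'name .exe' (the renamed
    original) sits next to 'name.exe' (the file now occupying its name).
    Returns a list of dicts with both paths plus the size and SHA-1 of
    the file that took over the original name, for submission to a scanner."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for fname in files:
            stem, ext = os.path.splitext(fname)
            # only '...<space>.exe' names are of interest here
            if ext.lower() != ".exe" or not stem.endswith(" "):
                continue
            taken = stem.rstrip(" ") + ext
            if taken not in present:
                continue
            taken_path = os.path.join(dirpath, taken)
            with open(taken_path, "rb") as fh:
                data = fh.read()
            hits.append({
                "renamed_original": os.path.join(dirpath, fname),
                "impostor": taken_path,
                "impostor_size": len(data),
                "impostor_sha1": hashlib.sha1(data).hexdigest(),
                "small_stub": len(data) <= IMPOSTOR_MAX_BYTES,
            })
    return hits


def build_sample_tree():
    """Constructed sample: one renamed original next to a 40 KB stub,
    plus an untouched program that must not be reported."""
    root = tempfile.mkdtemp(prefix="spaced_exe_")
    with open(os.path.join(root, "yahoomessenger .exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 200000)  # stands in for the real program
    with open(os.path.join(root, "yahoomessenger.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * (40960 - 2))  # stand-in 40 KB stub
    with open(os.path.join(root, "notepad.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x90" * 5000)
    return root


if __name__ == "__main__":
    for hit in find_spaced_impostors(build_sample_tree()):
        print(hit)
```

Run it against the Desktop and Program Files trees; each reported SHA-1 can then be looked up at the online scanners the thread uses.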
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Where is your Hijackthis log?
     
  3. stylzz

    stylzz TS Rookie Topic Starter

    The only ones I found for Hijack was the fixes and checks files that I attached. It was in DocSet/all u/applic/spybot/logs directory... Is there another produced in some other location?
     
  4. stylzz

    stylzz TS Rookie Topic Starter

    I have a resident log... Not sure if this is what is needed or not...
     


  5. stylzz

    stylzz TS Rookie Topic Starter

    I may be using the wrong version of HJT... I will uninstall this version 1.6 and install 2.02 ... sorry for the confusion.
     
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    I don't know what OS you are using, but in XP, click on the Hijackthis icon, system scan only, save file. Note where this file is saved. Attach it here. In Vista or Windows 7, right-click, run as administrator, system scan only, save file. Note where the file is saved and attach it here.
     
  7. stylzz

    stylzz TS Rookie Topic Starter

    Ok... sorry about that, here is the HJT log...
     


  8. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Okay good work...

    You have some "suspicious" things in your Hijackthis log

    Run this Scanner

    Directions:
    Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    c:\windows\system32\userinit.exe

    Click on the Upload button
    If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    Paste the contents of the Clipboard in your next reply

    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe



    Leave the log from that scan in your next reply...
     
  9. stylzz

    stylzz TS Rookie Topic Starter

    Scan results are as follows:


    File Name : userinit.exe
    File Size : 26112 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : a93aee1928a9d7ce3e16d24ec7380f89
    SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853

    Scanner results : Scanners did not find malware!




    File Name : explorer.exe
    File Size : 1033728 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 12896823fb95bfb3dc9b46bcaedc9923
    SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f

    Scanner results : Scanners did not find malware!



    File Name : svchost.exe
    File Size : 14336 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
    SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667

    Scanner results : Scanners did not find malware!
     
  10. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  11. stylzz

    stylzz TS Rookie Topic Starter

    I used virus scan on one of the 40Kb files that I was referring to in the initial post that keeps reappearing. The results are not pretty:

    VirSCAN.org Scanned Report :
    Scanned time : 2010/01/09 22:36:24 (CET)
    Scanner results: 70% Scanner(s) (26/37) found malware!
    File Name : bjmyprt.exe
    File Size : 40960 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 721212e9dfca7efda22cceeda36628ef
    SHA1 : ac0f3f19e0ed5efdb84e30ddabea586265efff12
    Online report : http://virscan.org/report/3e961eef74b1dadc4d7a41da0159c22a.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100109234514 2010-01-09 4.59 Trojan.Win32.Cosmu!IK
    AhnLab V3 2010.01.09.02 2010.01.09 2010-01-09 1.43 -
    AntiVir 8.2.1.134 7.10.2.151 2010-01-08 0.20 TR/Cosmu.joh
    Antiy 2.0.18 20100108.3621411 2010-01-08 0.12 Trojan/Win32.Cosmu.joh
    Arcavir 2009 201001081341 2010-01-08 0.05 Trojan.Cosmu.Joh
    Authentium 5.1.1 201001091522 2010-01-09 1.31 -
    AVAST! 4.7.4 100109-0 2010-01-09 0.01 Win32:Trojan-gen
    AVG 8.5.288 270.14.132/2610 2010-01-10 0.31 Generic16.WTC
    BitDefender 7.81008.4847999 7.29802 2010-01-10 4.20 Trojan.Generic.2952460
    CA (VET) 35.1.0 7225 2010-01-07 8.67 -
    ClamAV 0.95.2 10275 2010-01-09 0.01 -
    Comodo 3.13.579 3409 2010-01-09 1.13 TrojWare.Win32.TrojanSpy.BZub.~IP
    CP Secure 1.3.0.5 2010.01.09 2010-01-09 0.06 Troj.W32.Cosmu.joh
    Dr.Web 4.44.0.9170 2010.01.09 2010-01-09 8.41 Trojan.Siggen.43038
    F-Prot 4.4.4.56 20100109 2010-01-09 1.52 -
    F-Secure 7.02.73807 2010.01.09.04 2010-01-09 0.12 Trojan.Win32.Cosmu.joh [AVP]
    Fortinet 11.354- 11.354 2010-01-09 0.25 W32/Cosmu.JOH!tr
    GData 19.9871/19.667 20100109 2010-01-09 6.04 Trojan.Win32.Cosmu.joh [Engine:A]
    ViRobot 20100108 2010.01.08 2010-01-08 0.46 -
    Ikarus T3.1.01.80 2010.01.09.74929 2010-01-09 4.29 Trojan.Win32.Cosmu
    JiangMin 13.0.900 2010.01.09 2010-01-09 15.37 Trojan/Cosmu.to
    Kaspersky 5.5.10 2010.01.09 2010-01-09 0.07 Trojan.Win32.Cosmu.joh
    KingSoft 2009.2.5.15 2010.1.9.22 2010-01-09 0.54 Win32.Troj.Generic.40960
    McAfee 5.3.00 5856 2010-01-09 4.02 Generic Downloader.x!cks
    Microsoft 1.5302 2010.01.09 2010-01-09 9.61 TrojanDownloader:Win32/Unruy.C
    Norman 6.01.09 6.01.00 2010-01-09 4.01 -
    Panda 9.05.01 2010.01.09 2010-01-09 10.59 -
    Trend Micro 9.120-1004 6.758.06 2010-01-09 0.02 TROJ_COSMU.BE
    Quick Heal 10.00 2010.01.09 2010-01-09 1.29 Trojan.Cosmu.joh
    Rising 20.0 22.29.05.04 2010-01-09 0.44 Trojan.Win32.Generic.51F5A81A
    Sophos 3.03.0 4.49 2010-01-10 2.94 Troj/Dloadr-CXZ
    Sunbelt 3.9.2389.2 5608 2010-01-08 4.41 Trojan-Downloader.Win32.Unruy.C (v)
    Symantec 1.3.0.24 20100102.020 2010-01-02 0.26 -
    nProtect 20100109.01 6831766 2010-01-09 6.00 -
    The Hacker 6.5.0.3 v00144 2010-01-09 1.09 Trojan/Cosmu.jog
    VBA32 3.12.12.1 20100108.2153 2010-01-08 2.34 Trojan.Win32.Cosmu.joh
    VirusBuster 4.5.11.10 10.118.26/2005119 2010-01-10 2.54 -
     
  12. stylzz

    stylzz TS Rookie Topic Starter

    Do I use the default for eset?
     
  13. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Yes use the default
     
  14. stylzz

    stylzz TS Rookie Topic Starter

    It looks like this is going to take a while... It is 11:00 PM here, I probably will not post results until tomorrow morning when I wake up...
     
  15. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Ok no problem, it's 3:06 pm here...
     
  16. stylzz

    stylzz TS Rookie Topic Starter

    It has been on 6% for the past 25 minutes... so far it detected Win32/Bagle.gen.zip worm. I will have to look that one up...
     
  17. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Well at least we are making some progress. Good luck
     
  18. stylzz

    stylzz TS Rookie Topic Starter

    Progress is always good ... even if it feels like you are going backwards :)

    After the ESet Scan is completed, I am assuming that I will allow it to repair, or it will repair the findings, correct?
     
  19. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Yes ESET will correct the findings, and it will also give us further clues on what to do next, if necessary
     
  20. stylzz

    stylzz TS Rookie Topic Starter

    almost 16 hours... and at 99%
     
  21. stylzz

    stylzz TS Rookie Topic Starter

    This is what ESET found. Quite a bit of nasty stuff. All of the "TrojanDownloader.Unruy.AY" were the 40Kb files that I mentioned in the first post. Unfortunately, Symantec only sees it as malicious depending on the name of the file that is found in the technical details tab on this link. Now that this has completed, should I reboot and see if they come back?
     


  22. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  23. stylzz

    stylzz TS Rookie Topic Starter

    TFC forced a reboot to permanently remove files, turned system restore back on. At boot, versioncuecs3.exe just sits on the screen. It has not done that before. Also, I lost my XP style task bar, I only have the classic to choose from in the appearance tab of display properties. Everything else seems to be running normally. I may disable the versioncue as I do not need it running. I used to have several versions of Adobe / Macromedia products installed. That is all that it would have been beneficial for.
     
Topic Status:
Not open for further replies.
