TechSpot

Trojan horse downloader.generic2.mux

By rf6647
Mar 2, 2007
Topic Status:
Not open for further replies.
  1. This computer sees this virus (generic2.mux) about once a week. I followed the 11 steps of the Virus/Spyware/Malware Preliminary Removal Instructions the best I could. Presently, I feel that this computer is squeaky clean.

    I would appreciate it if you can confirm my feelings about this.

    Background:
    AVG7.5 repeatedly cited & cleaned !update.exe as the infected file. In all the cleaning, I did not see anything resembling this. Spybot S&D removed 4 threats. RegistrySmart removed 2 threats. AVG Anti-spyware removed 3 threats.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Download the Pocket Killbox programme from HERE. Extract it but don't run it yet.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each entry (if there).

    R3 - URLSearchHook: (no name) - {43328640-3EA2-5635-A4DF-6143B566F695} - (no file)

    O2 - BHO: (no name) - {175C197A-AB90-CD50-C3DD-F18AD9A7FAC1} - (no file)

    O2 - BHO: (no name) - {43328640-3EA2-5635-A4DF-6143B566F695} - (no file)

    O2 - BHO: (no name) - {445C492D-FC90-C456-98DD-F18AD9A7FAC0} - (no file)

    O2 - BHO: (no name) - {445D4A20-FA90-C750-98DD-F18AD9A0AB9E} - (no file)

    O2 - BHO: (no name) - {76C6D6CC-6D73-06E0-73E3-678349DA969E} - (no file)

    O2 - BHO: (no name) - {AAB54AA3-A44D-C8D8-4B84-F45A643C12CE} - (no file)

    O2 - BHO: (no name) - {AE281C68-F882-CE1A-879A-A50FA19748C3} - (no file)

    O2 - BHO: (no name) - {AEE64BA6-A718-C0DC-4D84-F45A643B16CE} - (no file)

    O2 - BHO: (no name) - {B5AE5214-BCFE-8233-A0DD-E4CB2D9F5191} - (no file)

    O2 - BHO: (no name) - {BCF2521E-BDF7-D660-F1DD-E4CB2D9F5AC0} - (no file)

    O2 - BHO: (no name) - {C8100235-BB86-DB41-D42F-BB3EC2202797} - (no file)

    O2 - BHO: (no name) - {C84C90F9-7742-4088-4580-74E29F737491} - (no file)

    O2 - BHO: (no name) - {CC095F47-EBF0-D739-A388-E13B82052596} - (no file)

    O2 - BHO: (no name) - {CE5A0C1B-E9F6-D73C-A388-E13B820220CC} - (no file)

    O2 - BHO: (no name) - {CF095D48-E7F0-836D-AD88-E13B82057691} - (no file)

    O2 - BHO: (no name) - {CF0E0B4B-EDA7-D76F-A788-E13B820575C6} - (no file)

    O2 - BHO: (no name) - {D4A9E9F4-5218-3EDC-4775-5EF07ECA3D95} - (no file)

    O2 - BHO: (no name) - {FCE21EA1-F61B-C08F-1884-F45A643B11C1} - (no file)

    O2 - BHO: (no name) - {FEB31BA1-A21A-9A8F-1C84-F45A643B1AC3} - (no file)

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab

    O20 - AppInit_DLLs: c:\windows\system32\wuauclt.dll wucrtupd.dll c:\windows\system32\wucrtupd.dll c:\windows\system32\lsass.dll arpa.dll

    Click on the fix checked button.

    Close HJT.

    Run the killbox.exe file. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. If your computer doesn't automatically restart, restart it manually.

    These are the filepaths you need to enter into killbox.

    c:\windows\system32\wucrtupd.dll
    c:\windows\system32\lsass.dll
    c:\windows\system32\arpa.dll

    Once your system has rebooted, rehide your protected OS files.

    Post a fresh HJT log and let me know how your system is running.

    Regards Howard :)

    This thread is for the use of rf6647 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    cleaner now

    Thank you for the additional help. Log is attached.
    This is a friend's computer. Chronic virus was the first complaint. Next complaint is the long boot time, with long duration dark screen before the 'welcome' display (a candidate new thread).
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is now clean.

    Delete all files in AVG Antispyware quarantine.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

    Run the programme and click "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path".
    * Select the Rootkit Driver by placing a checkmark against it and click "Remove selected items." Next, agree to the terms and conditions that are displayed by AVG and click "OK" to reboot the PC. Reconnect to the net.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Let me know the results of the above scans and how the system is running.

    Regards Howard :)

    This thread is for the use of rf6647 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    Rootkits - Not Found

    Neither program detected any rootkit attacks.
    The computer still suffers about a 20-second black screen before the display of the screen "Windows is Starting". Owner feels that this is about normal. However IE7 is the actual complaint about slowness.

    Recent actions:
    Defrag C: - no change
    Followed instructions in last reply - no change
    Increased RAM to 512 MB - no change

    Other findings:
    Windows Explorer of C:\windows\ displays duplicate names for system32 and for winsxs folders (not designated a copy).

    A CMD window is used to enter 'dir c:\windows'. The extra copies of the 2 folders have the '?' character embedded.

    Computer Management tool and Spybot S&D complained of missing 'framedyn.dll'. Copying file from another computer led to discovering the duplicate folders in system32.

    Contemplated action:
    Use RESTORE CD from manufacturer on a bare drive. Observe changes. Gateway manufactured 12/01. I believe that this load predates XP SP1. I believe there is no way to get to SP2 in this case. This may prove nothing.

    Is the real answer that IE7 is not suited for this machine? Is there a magic way to revert to IE6?

    Forgive my rambling. I will appreciate any direction you care to give.
     
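The duplicate "system32" and "winsxs" folders described above, which Explorer shows under the familiar name while `dir` prints a '?' for a character the console cannot render, are a classic case of a name that differs from the real one only by a character the user cannot see. The following is an added example, not code from the thread or from any of the tools mentioned in it: it folds every name in a directory listing down to what a person actually perceives (NFKC normalisation, removal of control/format/unassigned code points, case folding, and stripping of the trailing dots and spaces that Win32 silently drops) and reports any names that collapse onto the same folded form. The sample names, including the zero-width space and soft hyphen, are constructed for the demonstration.

```python
import os
import unicodedata
from collections import defaultdict

# Unicode general categories that contribute nothing visible: controls (Cc),
# format characters such as ZERO WIDTH SPACE and SOFT HYPHEN (Cf), private
# use (Co) and unassigned code points (Cn). A console in a legacy code page
# falls back to '?' for most of them, which matches the symptom in the thread.
INVISIBLE = {"Cc", "Cf", "Co", "Cn"}


def fold_name(name):
    """Reduce a file name to the form a user perceives in Explorer."""
    nfkc = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in nfkc if unicodedata.category(ch) not in INVISIBLE)
    # Win32 strips trailing dots and spaces on ordinary opens, so
    # "system32 " and "system32." are displayed like the real directory.
    return visible.casefold().rstrip(" .")


def odd_code_points(name):
    """Code points outside printable ASCII, for the analyst's report."""
    return ["U+%04X" % ord(ch) for ch in name if not 0x20 <= ord(ch) < 0x7F]


def find_lookalikes(names):
    """Group names by folded form; return only groups with more than one
    distinct original spelling. Two such names cannot differ by case alone
    on NTFS, so a hit means hidden or compatibility characters."""
    groups = defaultdict(list)
    for n in names:
        groups[fold_name(n)].append(n)
    return {k: sorted(v) for k, v in groups.items() if len(set(v)) > 1}


def scan_directory(path):
    """Run the check against a real directory, e.g. r'C:\\Windows'."""
    return find_lookalikes(os.listdir(path))


# Constructed sample listing: two decoys for system32 (trailing space and a
# zero-width space) and one for winsxs (soft hyphen inside the name).
SAMPLE_NAMES = [
    "addins", "system32", "system32 ", "system32\u200b",
    "winsxs", "win\u00adsxs", "Fonts",
]

if __name__ == "__main__":
    for folded, originals in find_lookalikes(SAMPLE_NAMES).items():
        print("lookalike set for %r:" % folded)
        for o in originals:
            print("   %r  odd code points: %s" % (o, odd_code_points(o) or "none"))
```

Run `scan_directory(r"C:\Windows")` on the suspect machine; anything it reports is a name that is not what it appears to be, and the `odd_code_points` output gives the exact characters to quote in a `\\?\` path when deleting it.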
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Uninstall IE7 from Add/Remove Programmes. This should roll back to the previous version of IE.

    Also, download Firefox and see if you have the same problem.

    Regards Howard :)
     
  7. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    IE6 restored, it's an improvement

    I did not have sufficient experience with IE7 to tune the Google toolbar. So IE6 seems better.
    A bigger improvement with the restart time was achieved by copying the OS (XP-sp2) back to the hard drive. Boot up time is now 50 seconds; before it was 90 seconds.
    Chkdsk on this drive shows 12MB in bad sectors. Presently, I am trying to overcome this corruption that is partly due to hardware and partly the after effects of viruses. Lost files/folders in windows\system32\wbem is more than the 12MB due to hardware alone. I have opened a new thread for this @ topic71769.html .
     
  8. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    ComboFix saved the day! Woo! Woo!

    ComboFix has quarantined "Purity". How do I delete this booger for good?
    Logs are attached for your review and further directions.

    Background:
    AVG 7.5 antivirus detects new infection from Worm.vb.aug.
    Re-run HouseCall - detects 2 threats. Coupons & Funweb Products.
    Followed the 13-step Removal Procedure.

    Comments: After removing all tools from the first clean up, the final steps were to run the installed anti-virus and anti-spy programs. It was a shock!

    How about another wrinkle. Adware Alerter is an installed program which I do not like. This ran when I selected it, instead of the AdAware (Lavasoft). I took no action against its 1 threat that sounds familiar to a threat "cleaned" by HouseCall. It complained about a BHO, toolbar for coupons.
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    Delete all folders/files in Combofix quarantine.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of rf6647 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    another bug is biting me

    Two suspicious findings may be related (or not). Event Viewer > security log shows many ports have been given exceptions to the firewall. Norton's NPROTECT directory contains system/hidden files going back 2 years and apparently not touched by the "empty protected" command. As recently as yesterday, files were added to NPROTECT. Using these files as a sample, a log file appeared to reverse a Windows security update by recovering files from the $ntuninstall$ folder.

    Some other observations. Combofix did not give me a prompt to start the fix, so I chose not to use the fix button. Combofix confirms the secret/hidden folder & files in NPROTECT as reported by AVG antiroot kit. AVG antispyware was ruthless, since it kept complaining about an infection in smitfraud.exe (Tool 1). AVG antispyware found "trojan.agent.rw".

    Combofix detected a hidden process. Will HJT identify the offending program?
    Rapport.txt (smitfraud.exe) results are confusing. I choose to ignore the results.

    Your analysis will be appreciated.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end the process for (if there):

    regscan.exe

    Close task manager.

    Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

    O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - (no file)

    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe

    O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab

    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?

    O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab

    O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following files and/or directories (if there).

    C:\WINDOWS\system32\regscan.exe
    C:\WINDOWS\cpbrkpie.ocx

    Reboot into normal mode and rehide your protected OS files.

    Go HERE and follow the instructions on how to empty the Norton protected recycle bin.

    Then, go HERE and follow the instructions in step9 for running the Ccleaner programme.

    Finally, post a fresh HJT log after doing the above.

    Regards Howard :)

    This thread is for the use of rf6647 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
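Both of Howard's HJT fix lists in this thread (the one in reply 2 with the R3/O2 "(no file)" entries and the AppInit_DLLs line, and the one in reply 11 with the O4 Run entry and the O16 ActiveX downloads) follow the same triage logic: a URLSearchHook or BHO registration with no file behind it is an orphan to remove, every DLL in AppInit_DLLs gets loaded into each process that maps user32.dll and so deserves a look, and anything named after a Windows executable but shipped as a .dll is suspect (the genuine wuauclt and lsass are .exe files). The following is an added example of that triage as code; it is not part of the thread and not a HijackThis feature. The sample log is assembled from the entries quoted in the two replies plus one constructed O2 line with a real file path, included to show that such entries are not flagged. The list of impersonated executable names is an assumption of the example, not something the thread states.

```python
import re
from collections import Counter

# Windows executables whose names malware borrows. A file with one of these
# stems but a .dll extension is not a normal system component.
# (Assumed list for this example; extend it for your own environment.)
IMPERSONATED_STEMS = {
    "wuauclt", "lsass", "svchost", "winlogon", "csrss", "services", "smss", "explorer",
}

ENTRY_RE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HOST_RE = re.compile(r"https?://(?P<host>[^/\s]+)")


def split_appinit(value):
    """AppInit_DLLs is a space- or comma-separated list. Bare names are
    resolved through the loader search path, so the entry alone does not
    say which file actually gets mapped."""
    return [p for p in re.split(r"[\s,]+", value.strip()) if p]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def classify_dll(name):
    stem, _, ext = basename(name).lower().rpartition(".")
    if ext == "dll" and stem in IMPERSONATED_STEMS:
        return "impersonates Windows executable %s.exe" % stem
    if "\\" not in name:
        return "bare name, resolved via loader search path"
    return "review"


def triage(log_text):
    """Return a list of findings, one dict per item worth an analyst's time."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R3", "O2") and body.endswith("(no file)"):
            # Registration survives, binary is gone: safe to remove.
            clsid = CLSID_RE.search(body)
            findings.append({"kind": "orphan", "section": sec,
                             "detail": clsid.group(0) if clsid else body})
        elif sec == "O4":
            run = RUN_RE.match(body)
            if run:
                findings.append({"kind": "autorun", "section": sec,
                                 "detail": "%s [%s] -> %s" % (
                                     run.group("key"), run.group("name"),
                                     basename(run.group("cmd")))})
        elif sec == "O16":
            # Downloaded Program Files: ActiveX controls IE fetched and registered.
            clsid, host = CLSID_RE.search(body), HOST_RE.search(body)
            findings.append({"kind": "activex", "section": sec,
                             "detail": "%s from %s" % (
                                 clsid.group(0) if clsid else "?",
                                 host.group("host") if host else "?")})
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            for dll in split_appinit(body.split(":", 1)[1]):
                findings.append({"kind": "appinit", "section": sec,
                                 "detail": dll, "note": classify_dll(dll)})
    return findings


def summarize(findings):
    return Counter(f["kind"] for f in findings)


# Sample log: entries quoted in the thread plus one constructed O2 line
# (the Java SSV helper) that points at an existing file and must not be flagged.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {43328640-3EA2-5635-A4DF-6143B566F695} - (no file)
O2 - BHO: (no name) - {175C197A-AB90-CD50-C3DD-F18AD9A7FAC1} - (no file)
O2 - BHO: (no name) - {43328640-3EA2-5635-A4DF-6143B566F695} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\system32\regscan.exe
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp.coupons.com/r3302/Coupons.cab
O16 - DPF: {A526A2C7-723E-4081-BF70-A7A9913E8C4A} (LogData Class) - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O20 - AppInit_DLLs: c:\windows\system32\wuauclt.dll wucrtupd.dll c:\windows\system32\wucrtupd.dll c:\windows\system32\lsass.dll arpa.dll
"""

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("%-8s %-4s %s %s" % (f["kind"], f["section"], f["detail"], f.get("note", "")))
    print(dict(summarize(results)))
```

Paste a full HJT log into `triage()` and work down the output: orphans are removed outright, AppInit_DLLs entries marked as impersonating a Windows executable go to the delete-on-reboot list, and autoruns and ActiveX hosts are checked by hand before anything is touched. Note that the O16 entry for Coupons.cab is served from an Akamai host, not coupons.com itself, which is why the example reports the host that actually delivered the control.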
     
     
  12. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    I confess that I experimented with 'msconfig' to observe its effect on HJT. I could not tune out the appearance of 'wuauclt.exe' in the copy being posted for review.

    Norton/Symantec granted access to Live Update for purposes of obtaining security fixes. It made working with NPROTECT more logical. However, 9 files are listed as output from 'dir'. Using the 'del' command declares that these files do not exist. Go figure. The 9 files appear to be fragments from spreadsheets that were deleted in that timeframe. I will live with this.

    Regards,
    Richard
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Your HJT log is clean.

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of rf6647 only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  14. rf6647

    rf6647 TS Maniac Topic Starter Posts: 931

    Invisible Icon on the system tray

    The results so far are not indicating a nasty invasion, but only an expert review will truly set things right.

    The most notable symptom was an invisible icon on the system tray. An empty text balloon appeared over this space. Clicking on the balloon caused it to disappear, and the gap closed on the system tray.

    Execution for the ‘chkdsk /f’ on the C: drive appears much slower than what I consider normal. Stage 2 progress reports seem to be significantly delayed.

    The Window Explorer window expands to full window when the vertical slider is touched with the mouse pointer.

    Previous to this, a System Restore was used to fix a “corrupted Windows”. Then SFC /scannow remedied another problem – 2 other icons that were missing from the system tray, now appear.

    AVG AntiSpyware did not create a log to report a trace for an adware agent appearing in a restore point . Panda Antirootkit found no infections.

    Your analysis is appreciated.
     