Trojan Horse Downloader Removal

Status
Not open for further replies.

tino

Hey All,

I am having some major issues getting rid of trojans a friend kindly gave me. I got it through clicking on a link I was msg'd. AVG can find and remove it, but at reboot it always returns. See below for a listing of the trojans AVG finds. Can anyone help in getting rid of this for good?

Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 18:27:26 !update.exe
Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 17:08:44 !update.exe
Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 18:49:08 !update.exe
Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 07:49:27 !update.exe
Trojan horse Downloader.Agent.KEB G:\Documents and Settings\Franco Sorrentino\Desktop\wri.exe 17/04/2007 18:41:25 wri.exe
Trojan horse Downloader.Generic3.KML G:\WINDOWS\ICROSO~1.NET\rundll32.exe 17/04/2007 00:08:25 rundll32.exe

Many thanks in advance

Tino
 
Have you tried running the AVG root kit, and the other two AVG programs while in SAFE MODE?
 
Hi,

Important: Please read this thread HERE before you decide whether to clean or reformat your system.

Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
Do follow all the instructions exactly.

Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste; otherwise it will be ignored and/or removed by the moderators.
The logs will enable us to understand more about the problems on your system.


Regards,
Your friendly Momok =)
 
Hello and welcome to Techspot.

You'd do well to follow momok's advice and follow all the instructions in the links he gave you. Then, post all the requested logfiles.

Regards Howard :wave: :wave:

This thread is for the use of tino only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
All,

Thanks for all the info. I will have to carry out all of Momok's instructions tomorrow as I don't have time to do it tonight (work early tomoz). But I will make sure that I have everything installed etc. that I need so I can get cracking with it tomorrow. FYI: I did put my PC into SAFE Mode and AVG found more than the original trojans I posted. These were removed and the PC restarted. Once back into Windows, the trojans were still there.

Will post tomorrow with results.

Tino
 
Momok,

Cheers for the help. I have carried out all tasks up to using the 4 tools in step 10. The tests didn't find infected files where it said they would, so not sure what this means. I have attached the requested logs. One thing that did happen was that when I was in safe mode running the first tool, at the end of the test the PC crashed and I had to physically reset my PC. Should I run the 4 tests again?

Cheers

Tino
 
Hi,

Your system is badly infected with a trojan, a worm and some adware and spyware.

Do continue with the steps to obtain an AVG Antispyware log and a ComboFix log too.

You may wish to copy and paste these instructions on notepad for easier reference later.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Go to start > control panel > Add & Remove programs.
Remove anything related to Adtomi.

Go to start > run and type services.msc. Press the enter key.
Search for the following services (if there); double click each, select stop if it is running, and set the startup type to disabled. Click apply/ok for each service you disable.

updater.exe
nfomon.exe
vidmon.exe
whagent.exe
ipwins.exe
??plorer.exe
update.exe
command.exe


Open your task manager by holding ctrl and alt and pressing del. Alternatively, use ctrl + shift + esc. Go to the processes tab, and end the following processes, if found:

??plorer.exe
lsass.exe
uoscg.dll
updater.exe
nfomon.exe
vidmon.exe
whagent.exe
ipwins.exe
update.exe
command.exe


After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
F3 - REG:win.ini: load=G:\WINDOWS\system32\tfxabfbxvb\lsass.exe
F3 - REG:win.ini: run=G:\WINDOWS\system32\tfxabfbxvb\lsass.exe
O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC} - G:\WINDOWS\system32\uoscg.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [runner1] G:\WINDOWS\updater.exe 61A847B5BBF72811308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [Nfo] G:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] G:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [webHancer Agent] G:\Program Files\webHancer\Programs\whagent.exe
O4 - HKCU\..\Run: [IpWins] G:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [Cakt] "G:\Documents and Settings\Franco Sorrentino\My Documents\W?nSxS\??plorer.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282 (User 'Default user')
O4 - Startup: lsass.lnk = ?
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\RnJhbmNvIFNvcnJlbnRpbm8\command.exe (file missing)


Close HJT.

Navigate in Windows Explorer and delete the following files and folders in bold.

G:\WINDOWS\system32\tfxabfbxvb\
G:\WINDOWS\system32\uoscg.dll
G:\WINDOWS\updater.exe
G:\Documents and Settings\Franco Sorrentino\My Documents\W?nSxS\
G:\WINDOWS\system32\nfomon\
G:\WINDOWS\system32\vidmon\
G:\Program Files\webHancer\Programs\whagent.exe
G:\Program Files\Ipwindows\
G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\
G:\WINDOWS\RnJhbmNvIFNvcnJlbnRpbm8\

Reboot into normal mode and rehide your protected OS files.

Thereafter, please don't forget to post a fresh HJT, ComboFix and AVG Antispyware log from normal mode as an attachment into this thread.


Regards,
Your friendly Momok =)
 
Momok,

Seems to be one hurdle after another. I can't access Add/Remove Programs from Normal or Safe mode. It completely crashes my PC. I have uploaded a ComboFix and AVG AntiSpyware log FYI. I also checked the services you mentioned and the only one that was there was Command, which I couldn't disable in SAFE mode but I have done in Normal mode. Finally, upon checking processes in TM, the only one that was there was lsass.exe, which couldn't be ended in normal mode.

This install of Windows is about 2 months old, and whilst it's a hassle to do so, I am thinking of just wiping it and starting again? It seems that you're more than right when you say it's badly infected!!

Cheers,

Tino
 
Hi,

Please post the requested logs from normal mode. (HijackThis, AVG and ComboFix)
If you are considering reformatting the system, you may wish to read this thread HERE.

Download CCleaner from HERE.
It has a program uninstaller under the 'Tools' section. Try and see if you can find adtomi there and uninstall it.


Regards,
Your friendly Momok =)
 
Hi,

Please boot into safe mode like before and run HijackThis.
Place a tick beside this entry:
O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC} - G:\WINDOWS\system32\uoscg.dll (file missing)
Click on the 'Fix Checked' button.

Boot back into normal mode.
You can delete all files from the quarantined folder for the AVG Antispyware.
Apart from that, your logs look clean. However, I can only be fully sure when you have also posted your ComboFix log from normal mode. (I have asked you previously but you still have not done so.)

Also let me know if you experience any problems on your system now.


Regards,
Your friendly Momok =)
 
Momok,

I have removed entry O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC}, scanned and attached logs. (The AVG log is at the foot of the Combo Fix Log).

Cheers,

Tino
 
Hi,

You may wish to copy and paste these instructions on notepad for easier reference later.

Download the Pocket Killbox from HERE. Extract it but don't run it yet.

Boot into safe mode under your normal user name. See how HERE

Next turn on "Show all files and folders, including hidden and system". See how HERE

Navigate in Windows Explorer and delete the following files and folders in bold, if found.
G:\WINDOWS\system32\appmgmt
G:\WINDOWS\system32\tfxabfbxvb
G:\WINDOWS\ICROSO~1.NET\
G:\DOCUME~1\FRANCO~1\MYDOCU~1\WNSXS~1

Run the killbox program which you downloaded. When it loads, type the full path to the file you would like to delete in the field and check the "delete file on reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select no until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will now be deleted. (You can copy and paste the filepaths.)

G:\WINDOWS\system32\tmp.reg
G:\WINDOWS\system32\swxcacls.exe
G:\WINDOWS\system32\Process.exe
G:\WINDOWS\system32\dumphive.exe
G:\WINDOWS\system32\swsc.exe
G:\WINDOWS\system32\SrchSTS.exe
G:\WINDOWS\system32\swreg.exe
G:\WINDOWS\system32\msonpmon.dll
G:\WINDOWS\system32\Ctaa1.dat
G:\WINDOWS\system32\cddvdint.dll

Reboot into normal mode and rehide your protected OS files.

Thereafter, please post a fresh HJT and ComboFix log from normal mode as an attachment into this thread.


Regards,
Your friendly Momok =)
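As an added verification step that is not part of the thread (my own script, not Momok's or TechSpot's): the PowerShell below checks whether the autostart values, BHO, service and files named in Momok's two sets of removal instructions above are actually gone after cleanup. It assumes PowerShell is installed (a stock XP install did not ship it), that it runs from an administrator account, and that Windows lives on G: as in Tino's logs; it only reports, it deletes nothing.

```powershell
# Post-cleanup check for the persistence items listed in the HJT log and the two removal posts.
# Assumption: Windows is on G: (as in Tino's logs); change $Drive otherwise.
$Drive = 'G:'
$findings = @()

# O4 autostart values, keyed by the registry location HJT reported them under.
# HKEY_USERS paths use the Registry:: provider prefix because no HKU: drive exists by default.
$runChecks = @{
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('runner1', 'Nfo', 'vidmon', 'webHancer Agent')
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' = @('IpWins', 'Cakt')
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = @('{E0E0DFBC-0A4F-2057-0506-03041003002c}')
  'Registry::HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = @('{E0E0DFBC-0A4F-2057-0506-03041003002c}')
  'Registry::HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' = @('{E0E0DFBC-0A4F-2057-0506-03041003002c}')
  # The F3 "win.ini load=/run=" lines live under this key on NT-based Windows.
  'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' = @('load', 'run')
}
foreach ($key in $runChecks.Keys) {
  if (-not (Test-Path -Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($name in $runChecks[$key]) {
    $val = $props.$name
    if ($val) { $findings += "autostart still present: $key\$name = $val" }
  }
}

# O2 BHO registration and O23 service (cmdService) from the HJT log.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15E7A636-3281-4B26-AB4D-1AE33692FBEC}'
if (Test-Path -Path $bho) { $findings += "BHO registration still present: $bho" }
if (Get-Service -Name 'cmdService' -ErrorAction SilentlyContinue) { $findings += 'service cmdService is still registered' }

# Files and folders from both deletion lists. -LiteralPath keeps ~ and {} from being treated as patterns.
$paths = @(
  "$Drive\WINDOWS\system32\tfxabfbxvb", "$Drive\WINDOWS\system32\uoscg.dll",
  "$Drive\WINDOWS\updater.exe", "$Drive\WINDOWS\system32\nfomon",
  "$Drive\WINDOWS\system32\vidmon", "$Drive\Program Files\webHancer\Programs\whagent.exe",
  "$Drive\Program Files\Ipwindows", "$Drive\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}",
  "$Drive\WINDOWS\RnJhbmNvIFNvcnJlbnRpbm8", "$Drive\WINDOWS\system32\appmgmt",
  "$Drive\WINDOWS\ICROSO~1.NET", "$Drive\WINDOWS\system32\msonpmon.dll",
  "$Drive\WINDOWS\system32\cddvdint.dll", "$Drive\WINDOWS\system32\Ctaa1.dat"
)
foreach ($p in $paths) {
  if (Test-Path -LiteralPath $p) { $findings += "file/folder still present: $p" }
}

if ($findings.Count -eq 0) { 'No listed persistence items or files remain.' } else { $findings }
```

Anything it reports is a reason to repeat the relevant step and post fresh logs rather than assume the machine is clean; a clean report still does not replace the HJT and ComboFix logs Momok asked for.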
 
Hi,

Your logs look clean now.

Turn off system restore (XP/ME only). Learn how to do that HERE.

This will remove all the remaining nasties from your old restore points.
After that turn system restore back on.
This would have created a new safe and clean restore point for your system.

Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
May I recommend you to read this article.
This can help to prevent future infections.

Should you have any further problems, please post in this thread.


Regards,
Your friendly Momok =)
 
Momok,

When carrying out an Ad-aware scan there are a few entries remaining. I have attached an AVG, HJT and adaware log. Also, if I try to access Add/Remove Progs, the window opens, but as it is generating the list of installed s/w it freezes my PC. Could this be related to the infections I had?

Thanks,


Tino
 
Hi,

Your logs are definitely clean.

Those entries can be ignored. They are negligible, and the 3 cookies detected are the same as the AVG detections. The cookies are from techspot, and they are perfectly safe, so no worries.

With regards to your Add/Remove programs problem, does it freeze when you run it in safe mode? Does the list show eventually or do you have to reboot the system? I suspect this is not malware related.

Regards,
Your friendly Momok =)
 