TechSpot

Trojan Horse Downloader Removal

By tino
Apr 17, 2007
Topic Status:
Not open for further replies.
  1. Hey All,

    I am having some major issues getting rid of trojans a friend kindly gave me. I got it through clicking on a link I was messaged. AVG can find and remove it, but at reboot it always returns. See below for a listing of the trojans AVG finds. Can anyone help in getting rid of this for good?

    Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 18:27:26 !update.exe
    Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 17:08:44 !update.exe
    Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 18:49:08 !update.exe
    Trojan horse Downloader.Generic3.QFH G:\DOCUME~1\FRANCO~1\LOCALS~1\Temp\!update.exe 17/04/2007 07:49:27 !update.exe
    Trojan horse Downloader.Agent.KEB G:\Documents and Settings\Franco Sorrentino\Desktop\wri.exe 17/04/2007 18:41:25 wri.exe
    Trojan horse Downloader.Generic3.KML G:\WINDOWS\ICROSO~1.NET\rundll32.exe 17/04/2007 00:08:25 rundll32.exe

    Many thanks in advance

    Tino
  2. raybay

    raybay TS Evangelist Posts: 10,716   +6

    Have you tried running the AVG root kit, and the other two AVG programs while in SAFE MODE?
  3. Cyberbabe

    Cyberbabe TS Rookie Posts: 40

    Hi tino :)

    I got infected with zlob downloader and I used Trend Micro House Call (free scanner/remover), which worked for me, but do make a backup before you remove anything.

    Link > Trend Micro House Call
  4. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps to cleaning your computer.
    Do follow all the instructions exactly.

    Thereafter, please post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste them; otherwise they will be ignored and/or removed by the moderators.
    The logs will enable us to understand more about the problems on your system.


    Regards,
    Your friendly Momok =)
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    You'd do well to follow momok's advice and follow all the instructions in the links he gave you. Then, post all the requested logfiles.

    Regards Howard :wave: :wave:

    This thread is for the use of tino only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our Security and the Web forum.
  6. tino

    tino TS Rookie Topic Starter

    All,

    Thanks for all the info. I will have to carry out all of Momok's instructions tomorrow as I don't have time to do it tonight (work early tomorrow). But I will make sure that I have everything installed etc. that I need so I can get cracking with it tomorrow. FYI: I did put my PC into Safe Mode and AVG found more than the original trojans I posted. These were removed and the PC restarted; once back into Windows, the trojans were still there.

    Will post tomorrow with results.

    Tino
  7. tino

    tino TS Rookie Topic Starter

    Momok,

    Cheers for the help. I have carried out all tasks up to using the 4 tools in step 10. The tests didn't find infected files where it said they would, so not sure what this means. I have attached the requested logs. One thing that did happen was that when I was in safe mode running the first tool, at the end of the test the PC crashed and I had to physically reset my PC. Should I run the 4 tests again?

    Cheers

    Tino
  8. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your system is badly infected with a trojan, a worm and some adware and spyware.

    Do continue with the steps to obtain an AVG Antispyware log and a ComboFix log too.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Go to start > control panel > Add & Remove programs.
    Remove anything related to Adtomi.

    Go to start > run and type services.msc. Press the enter key.
    Search for the following services (if there); double-click each one and select Stop if it is running. Set the startup type to Disabled. Click Apply/OK for each service you disable.

    updater.exe
    nfomon.exe
    vidmon.exe
    whagent.exe
    ipwins.exe
    ??plorer.exe
    update.exe
    command.exe


    Open your Task Manager by holding Ctrl and Alt and pressing Del. Alternatively, use Ctrl + Shift + Esc. Go to the Processes tab, and end the following processes, if found:

    ??plorer.exe
    lsass.exe
    uoscg.dll
    updater.exe
    nfomon.exe
    vidmon.exe
    whagent.exe
    ipwins.exe
    update.exe
    command.exe


    After that, run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):
    F3 - REG:win.ini: load=G:\WINDOWS\system32\tfxabfbxvb\lsass.exe
    F3 - REG:win.ini: run=G:\WINDOWS\system32\tfxabfbxvb\lsass.exe
    O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC} - G:\WINDOWS\system32\uoscg.dll
    O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
    O4 - HKLM\..\Run: [runner1] G:\WINDOWS\updater.exe 61A847B5BBF72811308B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [Nfo] G:\WINDOWS\system32\nfomon\nfomon.exe
    O4 - HKLM\..\Run: [vidmon] G:\WINDOWS\system32\vidmon\vidmon.exe
    O4 - HKLM\..\Run: [webHancer Agent] G:\Program Files\webHancer\Programs\whagent.exe
    O4 - HKCU\..\Run: [IpWins] G:\Program Files\Ipwindows\ipwins.exe
    O4 - HKCU\..\Run: [Cakt] "G:\Documents and Settings\Franco Sorrentino\My Documents\W?nSxS\??plorer.exe"
    O4 - HKCU\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282
    O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282 (User 'Default user')
    O4 - Startup: lsass.lnk = ?
    O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\RnJhbmNvIFNvcnJlbnRpbm8\command.exe (file missing)


    Close HJT.

    Navigate in Windows Explorer and delete the following files and folders in bold.

    G:\WINDOWS\system32\tfxabfbxvb\
    G:\WINDOWS\system32\uoscg.dll
    G:\WINDOWS\updater.exe
    G:\Documents and Settings\Franco Sorrentino\My Documents\W?nSxS\
    G:\WINDOWS\system32\nfomon\
    G:\WINDOWS\system32\vidmon\
    G:\Program Files\webHancer\Programs\whagent.exe
    G:\Program Files\Ipwindows\
    G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\
    G:\WINDOWS\RnJhbmNvIFNvcnJlbnRpbm8\

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please don't forget to post a fresh HJT, ComboFix and AVG Antispyware log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
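An added example, not from this thread or from HijackThis itself: a small Python triage script that pulls the executable path out of HJT lines like the ones momok lists above and flags the patterns he fixed here (orphaned entries, the Policies\Explorer\Run key, a system-named binary such as lsass.exe living outside system32, and a directory whose name is base64 text). The sample lines are copied from the thread plus one constructed benign entry (ExampleAV) that must stay unflagged; the heuristics and thresholds are my own assumptions, not HJT's rules.

```python
import base64
import re

# Constructed sample: HJT lines quoted from the thread plus one made-up benign entry (ExampleAV).
SAMPLE_HJT = r"""
F3 - REG:win.ini: load=G:\WINDOWS\system32\tfxabfbxvb\lsass.exe
O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC} - G:\WINDOWS\system32\uoscg.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKCU\..\Policies\Explorer\Run: [{E0E0DFBC-0A4F-2057-0506-03041003002c}] "G:\Program Files\Common Files\{E0E0DFBC-0A4F-2057-0506-03041003002c}\Update.exe" te-110-12-0000282
O4 - HKLM\..\Run: [ExampleAV] G:\PROGRA~1\ExampleAV\guard.exe /startup
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\RnJhbmNvIFNvcnJlbnRpbm8\command.exe (file missing)
"""

# A quoted path (may contain spaces) or an unquoted one (ends at the first space).
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
# Binaries that belong in %SystemRoot%\system32 on XP; a copy anywhere else is a red flag.
SYSTEM_NAMES = {"lsass.exe", "rundll32.exe", "svchost.exe", "explorer.exe"}


def looks_base64_name(component: str):
    """Return the decoded text if a directory name is base64 of printable ASCII, else None."""
    if not re.fullmatch(r"[A-Za-z0-9+/]{16,}", component):  # assumed minimum length
        return None
    try:
        text = base64.b64decode(component + "=" * (-len(component) % 4)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def triage_entry(line: str) -> list:
    """Return the indicators found in one HJT line (empty list = nothing notable)."""
    flags = []
    if "(file missing)" in line or "(no file)" in line:
        flags.append("orphaned entry: target file is absent")
    if r"\Policies\Explorer\Run" in line:
        flags.append("Policies\\Explorer\\Run key (normally set only by Group Policy)")
    m = PATH_RE.search(line)
    if m:
        path = m.group(1) or m.group(2)
        parts = path.split("\\")
        name, parent = parts[-1].lower(), "\\".join(parts[:-1]).lower()
        if name in SYSTEM_NAMES and not parent.endswith(r"\windows\system32"):
            flags.append(f"{name} outside system32: {path}")
        for comp in parts[1:-1]:  # directory components only, never the drive or file
            decoded = looks_base64_name(comp)
            if decoded:
                flags.append(f"directory {comp!r} is base64 for {decoded!r}")
    return flags


def triage_log(text: str) -> dict:
    """Map each flagged HJT line to its indicators; clean lines are omitted."""
    return {ln: triage_entry(ln) for ln in text.strip().splitlines() if triage_entry(ln)}
```

Running triage_log(SAMPLE_HJT) flags four of the six lines and shows that the service directory name RnJhbmNvIFNvcnJlbnRpbm8 is simply the user's own name base64-encoded.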
  9. tino

    tino TS Rookie Topic Starter

    Momok,

    Seems to be one hurdle after another. I can't access Add/Remove Programs from Normal or Safe mode. It completely crashes my PC. I have uploaded a ComboFix and AVG AntiSpyware log FYI. I also checked the services you mentioned and the only one that was there was Command, which I couldn't disable in Safe mode but I have done in Normal mode. Finally, upon checking processes in TM the only one that was there was lsass.exe, which couldn't be ended in normal mode.

    This install of Windows is about 2 months old and, whilst it's a hassle to do so, I am thinking of just wiping it and starting again. It seems that you're more than right when you say it's badly infected!!

    Cheers,

    Tino
  10. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Please post the requested logs from normal mode. (HijackThis, AVG and ComboFix)
    If you are considering reformatting the system, you may wish to read this thread HERE.

    Download CCleaner from HERE.
    It has a program uninstaller under the 'Tools' section. Try and see if you can find Adtomi there and uninstall it.


    Regards,
    Your friendly Momok =)
  11. tino

    tino TS Rookie Topic Starter

    Momok,

    I have carried out further scans and attached the results.

    Cheers,

    Tino
     
  12. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Please boot into safe mode like before and run HijackThis.
    Place a tick beside this entry:
    O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC} - G:\WINDOWS\system32\uoscg.dll (file missing)
    Click on the 'Fix Checked' button.

    Boot back into normal mode.
    You can delete all files from the quarantined folder for the AVG Antispyware.
    Apart from that, your logs look clean. However, I can only be fully sure when you have also posted your ComboFix log from normal mode. (I have asked you previously but you still have not done so.)

    Also let me know if you experience any problems on your system now.


    Regards,
    Your friendly Momok =)
  13. tino

    tino TS Rookie Topic Starter

    Momok,

    I have removed entry O2 - BHO: (no name) - {15E7A636-3281-4B26-AB4D-1AE33692FBEC}, scanned and attached logs. (The AVG log is at the foot of the Combo Fix Log).

    Cheers,

    Tino
  14. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Download the Pocket Killbox from HERE. Extract it but don't run it yet.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Navigate in Windows Explorer and delete the following files and folders in bold, if found.
    G:\WINDOWS\system32\appmgmt
    G:\WINDOWS\system32\tfxabfbxvb
    G:\WINDOWS\ICROSO~1.NET\
    G:\DOCUME~1\FRANCO~1\MYDOCU~1\WNSXS~1

    Run the Killbox program which you downloaded. When it loads, type the full path to the file you would like to delete in the field and check the "Delete File on Reboot" button. Press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot; select No until you have finished inputting the files you want to delete, and only then allow it to reboot. Hopefully your files will then be deleted. (You can copy and paste the file paths.)

    G:\WINDOWS\system32\tmp.reg
    G:\WINDOWS\system32\swxcacls.exe
    G:\WINDOWS\system32\Process.exe
    G:\WINDOWS\system32\dumphive.exe
    G:\WINDOWS\system32\swsc.exe
    G:\WINDOWS\system32\SrchSTS.exe
    G:\WINDOWS\system32\swreg.exe
    G:\WINDOWS\system32\msonpmon.dll
    G:\WINDOWS\system32\Ctaa1.dat
    G:\WINDOWS\system32\cddvdint.dll

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post a fresh HJT and ComboFix log from normal mode as an attachment into this thread.


    Regards,
    Your friendly Momok =)
  15. tino

    tino TS Rookie Topic Starter

    Momok,

    Completed as requested and attached files.

    Cheers!!

    Tino
  16. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs look clean now.

    Turn off system restore (XP/ME only). Learn how to do that HERE.

    This will remove all the remaining nasties from your old restore points.
    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly Momok =)
  17. tino

    tino TS Rookie Topic Starter

    Momok,

    When carrying out an Ad-aware scan there are a few entries remaining. I have attached an AVG, HJT and Ad-aware log. Also, if I try to access Add/Remove Programs, the window opens but as it is generating the list of installed s/w it freezes my PC. Could this be related to the infections I had?

    Thanks,


    Tino
  18. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your logs are definitely clean.

    Those entries can be ignored. They are negligible, and the 3 cookies detected are the same as the AVG detections. The cookies are from techspot, and they are perfectly safe, so no worries.

    With regards to your Add/Remove programs problem, does it freeze when you run it in safe mode? Does the list show eventually or do you have to reboot the system? I suspect this is not malware related.

    Regards,
    Your friendly Momok =)