Trojandownloader

By Frogshark40
Apr 14, 2008
Topic Status:
Not open for further replies.
  1. Like many others, I got the same thing. I went ahead and googled it and came across this site. I read Blind Dragon's posts in many threads and they all said to get Malwarebytes. I downloaded it, ran it and performed a complete scan. I had roughly 40 infected files :s. Personally, I don't know where to go from here now. I was trying to find the log in case it would prove helpful; I failed at finding it (I'm using Vista), but I did come across something very interesting.

    C:\Users\Travis, I looked down and I found a few .exe's. All below are .exe.
    Desktop\blackbird.jpg
    Desktop\EditorFKWP1.5.exe
    Desktop\EditorFKWP2.0.exe
    Desktop\filemanagerclient.exe
    Desktop\fkwp1.5.exe
    Desktop\fkwp2.0
    Desktop\fwebd
    Desktop\FWebdEditor
    Desktop\Trojan.Win32.BlackBird.exe

    The above in bold really caught my eye. Last night when I downloaded some files from Blind Dragon that I saw would be helpful, my desktop was fine. But when I turned it on my background was black, so I knew something happened.

    If there is anything else I need to do to help restore my computer, PLEASE help me.

    If I need the .txt from the scan, I need to know where to find it using Vista.

    Thank you very much in advance.

    /Edit, Someone in my chat told me to delete system 32, I don't really trust him or know him, but just asking for confirmation. :s
  2. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    I could really use a bit of help on what I can do. :[
  3. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    All of those indeed are part of this infection.

    MBAM log can be found
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    please attach it




    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt



    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  4. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    I went ahead and deleted them all because my friend told me to get rid of them =/.

    Here is the HJT log and the Malwarebytes log.

    I don't think Combofix is doing anything on my computer; a little window pops up (a loading bar) and when it's done it goes away and refreshes my desktop. A command window with a blue screen pops up soon after with some writing, but that's it.

    Also, my task manager is gone. -.-
  5. kritius

    kritius TechSpot Guru Posts: 2,087

    Download RatsCheddar.zip
    It contains a program written by Rathat, and it is a Policy Controller.
    Save and extract this program to the desktop.
    Once extracted, click on the RatsCheddar.exe file.
    Enable everything, then click Exit
    Reboot your Computer.

    : Download and Run DSS

    Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
    • Close all applications and windows.
    • Double-click on dss.exe to run it, and follow the prompts.
    • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
    • Attach the main.txt and the extra.txt in your reply.
  6. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    I really don't know how to properly thank kritius & Blind Dragon, I'm being very honest when I'm saying, This is the BEST community forums that I've EVER registered on.

    I'm glad that you use your knowledge to help others with problems. :)
  7. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    Also, when I ran RatsCheddar it would give a popup of 'Failed to set data for DisableTaskMgr'.

    It does it for all of the choices too. When I rebooted my computer the TM still wasn't there.

    Also, I downloaded COMODO Firewall Pro, and I'm really sick of all these popups I'm getting. I can't open or close a program, let alone go to a website, without something coming up wanting me to allow or block... Is there any way I can make it trust apps?

    I just opened up the program and I tried 2 system restores earlier and now I have 5,000 files waiting to be approved...
  8. kritius

    kritius TechSpot Guru Posts: 2,087

    I'll need to see a fresh DSS log after doing the system restore.
  9. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    I would love to provide you with a new DSS, but I tried to do system restore 4, 3 & 2 weeks back, and all of them failed. So the above DSS report would be the best to work by.
  10. kritius

    kritius TechSpot Guru Posts: 2,087

    Ah, misread that, I'll look over it later then.
  11. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    Bring
    Up
    My
    Post
    :[ What do I do next. :[
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Windows\userconfig9x.dll
      C:\Windows\system32\winlogonpc.exe
      C:\Windows\system32\mwin32.exe
      C:\Windows\system32\hoproxy.dll
      C:\Windows\FVProtect.exe
      C:\Windows\a.bat
      C:\Windows\system32\WINWGPX.EXE
      C:\Windows\system32\winsystem.exe
      C:\Windows\system32\vcatchpi.dll
      C:\Windows\system32\vbsys2.dll
      C:\Windows\system32\thun32.dll
      C:\Windows\system32\thun.dll
      C:\Windows\system32\temp#01.exe
      C:\Windows\system32\taack.exe
      C:\Windows\system32\taack.dat
      C:\Windows\system32\sysreq.exe
      C:\Windows\system32\ssvchost.exe
      C:\Windows\system32\ssvchost.com
      C:\Windows\system32\ssurf022.dll
      C:\Windows\system32\sncntr.exe
      C:\Windows\system32\Rundl1.exe
      C:\Windows\system32\regm64.dll
      C:\Windows\system32\regc64.dll
      C:\Windows\system32\psoft1.exe
      C:\Windows\system32\psof1.exe
      C:\Windows\system32\ps1.exe
      C:\Windows\system32\newsd32.exe
      C:\Windows\system32\netode.exe
      C:\Windows\system32\mtr2.exe
      C:\Windows\system32\msvchost.exe
      C:\Windows\system32\mssecu.exe
      C:\Windows\system32\msnbho.dll
      C:\Windows\system32\msgp.exe
      C:\Windows\system32\medup020.dll
      C:\Windows\system32\medup012.dll
      C:\Windows\system32\hxiwlgpm.exe
      C:\Windows\system32\hxiwlgpm.dat
      C:\Windows\system32\h@tkeysh@@k.dll
      C:\Windows\system32\emesx.dll
      C:\Windows\system32\dpcproxy.exe
      C:\Windows\system32\bsva-egihsg52.exe
      C:\Windows\system32\bdn.com
      C:\Windows\system32\awtoolb.dll
      C:\Windows\system32\anticipator.dll
      C:\Windows\system32\akttzn.exe
      C:\Users\All Users\hqzgtifc
      HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and attach that document back here in your next post.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete attach the log into your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.


    Fix entries using HiJackThis
    • Launch HiJackThis
    • Click the Do a system scan only button
    • Put a check next to the entries listed below
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {54CF4CA2-C46C-4B5C-8DC5-0C0D42ECD69E} - (no file)
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)

    • IMPORTANT: Do NOT click fix until you exit all browser sessions including the one you are reading in right now
    • Click the Fix checked button and close HiJackThis
    • Reboot HijackThis if necessary
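    The three things the OTMoveIt script and the HijackThis fix list above are after can be checked from a PowerShell prompt instead of by eye: the DisableTaskMgr policy value, browser add-ons whose DLL no longer exists (HijackThis's "(no file)" / "(file missing)" O2, O3 and O9 entries), and whether the moved files are really gone. The script below is an added example written for this page; it is not code from the thread, from OTMoveIt, RatsCheddar or HijackThis. It assumes an elevated prompt in the affected user's session (the HKCU hive it reads is the one of whoever runs it), it reads HKCR through the Registry:: provider, and the DisableRegistryTools value, the toolbar key and the quarantine count are extra checks not mentioned in the thread. Without -Remove it only reports; a subset of the thread's paths is included to keep the listing short.

```powershell
# Added example, not code from the thread or from any tool named in it.
# Post-cleanup triage: Task Manager lock-out policy, IE add-ons with a missing
# server DLL, and a check that the files OTMoveIt was asked to move are gone.
# Assumptions: run elevated in the affected user's session; -Remove deletes the
# policy values, otherwise the script only reports.
param([switch]$Remove)

# --- 1. Task Manager / regedit lock-out policies in both hives -------------
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
foreach ($key in $policyKeys) {
    # DisableRegistryTools is an extra check (assumption), not from the thread.
    foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            Write-Output "POLICY  $key\$name = $($prop.$name)"
            if ($Remove) {
                Remove-ItemProperty -Path $key -Name $name
                Write-Output "REMOVED $key\$name"
            }
        }
    }
}

# --- 2. IE add-ons whose server DLL is missing (HJT "(no file)" entries) ---
function Resolve-ClsidServer {
    param([string]$Clsid)
    # A COM in-process server is registered as the default value of
    # HKCR\CLSID\{...}\InprocServer32; HJT prints "(no file)" when it is absent.
    $srv = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
                            -ErrorAction SilentlyContinue
    if ($null -eq $srv -or -not $srv.'(default)') { return $null }
    return [Environment]::ExpandEnvironmentVariables($srv.'(default)').Trim('"')
}
function Show-Addon {
    param([string]$Kind, [string]$Clsid)
    $dll = Resolve-ClsidServer $Clsid
    if (-not $dll)                              { Write-Output "$Kind $Clsid -> (no file)" }
    elseif (-not (Test-Path -LiteralPath $dll)) { Write-Output "$Kind $Clsid -> $dll (file missing)" }
    else                                        { Write-Output "$Kind $Clsid -> $dll" }
}
# BHOs are subkeys named by CLSID; toolbars are values named by CLSID.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem -Path $bhoKey -ErrorAction SilentlyContinue |
    ForEach-Object { Show-Addon 'BHO    ' $_.PSChildName }
$tbKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
$tb = Get-Item -Path $tbKey -ErrorAction SilentlyContinue
if ($tb) {
    $tb.GetValueNames() | Where-Object { $_ -like '{*}' } |
        ForEach-Object { Show-Addon 'Toolbar' $_ }
}

# --- 3. Confirm the files from the OTMoveIt script are gone ----------------
# Subset of the paths quoted in the thread; extend the list as needed.
$expectedGone = @(
    'C:\Windows\userconfig9x.dll',
    'C:\Windows\FVProtect.exe',
    'C:\Windows\a.bat',
    'C:\Windows\system32\winlogonpc.exe',
    'C:\Windows\system32\ssvchost.exe',
    'C:\Windows\system32\ssvchost.com',
    'C:\Windows\system32\Rundl1.exe',
    'C:\Windows\system32\h@tkeysh@@k.dll',
    'C:\Windows\system32\msvchost.exe',
    'C:\Windows\system32\akttzn.exe',
    'C:\Users\All Users\hqzgtifc'
)
foreach ($p in $expectedGone) {
    if (Test-Path -LiteralPath $p) { Write-Output "STILL PRESENT: $p" }
}
# OTMoveIt quarantines under C:\_OTMoveIt\MovedFiles; keep it until the helper
# says the machine is clean, so a false positive can be restored.
$quarantine = 'C:\_OTMoveIt\MovedFiles'
if (Test-Path -LiteralPath $quarantine) {
    $n = @(Get-ChildItem -Path $quarantine -Recurse -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer }).Count
    Write-Output "Quarantine $quarantine holds $n file(s)"
}
```

    Run it once before the fix to see the policy value and the dangling add-ons, and again after the reboot: the POLICY line should be gone, no path should print STILL PRESENT, and Task Manager should open. Names like ssvchost.exe and msvchost.exe in the list are chosen to look like the legitimate svchost.exe, which is why a path check against the exact string, rather than a glance at Task Manager, is worth doing.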
  13. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    LoadLibrary failed for C:\Windows\userconfig9x.dll
    C:\Windows\userconfig9x.dll NOT unregistered.
    C:\Windows\userconfig9x.dll moved successfully.
    C:\Windows\system32\winlogonpc.exe moved successfully.
    C:\Windows\system32\mwin32.exe moved successfully.
    LoadLibrary failed for C:\Windows\system32\hoproxy.dll
    C:\Windows\system32\hoproxy.dll NOT unregistered.
    C:\Windows\system32\hoproxy.dll moved successfully.
    C:\Windows\FVProtect.exe moved successfully.
    C:\Windows\a.bat moved successfully.
    C:\Windows\system32\WINWGPX.EXE moved successfully.
    C:\Windows\system32\winsystem.exe moved successfully.
    LoadLibrary failed for C:\Windows\system32\vcatchpi.dll
    C:\Windows\system32\vcatchpi.dll NOT unregistered.
    C:\Windows\system32\vcatchpi.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\vbsys2.dll
    C:\Windows\system32\vbsys2.dll NOT unregistered.
    C:\Windows\system32\vbsys2.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\thun32.dll
    C:\Windows\system32\thun32.dll NOT unregistered.
    C:\Windows\system32\thun32.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\thun.dll
    C:\Windows\system32\thun.dll NOT unregistered.
    C:\Windows\system32\thun.dll moved successfully.
    C:\Windows\system32\temp#01.exe moved successfully.
    C:\Windows\system32\taack.exe moved successfully.
    C:\Windows\system32\taack.dat moved successfully.
    C:\Windows\system32\sysreq.exe moved successfully.
    C:\Windows\system32\ssvchost.exe moved successfully.
    C:\Windows\system32\ssvchost.com moved successfully.
    LoadLibrary failed for C:\Windows\system32\ssurf022.dll
    C:\Windows\system32\ssurf022.dll NOT unregistered.
    C:\Windows\system32\ssurf022.dll moved successfully.
    C:\Windows\system32\sncntr.exe moved successfully.
    C:\Windows\system32\Rundl1.exe moved successfully.
    LoadLibrary failed for C:\Windows\system32\regm64.dll
    C:\Windows\system32\regm64.dll NOT unregistered.
    C:\Windows\system32\regm64.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\regc64.dll
    C:\Windows\system32\regc64.dll NOT unregistered.
    C:\Windows\system32\regc64.dll moved successfully.
    C:\Windows\system32\psoft1.exe moved successfully.
    C:\Windows\system32\psof1.exe moved successfully.
    C:\Windows\system32\ps1.exe moved successfully.
    C:\Windows\system32\newsd32.exe moved successfully.
    C:\Windows\system32\netode.exe moved successfully.
    C:\Windows\system32\mtr2.exe moved successfully.
    C:\Windows\system32\msvchost.exe moved successfully.
    C:\Windows\system32\mssecu.exe moved successfully.
    LoadLibrary failed for C:\Windows\system32\msnbho.dll
    C:\Windows\system32\msnbho.dll NOT unregistered.
    C:\Windows\system32\msnbho.dll moved successfully.
    C:\Windows\system32\msgp.exe moved successfully.
    LoadLibrary failed for C:\Windows\system32\medup020.dll
    C:\Windows\system32\medup020.dll NOT unregistered.
    C:\Windows\system32\medup020.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\medup012.dll
    C:\Windows\system32\medup012.dll NOT unregistered.
    C:\Windows\system32\medup012.dll moved successfully.
    C:\Windows\system32\hxiwlgpm.exe moved successfully.
    C:\Windows\system32\hxiwlgpm.dat moved successfully.
    < C:\Windows\system32\h@tkeysh@@k.dll >
    LoadLibrary failed for C:\Windows\system32\h@tkeysh@@k.dll
    C:\Windows\system32\h@tkeysh@@k.dll NOT unregistered.
    C:\Windows\system32\h@tkeysh@@k.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\emesx.dll
    C:\Windows\system32\emesx.dll NOT unregistered.
    C:\Windows\system32\emesx.dll moved successfully.
    C:\Windows\system32\dpcproxy.exe moved successfully.
    C:\Windows\system32\bsva-egihsg52.exe moved successfully.
    C:\Windows\system32\bdn.com moved successfully.
    LoadLibrary failed for C:\Windows\system32\awtoolb.dll
    C:\Windows\system32\awtoolb.dll NOT unregistered.
    C:\Windows\system32\awtoolb.dll moved successfully.
    LoadLibrary failed for C:\Windows\system32\anticipator.dll
    C:\Windows\system32\anticipator.dll NOT unregistered.
    C:\Windows\system32\anticipator.dll moved successfully.
    C:\Windows\system32\akttzn.exe moved successfully.
    C:\Users\All Users\hqzgtifc moved successfully.
    < HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr >
    Registry value HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system\\DisableTaskMgr deleted successfully.
    File/Folder not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04192008_182538
     
  14. kritius

    kritius TechSpot Guru Posts: 2,087

    Ok, is your task manager working now?

    Post a fresh hijackThis log for me please.
  15. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    Ok, I ran HJT and did as you said.
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableTaskMgr=1
    wasn't listed in the list.

    I think I really messed up my computer. :[
  16. kritius

    kritius TechSpot Guru Posts: 2,087

    Is it running ok now though?

    I didn't expect it to still be present after the OTMoveIt script, but I had to be sure. Post a fresh HijackThis log for me.
  17. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    Alrighty, my Task manager is back up (YES!) Does this mean that the infection is gone? Got any recommended programs to prevent from this BS from happening again?
  18. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    Here is the HJT log that I just did.
  19. KUNZEE

    KUNZEE Newcomer, in training

    Trojanspyware!!!

    I am having all the same problems too. All of my icons keep going on and off the screen. I have the triangle in the lower right corner and the pop-up about spyware on my computer. I have run my Spy Sweeper and my Trend Micro and nothing has fixed it.
    What do I do now?
  20. kritius

    kritius TechSpot Guru Posts: 2,087

    KUNZEE please start your own thread.

    Frogshark40, your HJT log is clear. Let's see how things are looking.

    I would like you to do an online scan so that we can see what else may be in your system.
    Run Kaspersky online scanner
    With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
    Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
    Do not go surfing while your resident protection is disabled!
    Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


    Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      o Extended (If available, otherwise use standard)
      o Scan Options:
      o Scan Archives
      o Scan Mail Bases
    • Click OK
    • Under select a target to scan, select My Computer
    • The scan will take a while so be patient and let it run.
    • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As... button (see red arrow below)
      [screenshot of the Save Report As... button]
    • In the Save as... prompt, select Desktop
    • In the File name box, name the file
    • In the Save as type prompt, select Text file (see below)
      [screenshot of the Save as type prompt]
    • Include the report in your next post.
  21. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    That was a very long scan there.

    Here is your txt file as requested.
  22. kritius

    kritius TechSpot Guru Posts: 2,087

    C:\Users\Travis\Documents\LimeWire\Incomplete\Preview-T-3545425-purple heart goat.mp3<======Delete this file

    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    C:\Users\Travis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\<========Delete the contents of this folder
  23. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    Wow, I didn't think an mp3 could carry a virus.
    Should I delete the actual mp3 file as well as the preview? I have the mp3 on my iPhone; would that affect it in any way?

    C:\Users\Travis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\

    C:\Users\Travis\AppData\Local\Microsoft\Windows\;
    Files in the above;

    1033
    Burn
    Explorer
    GameExplorer
    WER
    UsrClass.dat
    UsrClass.dat.LOG1
    UsrClass.dat.LOG2
    WindowsUpdate.log


    /EDIT

    Although I'm finally fixing my computer up, my desktop background remains a horrendous black. When I right click, choose Personalize and get to where I'm able to choose my background, the images are white (you can't preview them), and if you double click one, the background stays black. I'm not all that worried about what my background looks like, but it really gets annoying seeing total black :[
  24. kritius

    kritius TechSpot Guru Posts: 2,087

    The background will hopefully be back by the time we're done.

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\Users\Travis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGR5WHHL
      C:\Users\Travis\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BNRV3882
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

    • Double-click OTMoveIt2.exe.
    • Click the CleanUp! button.
    • Select Yes when the "Begin cleanup Process?" prompt appears.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes, if not delete it by yourself.

    How is the computer running?
  25. Frogshark40

    Frogshark40 Newcomer, in training Topic Starter Posts: 49

    After running OT, the second time it removed a number of items from my desktop including DSS, OT, and a few others that I don't remember. The background remains black and the preview images are still blank.