Help with Trojandownloader.xs

Status
Not open for further replies.

anm147

Very new to all of this, but I have followed the previous steps and ran HijackThis and Malwarebytes. I am unable to run ComboFix; it pops up the blue box and then, when I try to enter the 1, it closes up completely. Also, when clicking Remove All in Malwarebytes I was prompted that some could not be deleted and the computer would need to be restarted to delete them.

I, like many other people, managed to infect my system with some nasty spyware. Detailed below are the ones causing problems:

1)TrojanDownloader.XS.

It is a white and blue window that says 'Security System Warning'.

2)
A red box mentioning something like:

Alert Details
File: C:\WINDOWS\wml.exe

Threat: Abebot

3) Warning: Your computer may have critical errors in Windows registry and file system!

and 4) A yellow triangle with an exclamation mark in the bottom right corner where the clock is located. It's constantly prompting me that there is spyware infecting my system and directing me to a website to download some spyware remover.

Along with many other issues, such as taking me directly to a page for buying spyware removal. I have tried several things such as ad-ware and no such luck.

If someone could please help me fix this problem I would greatly appreciate it.

I am running on Windows XP
 
OK. First of all, only use Internet Explorer if you absolutely have to. Here are two more secure browsers to choose from:
1)Firefox -> http://www.mozilla.com/en-US/firefox/
2)Opera -> http://www.opera.com/

Update your Java Runtime Environment
  • First try going to Start -> Control Panel -> double click Java
  • Select the Update Tab at the top of the Java console
  • Click the Check for Updates button at the bottom
  • If it finds a newer version (Java 6 Update 5), follow the on-screen instructions
  • After it installs the newest version, go back to Control Panel -> Add/Remove Programs
  • Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions:
  • Click the following link
    Java Runtime Environment 6 Update 5
  • The 4th option down is the one you want (click Download)
  • Check the box to agree to terms of service
  • Check the box for your operating system and click 'Download selected' at the bottom
  • After the install, go to Start -> Control Panel -> Add/Remove Programs (Programs and Features), and uninstall any old versions
  • Navigate to C:\Program Files\Java -> delete any subfolders except the jre1.6.0_05 folder

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here

Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution: do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt
 
After the scans

Ok, here are the new scans. I followed all of the steps, from the Java to SDFix to ComboFix. I still have the pop-ups, and Internet Explorer keeps opening on its own even though I was using Firefox. Thanks for the help.
 
Hi Andrea, just had a look at your posts and your reports there. I see you have been downloading games and things from Zango; that is where your problems are coming from.
If you go to Control Panel, look through the list and uninstall anything from Zango. Also look for programmes with "ad" or "spam remover" etc. in their title. If you are unsure what to download, take a pic of your programmes in the Control Panel and post it on here. Also remember to run your spyware scans again; McAfee etc. are all good, but if you have accepted a programme which is downloading this then it will not necessarily pick up on it. We have all done it at some point and it is not the end of the world, so I would not worry about it.
Post back if you found anything in your installed programmes; if you are unsure of anything, do not remove it but ask about it on here.
David
 
Thanks, I will try that... however, the odd part is that I have never been to Zango and don't download stuff... unless it came from something on Facebook, I have no idea. Thanks for the help.
 
One more, then we can go to work.

Download/install 'SuperAntiSpyware Home Edition Free Version' from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Once the updates have been installed, exit SuperAntiSpyware.

Scan with SuperAntiSpyware
  • Start SuperAntiSpyware.
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.

    It's possible that the program will ask you to reboot in order to delete some files.

    Obtain the SuperAntiSpyware log as follows:
    Click on 'Preferences'.
    Click on the 'Statistics/Logs' tab.
    Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
    It will then open in your default text editor, such as Notepad.
    Attach the Notepad file here in your next reply.
 
Try downloading and running AVG Anti-Spyware 7.5. It is free, or you can download the full version on a 30-day trial for free as well. This will remove the Zlob downloader (the one that is coming through or as Zango for you).

Also, when you are running your virus scans and any anti-spy scans, remember to do so in Safe Mode and try not to access the net at the same time. When your scans have run, and if everything is cleared (check with a couple of different anti-spy programs etc.), set a new clean restore point for yourself to go back to.
 
damusca said:
Try downloading and running AVG Anti-Spyware 7.5. It is free, or you can download the full version on a 30-day trial for free as well.

The thread starter has the full McAfee protection already installed, and though I am not a fan of McAfee, we do not recommend installing another anti-virus program in addition to the current protection. You can have all the anti-spyware programs you want, but 1 anti-virus and 1 firewall.
 
Ok, I tried that... but the folders keep coming back. They are definitely the problem, but it seems that you delete them and then empty the Recycle Bin and they come back.
 
Super Anti Log

Ok, here is the scan for the last step I followed with SuperAntiSpyware. Still having pop-ups, but it appears that the trojans showed up on this scan... even for slow people like me! I really do appreciate all of this help.
 
Now copy
Windows Registry Editor Version 5.00
; the line above is the header Regedit needs before it will merge a .REG file

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000001
REMOVE THE SPACES FROM THE SYSTEM PART AT THE END IF THERE ^^^^^

and paste it into Notepad. Select Save As, set Notepad's file type to 'All Files' and save the file as FixReg.REG. If you save it on your desktop it will be easy to find.

Double-click on the file FixReg.REG and allow the contents to be merged into the Registry (click 'Yes' when asked).
---------------------------------------------------------------------------------------------------

CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\Program Files\installer\si.exe
C:\WINDOWS\mssvr.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\updatetc.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\2020search.dll
C:\WINDOWS\180ax.exe
C:\WINDOWS\bokja.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\2020search2.dll

Folder::
C:\Program Files\stc
C:\Program Files\zango
C:\Program Files\Sysmnt
C:\Program Files\seekmo
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NI"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UC_SMB"=-

Save this as CFScript.txt

Then drag CFScript.txt onto ComboFix.exe as you see in the screenshot below.

[Screenshot attachment: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
 
New logs of combofix

Ok, I followed the previous steps and ran ComboFix again with a new HJT log. The pop-ups disappeared from the screen, as did the screen background that said your computer has been infected with spyware. So it looks like progress!
 
Ok, I want to be sure on this one. It seems like something is restoring these.

CFScript

Open notepad and copy/paste the text in the code box below into it:
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.
Also ..

Pay particular attention to this :-

Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\L3821.tmp
C:\WINDOWS\system32\L36CD.tmp
C:\WINDOWS\system32\L35DC.tmp
C:\WINDOWS\system32\L3500.tmp
C:\WINDOWS\system32\hknnpgmm.dll

Folder::
C:\Program Files\zango
C:\Program Files\stc
C:\Program Files\seekmo
C:\Program Files\180solutions
C:\Program Files\180searchassistant
C:\Program Files\180search assistant
C:\Documents and Settings\Paulette Parkhill\Application Data\GOODSEARCH
C:\Documents and Settings\LocalService\Application Data\GOODSEARCH

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-

Save this as CFScript.txt

Then drag CFScript.txt onto ComboFix.exe as you see in the screenshot below.

[Screenshot attachment: CFScript.gif]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
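The two CFScript posts above both hinge on the file's layout: the section headers File::, Folder:: and Registry::, the rule that File:: is the very first line with no blank line above it and no leading space, and the "Name"=- form that deletes a registry value. The following is an added example, not code from the thread and not ComboFix's own parser: a small Python parser and validator for that layout, built only on the rules the posts state, which flags the two layout mistakes the posts warn about and lists the registry values a script would delete. The sample inputs are constructed from the entries in the second CFScript above, plus one constructed bad file using a placeholder path.

```python
# Added example (not from the thread, and not ComboFix's own parser): a small
# parser/validator for the CFScript.txt layout described in the posts above.
# Assumptions taken from the posts: "File::" must be line 1 exactly (no blank
# line above it, no leading space); "Folder::" and "Registry::" open the other
# sections; in Registry::, a line of the form "Name"=- deletes that value under
# the key named in the preceding [brackets] line.
import re
from dataclasses import dataclass, field

SECTION_HEADERS = ("File::", "Folder::", "Registry::")


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)   # raw lines of the Registry:: section
    problems: list = field(default_factory=list)   # layout mistakes to fix before use


def parse_cfscript(text: str) -> CFScript:
    """Split a CFScript into its sections and record layout problems."""
    script = CFScript()
    lines = text.splitlines()
    # The rule the posts stress: "File::" must be the very first line, exactly.
    if not lines or lines[0] != "File::":
        script.problems.append(
            "line 1 must be exactly 'File::' (no blank line above it, no leading space)")
    current = None
    for lineno, raw in enumerate(lines, 1):
        line = raw.rstrip()
        if not line.strip():
            continue                      # blank lines just separate sections
        if line.strip() in SECTION_HEADERS:
            if line != line.strip():
                script.problems.append(
                    f"line {lineno}: header {line.strip()!r} has leading whitespace")
            current = line.strip()
            continue
        if current == "File::":
            script.files.append(line)
        elif current == "Folder::":
            script.folders.append(line)
        elif current == "Registry::":
            script.registry.append(line)
        else:
            script.problems.append(f"line {lineno}: entry before any section header: {line!r}")
    return script


def registry_deletions(script: CFScript) -> list:
    """Return (key, value_name) pairs that the Registry:: section deletes via '=-'."""
    deletions = []
    key = None
    for line in script.registry:
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)              # a [bracketed] line selects the current key
            continue
        m = re.fullmatch(r'"([^"]+)"=-', line)
        if m and key is not None:
            deletions.append((key, m.group(1)))
    return deletions


# Sample input, constructed here from entries in the second CFScript above.
SAMPLE_OK = r"""File::
C:\WINDOWS\system32\wmsdkns.exe
C:\WINDOWS\system32\L3821.tmp
C:\WINDOWS\system32\hknnpgmm.dll

Folder::
C:\Program Files\zango
C:\Program Files\seekmo

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"""

# Constructed counter-example: a blank first line and an indented header, the two
# mistakes the posts warn about. C:\WINDOWS\example.exe is a placeholder path.
SAMPLE_BAD = "\n File::\nC:\\WINDOWS\\example.exe\n"

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        s = parse_cfscript(text)
        print(name, "files:", len(s.files), "folders:", len(s.folders),
              "registry deletions:", registry_deletions(s))
        for p in s.problems:
            print("  problem:", p)
```

Running the block prints a summary for each sample; the "bad" sample reports both layout problems, which is the check worth making before dragging a hand-edited CFScript.txt onto ComboFix.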
 
New logs of combofix again

I followed those steps again... you said something keeps reloading them, and while it started running something popped up that said McAfee blocked a virus that reproduces files; not sure if that matters.
 
That looks so much better! Does the computer seem to be running better?

First go to start -> all programs -> accessories -> command prompt

at the command prompt type: sc delete "IBM PSA Access Driver Control" (the quotes are needed because the name contains spaces)

press Enter and reboot the system into Safe Mode (copy the next section first)

Copy the section between the stars into a Notepad file and save it to your desktop, to have it open during Safe Mode
************************************************************************************************************
Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
O2 - BHO: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: goodsearch - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~1.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


Select Fix Checked

Close Hijackthis

Show hidden files through windows explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders, and turn Hide protected operating system files off.

Use Windows Explorer to navigate to and delete the following folder:

Folder:
C:\PROGRAM FILES\GOODSEARCH <- This folder (could be goodsearchtoolbar)

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
********************************************************************************************************

Download and Run ATF Cleaner
Download ATF Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox or Opera:
Click Firefox or Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

------------------------------------------------------------------------------------------------------

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report in your next reply.
 
Thanks so much. The computer is running much better. No pop-ups, and it is amazing to have control over my own computer again... by being able to close programs, Ctrl-Alt-Delete for instance.

When I follow the previous directions and go to command prompt I get an error message that says SC open service failed 1060: The specified service does not exist as an installed service.
 
Ok, what about the Kaspersky scan log?

Also go ahead and run HijackThis again; if everything looks ok, we can secure the work we have done and clean up a bit.
 
Kaspersky scan

Here is the Kaspersky scan and the HJT log. I now officially hate McAfee; it doesn't appear it blocked much.
 
Looks good.

Launch MBAM -> select the Quarantine tab -> highlight all infections and select Delete All
-------------------------------------------------------------------------------------------------------

Uninstall Combofix
* Click START then RUN
* Now type Combofix /u in the Run box
* Make sure there's a space between Combofix and /u
* Then hit Enter.

* The above procedure will:
* Delete the following:
* ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

-----------------------------------------------------------------------
Cleanup using OTMoveit2 by OldTimer
Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

1. Double click OTMoveIt2.exe to launch it.
If using Vista, right-click OTMoveIt2 and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

* When finished exit out of OTMoveIt2

---------------------------------------------------------------------------
I recommend you keep:
1 anti-virus program
1 firewall
A combo of anti-spyware programs (Spybot S&D and MBAM, or your choice)

For Spybot you can download the latest version from HERE.

Keep them updated.

You can also turn on TeaTimer in Spybot:
  • Click on Mode at the top and make sure that Advanced is checked
  • Expand the Tools tab in the left pane
  • Single click on the Resident Icon also in the left pane
  • check Resident "TeaTimer" (Protection of over-all system settings) Active
  • Close spybot

Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green, though.

And just to be sure
Set correct settings for files
  • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
  • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
  • If unchecked please check Hide protected operating system files (Recommended)
  • If necessary check "Display content of system folders"
  • If necessary Uncheck Hide file extensions for known file types.
  • Click OK

Clear system restore points

  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    This will remove all restore points except the new one you just created.
 
Thank you so much for all of your help. The computer is running so much better now. You have great patience and have definitely done more than one good deed in the last week. Thank you again for taking your time to help someone you don't even know.
 