Trojan / HiJacking... i.e. ads and spaces in .exe filenames

[stylzz]

Hi this is my first time posting. I would like to commend you on your efforts at preventing and curing malware and trojan infecting normal peoples machines. I will appreciate any assistance/recommendations that you could give me in my matter.

Soon after the first, I noticed that a few of my desktop shortcuts were missing icons. As I investigated I noticed that many of my programs were renamed with a space separating the filename from the file extension. For example, yahoomessenger.exe was renamed to yahoomessenger .exe. The original file's name still remained on my pc, but it was 40KB in size. This happened for many of my desktop's application. After a few google searches, I found a program called SDFix. After downloading this and running it from my OS in safe mode, it seemed to have "Fixed" my problem. However, there are still a few applications that SDFix did not remedy. I am now getting various IE browsers opening up to ad sites.

I am running Windows XP SP3. I have Symantec EndPoint Protection 11.0.4. I have completed the 8 step process but it did not resolve my problem with the renaming of the files. Also, deleting the 40Kb impostor and renaming the original file back to its original name does not fix this either. It would either change again in time, or after a reboot. I am attaching the requested files for your review.

Thanks a million...

Will E. Stylzz

 

[Tmagic650]

Where is your Hijackthis log?

 

[stylzz]

The only ones I found for Hijack was the fixes and checks files that I attached. It was in DocSet/all u/applic/spybot/logs directory... Is there another produced in some other location?

 

[stylzz]

I have a resident log... Not sure if this is what is needed or not...

 

[stylzz]

I may be using the wrong version of HJT... I will uninstall this version 1.6 and install 2.02 ... sorry for the confusion.

 

[Tmagic650]

I don't know what OS you are using but in XP, click on the Hijackthis icon, system scan only, save file. Note where this file is saved. Attach it here. In Vista or Windows 7 right-click, run as administrator, system scan only, save file. Note where the file is saved and attach it here

 

[stylzz]

Ok... sorry about that, here is the HJT log...

 

[Tmagic650]

Okay good work...

You have some "suspicious" things in your Hijackthis log

Run this Scanner

Directions:
Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
c:\windows\system32\userinit.exe

Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply

Also scan these,

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe


Leave the log from that scan in your next reply...

 

[stylzz]

Scan results are as follows:


File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853

Scanner results : Scanners did not find malware!




File Name : explorer.exe
File Size : 1033728 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f

Scanner results : Scanners did not find malware!



File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667

Scanner results : Scanners did not find malware!

 

[Tmagic650]

Good, now let's do one more:
Eset Scanner

 

[stylzz]

I used virus scan on one of the 40Kb files that I was referring to in the initial post that keeps reappearing. The results are not pretty:

VirSCAN.org Scanned Report :
Scanned time : 2010/01/09 22:36:24 (CET)
Scanner results: 70% Scanner(s) (26/37) found malware!
File Name : bjmyprt.exe
File Size : 40960 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 721212e9dfca7efda22cceeda36628ef
SHA1 : ac0f3f19e0ed5efdb84e30ddabea586265efff12
Online report : http://virscan.org/report/3e961eef74b1dadc4d7a41da0159c22a.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20100109234514 2010-01-09 4.59 Trojan.Win32.Cosmu!IK
AhnLab V3 2010.01.09.02 2010.01.09 2010-01-09 1.43 -
AntiVir 8.2.1.134 7.10.2.151 2010-01-08 0.20 TR/Cosmu.joh
Antiy 2.0.18 20100108.3621411 2010-01-08 0.12 Trojan/Win32.Cosmu.joh
Arcavir 2009 201001081341 2010-01-08 0.05 Trojan.Cosmu.Joh
Authentium 5.1.1 201001091522 2010-01-09 1.31 -
AVAST! 4.7.4 100109-0 2010-01-09 0.01 Win32:Trojan-gen
AVG 8.5.288 270.14.132/2610 2010-01-10 0.31 Generic16.WTC
BitDefender 7.81008.4847999 7.29802 2010-01-10 4.20 Trojan.Generic.2952460
CA (VET) 35.1.0 7225 2010-01-07 8.67 -
ClamAV 0.95.2 10275 2010-01-09 0.01 -
Comodo 3.13.579 3409 2010-01-09 1.13 TrojWare.Win32.TrojanSpy.BZub.~IP
CP Secure 1.3.0.5 2010.01.09 2010-01-09 0.06 Troj.W32.Cosmu.joh
Dr.Web 4.44.0.9170 2010.01.09 2010-01-09 8.41 Trojan.Siggen.43038
F-Prot 4.4.4.56 20100109 2010-01-09 1.52 -
F-Secure 7.02.73807 2010.01.09.04 2010-01-09 0.12 Trojan.Win32.Cosmu.joh [AVP]
Fortinet 11.354- 11.354 2010-01-09 0.25 W32/Cosmu.JOH!tr
GData 19.9871/19.667 20100109 2010-01-09 6.04 Trojan.Win32.Cosmu.joh [Engine:A]
ViRobot 20100108 2010.01.08 2010-01-08 0.46 -
Ikarus T3.1.01.80 2010.01.09.74929 2010-01-09 4.29 Trojan.Win32.Cosmu
JiangMin 13.0.900 2010.01.09 2010-01-09 15.37 Trojan/Cosmu.to
Kaspersky 5.5.10 2010.01.09 2010-01-09 0.07 Trojan.Win32.Cosmu.joh
KingSoft 2009.2.5.15 2010.1.9.22 2010-01-09 0.54 Win32.Troj.Generic.40960
McAfee 5.3.00 5856 2010-01-09 4.02 Generic Downloader.x!cks
Microsoft 1.5302 2010.01.09 2010-01-09 9.61 TrojanDownloader:Win32/Unruy.C
Norman 6.01.09 6.01.00 2010-01-09 4.01 -
Panda 9.05.01 2010.01.09 2010-01-09 10.59 -
Trend Micro 9.120-1004 6.758.06 2010-01-09 0.02 TROJ_COSMU.BE
Quick Heal 10.00 2010.01.09 2010-01-09 1.29 Trojan.Cosmu.joh
Rising 20.0 22.29.05.04 2010-01-09 0.44 Trojan.Win32.Generic.51F5A81A
Sophos 3.03.0 4.49 2010-01-10 2.94 Troj/Dloadr-CXZ
Sunbelt 3.9.2389.2 5608 2010-01-08 4.41 Trojan-Downloader.Win32.Unruy.C (v)
Symantec 1.3.0.24 20100102.020 2010-01-02 0.26 -
nProtect 20100109.01 6831766 2010-01-09 6.00 -
The Hacker 6.5.0.3 v00144 2010-01-09 1.09 Trojan/Cosmu.jog
VBA32 3.12.12.1 20100108.2153 2010-01-08 2.34 Trojan.Win32.Cosmu.joh
VirusBuster 4.5.11.10 10.118.26/2005119 2010-01-10 2.54 -

 

[stylzz]

Do I use the default for eset?

 

[Tmagic650]

Yes use the default

 

[stylzz]

It looks like this is going to take a while... It is 1100PM here, I probably will not post results until tomorrow morning when I wake up...

 

[Tmagic650]

Ok no problem, it's 3:06 pm here...

 

[stylzz]

It has been on 6% for the past 25 minutes... so far it detected Win32/Bagle.gen.zip worm. I will have to look that one up...

 

[Tmagic650]

Well at least we are making some progress. Good luck

 

[stylzz]

Progress is always good ... even if it feels like you are going backwards

After the ESet Scan is completed, I am assuming that I will allow it to repair, or it will repair the findings, correct?

 

[Tmagic650]

Yes ESET will correct the findings, and it will also give us further clues on what to do next, if necessary

 

[stylzz]

almost 16 hours... and at 99%

 

[stylzz]

This is what ESET found. Quite a bit of nasty stuff. All of the "TrojanDownloader.Unruy.AY" were the 40Kb files that I mentioned in the first post. Unfortunately, Symantec only sees it as malicious depending on the name of the file that is found in the technical details tab on this link. Now that this has completed, should I reboot and see if they come back?

 

[Tmagic650]

Turn off System Restore... Run this temp file cleaner:

Temp File Cleaner by Old Timer

Turn System Restore back on

 

[stylzz]

TFC forced a reboot to permanently remove files, turned system restore back on. At boot, versioncuecs3.exe just sits on the screen. It has not done that before. Also, I lost my xp style task bar, I only have the classic to choose from in the appearance tab of display properties. Everything else seems to be running normally. I may disable the versioncue as I do not need it running. I used to have several versions on Adobe / Macromedia products installed. That is all that it would have been beneficial for.