Solved

Win32.Trojan.Downloader

Posted on 2006-07-06
7
2,921 Views
Last Modified: 2010-05-18
I have a similar problem to the one posed in Q_21878246.html.

I have run the Hijack This scan and have the results.

Could someone please look at them and suggest which ones are the likely culprits.

But I need to know how to get the file here onto this site (i.e. how do I create a link, or however I should do it).

Thanks.

Ziggy
0
Comment
Question by:Ziggy622
7 Comments
 

Expert Comment

by:smik011
ID: 17051020
Simply just run the scan, then click on the 'Save Log' button on the lower left. This log should appear as a text file, so copy all the stuff from the text file and paste it here as part of your question.
0
 

Author Comment

by:Ziggy622
ID: 17051116
OK - here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:41, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\dfndrd_4.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe
C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\{C42FCE19-0574-1033-0524-020208230002}\Update.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\DOCUME~1\JRGEN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\ISStart.exe
O4 - HKLM\..\Run: [SpywareBot] D:\Utilities\Spybot - Search & Destroy\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\LogiTray.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Documents and Settings\Jürgen\Desktop\RegistryRepairPro.exe 1
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Utilities\Reader\reader_sl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147791113180
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147791087312
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0A4DA05-729F-41D2-B3FA-11AEF453FFA3}: NameServer = 199.166.6.2 209.239.11.98
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Ziggy
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17052765
Here is the link to the analysis of your log file.

http://hjt.networktechs.com/parse.php?log=235888
0
 

Author Comment

by:Ziggy622
ID: 17054615
OK. The files have been parsed.

Now, how do I remove them - more importantly - remove them so they don't come back.

I've already removed them several times with programs such as Ad-Aware and others, and they always seem to come back.

Thanks.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17055098
Hi,

You have at least 3 infections there (Alcan, qoologic, outerinfo/purityscan).
Hijackthis alone cannot remove these.
If it's not easy to follow the instructions of these tools that are needed for each infection, we can do it all another way requiring just one tool.

1. a) Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)"
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

b) Download Alcra PLUS Remover.
http://home.planet.nl/~kleyn080/alcanshorty.bfu
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon" and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows.


2. In Add/Remove Programs look for apps belonging to OIN
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.


3. Please download Qoofix by RubbeR DuckY
http://www.malwarebytes.org/Qoofix.zip
1. Unzip all files to a convenient location such as C:\Qoofix.
2. Go to the folder you unzipped all files and run Qoofix.exe.
3. Click Begin Removal and wait for the scan to finish.
4. If an infection has been found, select yes to restart your computer.
Post the contents of the Qoofix logfile.


4. Finally, run Hijackthis and put a check next to these entries (if they are still present after running the tools) and click "Fix Checked" button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
0
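The log posted earlier in this thread and the "Fix Checked" list in the accepted answer were triaged by hand. The following is an added example (not code from this thread, from HijackThis, or from any of the tools named above) of a small Python parser for the item lines of a HijackThis log. It applies the same kind of heuristics a reviewer uses on these lines: Run entries with a bare filename, an executable in the drive root or under Application Data, DPF controls served from a bare IP address or delivered as an .exe with no friendly name, blanked IE search settings, and a populated AppInit_DLLs value. The sample input is a constructed subset of the posted log with a few benign lines kept as negatives; the flag rules are assumptions chosen for illustration and produce a review worklist, not a verdict.

```python
"""Triage helper for HijackThis v1.99-style log lines (added example, not thread or HijackThis code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample: a subset of the log posted in the thread, plus the benign
# Java, Global Startup and Windows Update lines so the heuristics have negatives.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Utilities\Reader\reader_sl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147791113180
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
ROOT_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")      # C:\foo.exe or C:\\foo.exe, nothing deeper
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

@dataclass
class Entry:
    kind: str                 # HijackThis section, e.g. "O4", "O16"
    raw: str                  # the original log line
    name: str = ""            # Run value name or DPF friendly name, when present
    target: str = ""          # executable, URL, DLL list or the unparsed body
    flags: list = field(default_factory=list)   # reasons a human should look at it

def _check_run(entry, body):
    m = O4_RE.match(body)
    if not m:                 # Global Startup and other O4 forms are kept unparsed
        entry.target = body
        return
    entry.name = m.group("name")
    cmd = m.group("cmd").strip()
    exe_m = EXE_RE.match(cmd)          # executable without its arguments
    exe = exe_m.group("exe") if exe_m else cmd.strip('"')
    entry.target = exe
    if "\\" not in exe:
        entry.flags.append("bare filename with no path (resolved through the search path)")
    elif ROOT_RE.match(exe):
        entry.flags.append("executable sits in the drive root")
    if re.search(r"APPLIC~1|Application Data", exe, re.IGNORECASE):
        entry.flags.append("runs from the user's Application Data folder")

def _check_dpf(entry, body):
    m = O16_RE.match(body)
    if not m:
        entry.target = body
        return
    entry.name = m.group("name") or ""
    entry.target = m.group("url")
    url = urlparse(entry.target)
    if not entry.name:
        entry.flags.append("no friendly control name")
    if IPV4_RE.match(url.hostname or ""):
        entry.flags.append("downloaded from a bare IP address")
    if url.path.lower().endswith(".exe"):
        entry.flags.append("points at an .exe rather than a .cab")

def _check_search(entry, body):
    entry.target = body
    if body.lower().endswith("about:blank"):
        entry.flags.append("IE search setting blanked")
    if "is missing" in body:
        entry.flags.append("default URLSearchHook removed")

def _check_appinit(entry, body):
    entry.target = body.partition(":")[2].strip()
    if entry.target:
        entry.flags.append("AppInit_DLLs set: loads into every process that uses user32.dll")

CHECKS = {"R0": _check_search, "R1": _check_search, "R3": _check_search,
          "O4": _check_run, "O16": _check_dpf, "O20": _check_appinit}

def parse_log(text):
    """Return one Entry per HijackThis item line; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(kind=m.group("kind"), raw=line.strip())
        CHECKS.get(entry.kind, lambda e, b: setattr(e, "target", b))(entry, m.group("body"))
        entries.append(entry)
    return entries

def flagged(text):
    """Entries with at least one flag: a worklist for manual review, not a verdict."""
    return [e for e in parse_log(text) if e.flags]

if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:<4}{e.name or e.target}")
        for f in e.flags:
            print("     - " + f)
```

Run against the full posted log the same rules also flag the legitimate `[WINDVDPatch] CTHELPER.EXE` line, because it too is a bare filename; that is the intended behaviour of a worklist, and it is why each hit carries the reason it was raised rather than a removal recommendation.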
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17055166
>>I have a similar problem to the one posed in Q_21878246.html.<<

In what way is it similar to the other question? That link had a smitfraud infection, which is not showing in your log.
Some variants of smitfraud can also hide from the Hijackthis scan.
If you do have symptoms of smitfraud but the files are not showing in your log, you can also run smitfraudfix.

What shows in your log is the Alcan worm, qoologic, and outerinfo/purityscan, but some nasties now target the Hijackthis.exe process so they won't show up in the scan.
0
 
LVL 1

Expert Comment

by:lawyerboy780
ID: 17105911
Make sure you turn off registry protection such as Ad-Watch and other spyware tools, because these tend to thwart your attempts to delete registry entries: the entry will seem to disappear, but if you move to a different registry branch and then go back to where you deleted an item, voilà, it's still there. It can be quite aggravating until you realize that your safety precautions are working to protect you from yourself.

Good luck
0
