Solved

Win32.Trojan.Downloader

Posted on 2006-07-06
Last Modified: 2010-05-18
I have a similar problem to the one posed in Q_21878246.html.

I have run the Hijack This scan and have the results.

Could someone please look at them and suggest which ones are the likely culprits.

But I need to know how to get the file here onto this site (i.e. how do I create a link, or however I should do it).

Thanks.

Ziggy
0
Question by:Ziggy622
7 Comments
 

Expert Comment

by:smik011
ID: 17051020
Simply just run the scan, then click on the 'Save Log' button on the lower left. This log should appear as a text file, so copy all the stuff from the text file and paste it here as part of your question.
0
 

Author Comment

by:Ziggy622
ID: 17051116
OK - here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:41, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\dfndrd_4.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe
C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\{C42FCE19-0574-1033-0524-020208230002}\Update.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\DOCUME~1\JRGEN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\ISStart.exe
O4 - HKLM\..\Run: [SpywareBot] D:\Utilities\Spybot - Search & Destroy\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\LogiTray.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Documents and Settings\Jürgen\Desktop\RegistryRepairPro.exe 1
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Utilities\Reader\reader_sl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147791113180
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147791087312
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0A4DA05-729F-41D2-B3FA-11AEF453FFA3}: NameServer = 199.166.6.2 209.239.11.98
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Ziggy
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17052765
Here is the link to the analysis of your log file.

http://hjt.networktechs.com/parse.php?log=235888
0

 

Author Comment

by:Ziggy622
ID: 17054615
OK.  The files have been parsed.

Now, how do I remove them - more importantly - remove them so they don't come back.

I've already removed them several times with programs such as Ad-Aware and others and they always seem to come back.

Thanks.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17055098
Hi,

You have at least 3 infections there (Alcan, qoologic, outerinfo/purityscan).
Hijackthis alone can not remove these.
If it's not easy to follow the instructions of these tools that are needed for each infection, we can do it all another way requiring just one tool.

1. a) Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

b) Download Alcra PLUS Remover.
http://home.planet.nl/~kleyn080/alcanshorty.bfu
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon"  and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows.


2. In Add/Remove Programs look for apps belonging to OIN
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.


3. Please download Qoofix by RubbeR DuckY
http://www.malwarebytes.org/Qoofix.zip
1. Unzip all files to a convenient location such as C:\Qoofix.
2. Go to the folder you unzipped all files and run Qoofix.exe.
3. Click Begin Removal and wait for the scan to finish.
4. If an infection has been found, select yes to restart your computer.
Post the contents of the Qoofix logfile.


4. Finally, run Hijackthis and put a check next to these entries (if they are still present after running the tools) and click "Fix Checked" button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
0
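The accepted answer picks out the suspicious entries by eye. The following is an added example (not part of the thread, and not HijackThis or any of the tools named above) that encodes the same kind of triage as heuristics over HijackThis v1.99 log lines: autostarts that reference a bare file name, an executable sitting in the drive root, or a program in the user's Application Data folder; ActiveX (O16 DPF) downloads with no registered control name or fetched from a raw IP; AppInit_DLLs, registry-fixed DNS servers, orphaned services and search settings reset to about:blank. The sample log is a subset of the lines from the log posted in this thread; the reason codes, regexes and the `triage`/`summarize` function names are my own assumptions, and a finding is a prompt to look at that entry, not proof it is malicious.

```python
"""Heuristic triage of a HijackThis v1.99-style log (added example, not HijackThis code)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a subset of the log lines posted in the thread above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Utilities\Reader\reader_sl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147791113180
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0A4DA05-729F-41D2-B3FA-11AEF453FFA3}: NameServer = 199.166.6.2 209.239.11.98
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
"""


@dataclass(frozen=True)
class Finding:
    code: str   # short tag naming the heuristic that fired (my own labels)
    line: str   # the log line, verbatim
    note: str   # what a human should go and check

# Line shapes of the HijackThis sections handled below.
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.IGNORECASE)
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>.+)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
O23_RE = re.compile(r'^O23 - Service: .*\(file missing\)$')
R_BLANK_RE = re.compile(r'^R[0-3] - .*= about:blank$')
ROOT_RE = re.compile(r'^[A-Za-z]:\\+[^\\]+$')          # C:\foo.exe or C:\\foo.exe
PROFILE_RE = re.compile(r'APPLIC~1|Application Data|LOCALS~1|Local Settings', re.IGNORECASE)


def _check_o4(line: str, m: re.Match) -> list[Finding]:
    """Flag autostart commands by where their executable lives."""
    exe = EXE_RE.match(m.group('cmd'))
    if not exe:
        return []
    path = exe.group('path')
    if '\\' not in path:
        return [Finding('O4_BARE_NAME', line,
                        'autostart by bare file name; resolved via the search path, so find the real file')]
    if ROOT_RE.match(path):
        return [Finding('O4_DRIVE_ROOT', line, 'executable dropped directly in the drive root')]
    if PROFILE_RE.search(path):
        return [Finding('O4_USER_PROFILE', line, 'autostart from a user profile data folder')]
    return []


def _check_o16(line: str, m: re.Match) -> list[Finding]:
    """Flag ActiveX downloads with no control name or served from a bare IP."""
    out = []
    if m.group('desc') is None:
        out.append(Finding('O16_UNNAMED', line, 'downloaded control has no registered name'))
    host = urlsplit(m.group('url')).hostname or ''
    try:
        ipaddress.ip_address(host)
        out.append(Finding('O16_RAW_IP', line, 'ActiveX control fetched from a raw IP address'))
    except ValueError:
        pass
    return out


def triage(log_text: str) -> list[Finding]:
    """Run every heuristic over each line of a HijackThis log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := O4_RE.match(line)):
            findings.extend(_check_o4(line, m))
        elif (m := O16_RE.match(line)):
            findings.extend(_check_o16(line, m))
        elif O17_RE.match(line):
            findings.append(Finding('O17_DNS', line, 'DNS servers fixed in the registry; confirm they belong to your ISP'))
        elif O20_RE.match(line):
            findings.append(Finding('O20_APPINIT', line, 'DLL loaded into every process that loads user32.dll; legitimate uses are rare, check the file'))
        elif O23_RE.match(line):
            findings.append(Finding('O23_ORPHAN', line, 'service whose binary is missing; harmless residue, clean it up'))
        elif R_BLANK_RE.match(line):
            findings.append(Finding('R_ABOUT_BLANK', line, 'search setting reset to about:blank, typical hijacker residue'))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason code."""
    return dict(Counter(f.code for f in findings))


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.code:16} {f.note}\n    {f.line}')
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the sample, the only O4 entries that fire are the ones the accepted answer lists for "Fix Checked" plus CTHELPER.EXE, which is a legitimate Creative helper started by bare name: the heuristics surface entries to verify, and the person still has to confirm what each file is before deleting it. Removing the Run entry alone is not enough either, which is why the answer pairs the HijackThis fixes with the dedicated removers.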
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17055166
>>I have a similar problem to the one posed in Q_21878246.html.<<

In what way is it similar to the other question? That link had a smitfraud infection, which is not showing in your log.
Some variants of smitfraud can also hide from hijackthis scan.
If you do have symptoms of smitfraud but files are not showing in your log, you can also run smitfraudfix.

What shows in your log is Alcan worm, qoologic, and outerinfo/purityscan, but some nasties now target the Hijackthis.exe process so they won't show up in the scan.
0
 
LVL 1

Expert Comment

by:lawyerboy780
ID: 17105911
Make sure you turn off registry protection such as Ad-Watch and other spyware stuff, because these tend to thwart your attempts to delete registry entries: the entry will seem to disappear, but if you move to a different registry branch and then go back to where you deleted an item, voilà, it's still there. Can be quite aggravating until you realize that your safety precautions are working to protect you from yourself.

Good luck
0
