Solved

Win32.Trojan.Downloader

Posted on 2006-07-06
2,900 Views
Last Modified: 2010-05-18
I have a similar problem to the one posed in Q_21878246.html.

I have run the HijackThis scan and have the results.

Could someone please look at them and suggest which ones are the likely culprit?

But I need to know how to get the file here onto this site (i.e. how do I create a link, or however I should do it).

Thanks.

Ziggy
Question by: Ziggy622

Expert Comment by: smik011
Simply just run the scan, then click on the 'Save Log' button on the lower left. This log should appear as a text file, so copy all the stuff from the text file and paste it here as part of your question.
Author Comment by: Ziggy622
OK - here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:57:41, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\outlook\outlook.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\dfndrd_4.exe
C:\Program Files\Windows Defender\MSASCui.exe
D:\Program Files\LogiTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe
C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\{C42FCE19-0574-1033-0524-020208230002}\Update.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\WINDOWS\system32\MsiExec.exe
C:\DOCUME~1\JRGEN~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis_199.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "D:\Program Files\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] D:\Program Files\ISStart.exe
O4 - HKLM\..\Run: [SpywareBot] D:\Utilities\Spybot - Search & Destroy\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LogitechVideoTray] D:\Program Files\LogiTray.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIX10.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Documents and Settings\Jürgen\Desktop\RegistryRepairPro.exe 1
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Utilities\Reader\reader_sl.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147791113180
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147791087312
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A0A4DA05-729F-41D2-B3FA-11AEF453FFA3}: NameServer = 199.166.6.2 209.239.11.98
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)


Ziggy
Expert Comment by: prashsax
Here is the link to the analysis of your log file.

http://hjt.networktechs.com/parse.php?log=235888
Author Comment by: Ziggy622
OK. The files have been parsed.

Now, how do I remove them, and more importantly, remove them so they don't come back?

I've already removed them several times with programs such as Ad-Aware and others and they always seem to come back.

Thanks.
Accepted Solution by: rpggamergirl (earned 500 total points)
Hi,

You have at least 3 infections there (Alcan, qoologic, outerinfo/purityscan).
HijackThis alone cannot remove these.
If it's not easy to follow the instructions of the tools that are needed for each infection, we can do it all another way requiring just one tool.

1. a) Please download Brute Force Uninstaller to your desktop.
http://www.merijn.org/files/bfu.zip
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)"
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

b) Download Alcra PLUS Remover.
http://home.planet.nl/~kleyn080/alcanshorty.bfu
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode.
You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe
Behind the "scriptline to execute" field click the "folder icon" and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows.


2. In Add/Remove Programs look for apps belonging to OIN
If you do not see any icon for "OIN" or "(program) by OIN" in Add/Remove Programs, please download their stand-alone uninstaller.
http://www.outerinfo.com/OiUninstaller.exe.


3. Please download Qoofix by RubbeR DuckY
http://www.malwarebytes.org/Qoofix.zip
1. Unzip all files to a convenient location such as C:\Qoofix.
2. Go to the folder you unzipped all files and run Qoofix.exe.
3. Click Begin Removal and wait for the scan to finish.
4. If an infection has been found, select yes to restart your computer.
Post the contents of the Qoofix logfile.


4. Finally, run Hijackthis and put a check next to these entries (if they are still present after running the tools) and click "Fix Checked" button:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdd_4.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [Xwjd] C:\DOCUME~1\JRGEN~1\APPLIC~1\CROSOF~1\SRVICE~1.EXE
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} - http://advnt01.com/dialer/int_ver34.CAB
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
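The entries the accepted solution selects in step 4 share a few traits: autorun commands with no path or sitting in the drive root, autoruns launched from a user's Application Data folder, an ActiveX download from a bare IP address, and a populated AppInit_DLLs value. As an added example that is not part of the thread or of any tool it names, this Python script applies those heuristics to a few lines taken from the log above; the regexes and reason strings are my own, and they are triage hints for a reviewer, not a verdict.

```python
import re
# Constructed sample: HijackThis-format lines copied from the log in this
# thread, mixing benign entries with ones the expert selected for "Fix Checked".
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrd_4.exe
O4 - HKCU\..\Run: [Cmte] "C:\DOCUME~1\JRGEN~1\APPLIC~1\STEM~1\wucrtupd.exe" -vt yazr
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {00000000-0000-0000-0000-000020040000} - http://207.234.185.217/ABoxInst_int14.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauclt.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O16_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?P<label> \([^)]*\))? - (?P<url>\S+)$')
EXE_RE = re.compile(r'"?(?P<path>.*?\.exe)"?', re.IGNORECASE)   # executable part of a Run command
IP_HOST_RE = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)', re.IGNORECASE)

def o4_reasons(cmd):
    """Heuristics for one O4 autorun command (my own, modelled on the flagged entries)."""
    m = EXE_RE.match(cmd)
    path = m.group('path') if m else cmd
    reasons = []
    if '\\' not in path:
        reasons.append('bare executable name with no path')
    elif re.match(r'^[A-Za-z]:\\+[^\\]+$', path):
        reasons.append('executable sitting directly in the drive root')
    if re.search(r'APPLIC~1|\\Application Data\\', path, re.IGNORECASE):
        reasons.append('autorun launched from a user profile Application Data folder')
    return reasons

def triage(log_text):
    """Return (line, reason) pairs for O4/O16/O20 entries a reviewer should look at."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            findings.extend((line, r) for r in o4_reasons(m.group('cmd')))
        elif m := O16_RE.match(line):
            if IP_HOST_RE.match(m.group('url')):
                findings.append((line, 'ActiveX control downloaded from a bare IP address'))
            elif not m.group('label'):
                findings.append((line, 'ActiveX control with no registered friendly name'))
        elif line.startswith('O20 - AppInit_DLLs:') and line.split(':', 1)[1].strip():
            findings.append((line, 'AppInit_DLLs is set; this DLL is loaded into every user32 process'))
    return findings
if __name__ == '__main__':
    for entry, why in triage(SAMPLE_LOG):
        print(f'{why}\n    {entry}')
```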
Expert Comment by: rpggamergirl
>>I have a similar problem to the one posed in Q_21878246.html.<<

In what way is it similar to the other question? That link had a smitfraud infection, which is not showing in your log.
Some variants of smitfraud can also hide from a HijackThis scan.
If you do have symptoms of smitfraud but the files are not showing in your log, you can also run smitfraudfix.

What shows in your log is the Alcan worm, qoologic, and outerinfo/purityscan, but some nasties now target the Hijackthis.exe process so they won't show up in the scan.
Expert Comment by: lawyerboy780
Make sure you turn off registry protection such as Ad-Watch and other spyware stuff, because these tend to thwart your attempts to delete registry entries: the entry will seem to disappear, but if you move to a different registry branch and then go back to where you deleted an item, voilà, it's still there. It can be quite aggravating until you realize that your safety precautions are working to protect you from yourself.

Good luck