Author Topic: Win32:Tiny-II [Trj]  (Read 10419 times)


motif80

  • Guest
Win32:Tiny-II [Trj]
« on: July 27, 2007, 11:33:40 AM »
Hello all,

I was infected with W32.Mubla.B Sunday last and have as a result had multiple infections over the past week. Most of them I have been able to solve, but there is one recurring trj that has easily taken me out of my depth (I admit that doesn't take much).

There are various behaviours that I have noticed with this trojan and I shall try and list them:

Firstly an Avast! Warning pops up listing that a trojan was found, the particulars of the warning are this:

File name: "C:\Documents and Settings\[user]\Local Settings\Temporary Internet Files\Content.IE5\39I3D317\yjgibkq[2].htm"
Malware name: Win32:Tiny-II [Trj]
The strange thing is that on searching for the content.IE folder...well I don't have one (or can't see it) in that path...neither can I find the file or folder within.

Next thing I have done is to "move to chest" as avast! recommends, I then receive a response:

"Avast! the system cannot find the file specified"
I press ok and immediately I get another avast! warning about the same Win32:Tiny-II [Trj]. There is only one difference, as I imagine you have already guessed, from the previous warning:

file name: "C:\Documents and Settings\Alex Bailey\Local Settings\Temporary Internet Files\Content.IE5\39I3D317\yjgibkq[2].htm"

My guess is that the trojan creates these folders and files (Content.IE5\[random letters and numbers]\[random letters and numbers].htm) then deletes it and creates another immediately, or perhaps does this when it is detected by avast!?

The second behaviour that seems related (I'm not sure whether it is the same trojan or not) is a large number of "suspicious message!" warnings. At any one time I get about 18 of these warnings; I believe that there are some common sender/recipient/subject trails that identify the same infection:

Sender:  "Glenda Haas" <kuielkwood@ka.baynet.ne.jp>
Recipient:  "ocetinnn" <ocetinnn@d-finans.com>
Subject:  No more being shy of your manhood

Sender:  "Ed Mcallister" <nygmandeville@cactimedia.com>
Recipient:  "ocetinnn" <ocetinnn@d-finans.com>; "nsjb_504k" <nsjb_504k@i-next.net>
Subject:  Life is short... so make the most of it

Sender:  "Neil Lester" <wyeloraine@aquamails.com>
Recipient:  "nsj" <nsj@wlu.edu>
Subject:  Be confident and stand tall

Sender:  "Kurt Hurst" <zcrhythm@imv-concept.com>
Recipient:  "nsj" <nsj@wlu.edu>; "numentacaodd" <numentacaodd@balaska.com.br>
Subject:  No more being shy of your manhood

Sender:  "Annmarie Gallagher" <lgglenwhite@CS.com>
Recipient:  "ocetinh" <ocetinh@suratkargo.com>
Subject:  Be careful of cheap imitations

Sender:  "Chris Fontenot" <qbolckow@missconet.com>
Recipient:  "nsjad" <nsjad@wellsfargo.com>
Subject:  Be careful of cheap imitations

Sender:  "Gino Guy" <lvduckwater@frontier.net>
Recipient:  "nixl" <nixl@pegasus-group.com>
Subject:  Significantly increase penis length

Sender:  "Letha Mcmullen" <lakennebunkport@email.vccs.edu>
Recipient:  "ongc.co.indudani_yogesh" <ongc.co.indudani_yogesh@ongc.co.in>
Subject:  Be satisfied for life!

Sender:  "Sybil Holbrook" <ahjasonville@cdba.de>
Recipient:  "numefj" <numefj@ms2.hinet.net>
Subject:  Be confident and stand tall

Sender:  "Joaquin Crump" <kbozoo@newlife-today.com>
Recipient:  "pacshordd" <pacshordd@qdoba.com>
Subject:  All girls like the big guys

the list goes on...I can't recall if the email addresses are the same for every batch of warnings, but most of the messages seem to be about health drugs, sex or spiritual well-being if that helps others identify it on their machine...

I think there must be an .exe somewhere but where that is I have no clue and neither can I tell what the trojan does.

I've tried using the avast! cleaner but it didn't find anything. I've tried searching the internet for this trojan (here, Symantec etc.) but have not found anything on it. I have Win XP SP2; I scan my PC with Spybot, avast!, Windows Defender and Ad-Aware 2007 every night. I keep everything updated.

All help is appreciated!

cheers
« Last Edit: July 27, 2007, 12:11:35 PM by motif80 »

motif80

Re: Win32:Tiny-II [Trj]
« Reply #1 on: July 27, 2007, 11:49:42 AM »
here's the hijackthis log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:44:39, on 27/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\ATKKBService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HiJackThis_v2[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ASUS SmartDoctor] C:\Program Files\ASUS\SmartDoctor\SmartDoctor.exe  /start
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ALEXBA~1\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase9602.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159887205696
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1159887194368
O21 - SSODL: printers - {209F0A9A-41BE-424A-927C-19F23617D2B3} - msn.dll (file missing)
O21 - SSODL: antivirus - {AE15C697-D049-408F-901E-C2B20ACFFEB0} - firewallav.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 9042 bytes
« Last Edit: July 27, 2007, 12:10:06 PM by motif80 »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32:Tiny-II [Trj]
« Reply #2 on: July 27, 2007, 05:35:31 PM »
OK, let's see if we can clean you up.

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ALEXBA~1\LOCALS~1\Temp\winlogon.exe

Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis. 

Then

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have no objections I would like to run a trial analysis programme in tandem with this fix

If that is OK

Please download Runscanner from http://www.runscanner.net/ and unzip the file to your desktop.
Run Runscanner; at the top is a START SCAN button, select that.
On completion, again at the top is an EXPORT RUN FILE button; select that and save the file to your desktop.
Add that file as an attachment to your next post.
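The O4 entry essexboy picks out above, and the two O21 SSODL entries in the same log, can be found mechanically rather than by eye. The Python script below is an added example, not part of this thread and not HijackThis's own logic. It applies a few heuristics to HijackThis log lines: a system-binary name such as winlogon.exe living outside System32, an autorun image sitting in a temporary directory, a ShellServiceObjectDelayLoad object registered by bare DLL name or with its file missing, and a BHO with no backing file. The sample lines are copied from the log posted in Reply #1 (plus two clean entries for contrast); the heuristics themselves are my assumptions, not rules from any tool.

```python
import re
from typing import Dict, List

# Constructed sample: a handful of lines copied from the HijackThis log
# posted in this thread, plus two clean entries for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\ALEXBA~1\LOCALS~1\Temp\winlogon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O21 - SSODL: printers - {209F0A9A-41BE-424A-927C-19F23617D2B3} - msn.dll (file missing)
O21 - SSODL: antivirus - {AE15C697-D049-408F-901E-C2B20ACFFEB0} - firewallav.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""

# Binaries that only belong in %SystemRoot%\System32. The same names are a
# favourite disguise for droppers parked in user-writable directories.
# (Assumed list; extend as needed.)
SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "csrss.exe", "services.exe",
                   "lsass.exe", "svchost.exe"}

# Path fragments that mean "user-writable scratch space"; nothing that is
# meant to start with Windows should live there. (Assumed markers.)
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\locals~1\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<target>.*)$")


def _image_path(cmd: str) -> str:
    """Return the executable part of a Run-key command line."""
    # Drop the "(User 'NAME')" annotation HijackThis appends to HKUS entries.
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else cmd


def _check_run_entry(cmd: str) -> List[str]:
    reasons = []
    lowered = _image_path(cmd).lower()
    base = lowered.rsplit("\\", 1)[-1]
    if base in SYSTEM_BINARIES and "\\system32\\" not in lowered:
        reasons.append(f"system binary name '{base}' outside System32")
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("autorun image lives in a temporary directory")
    return reasons


def _check_ssodl(target: str) -> List[str]:
    reasons = []
    if "\\" not in target.replace(" (file missing)", ""):
        reasons.append("SSODL target given as bare DLL name (resolved via search path)")
    if "(file missing)" in target:
        reasons.append("SSODL target file missing: orphaned or hidden component")
    return reasons


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return every log line that trips a heuristic, with the reason."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if (m := O4_RE.match(line)):
            reasons = _check_run_entry(m["cmd"])
        elif (m := O21_RE.match(line)):
            reasons = _check_ssodl(m["target"])
        elif (m := O2_RE.match(line)) and m["target"].strip() == "(no file)":
            reasons = ["BHO registered with no backing file (orphaned entry)"]
        for reason in reasons:
            findings.append({"line": line, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample, the script flags the winlogon.exe Run entry twice (wrong directory and a Temp path), each SSODL line twice (bare name, file missing) and the nameless BHO once; the avast!, CTFMON and Adobe entries pass. A bare DLL name in SSODL is worth flagging on its own: Explorer resolves it through the DLL search path, so a file "missing" to HijackThis can still be found and loaded from a directory the tool did not check.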

motif80

Re: Win32:Tiny-II [Trj]
« Reply #3 on: July 28, 2007, 01:42:08 PM »
essexboy,

I have done as you said; there was only one file to remove using HijackThis. The logs are attached for the three programs.

thanks for your time.

Offline essexboy

Re: Win32:Tiny-II [Trj]
« Reply #4 on: July 28, 2007, 09:52:47 PM »
Quote
scanning hidden files ...

C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(0.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(11.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(25.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(31.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(35.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(4.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(41.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(53.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(6.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(60.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(67.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(82.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(84.zip 115934 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(98.zip 115932 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(0.zip 121036 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(10.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(22.zip 117966 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(27.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(3.zip 117964 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(30.zip 117966 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(31.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(39.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(4.zip 117964 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(45.zip 117966 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(52.zip 117966 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(54.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(55.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(59.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(61.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(66.zip 117966 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(67.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(70.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(73.zip 117966 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(77.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(92.zip 121038 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(96.zip 117966 bytes hidden from API

scan completed successfully
hidden files: 36
Combofix results

Rerun Runscanner
Locate this line
Quote
060 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
------------------------------------------------------------------------------
C:\WINDOWS\system32\firewallav.dll {AE15C697-D049-408F-901E-C2B20ACFFEB0}
Highlight and press the space bar
Then at the top in red will be *delete this key* select that
Close runscanner

Please download the OTMoveIt http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe by OldTimer.
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\1515622ld.exe
C:\WINDOWS\system32\notiffy.dll
C:\WINDOWS\system32\printers.exe
C:\WINDOWS\system32\msn.dll
C:\WINDOWS\system32\firewallav.dll
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste 


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

On completion of that

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
    Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

motif80

Re: Win32:Tiny-II [Trj]
« Reply #5 on: July 30, 2007, 10:09:05 AM »
OK, the key was deleted by Runscanner.
OTMoveIt annoyingly encountered an error the first time, so I was unable to view the results (graphics went blank); on the second attempt the results were all simply "not found". Presumably OTMoveIt did move those files.

hijackthis log and WinPFind3u log attached.

Did an avast scan as usual last night, it found 3 new wrms/trjs:
Win32:Agent-JDR [trj]
Win32:Agent-JSK [wrm]
Win32:Tibs-BBQ [trj]
Looks like I still have a backdoor entrance.

Offline essexboy

Re: Win32:Tiny-II [Trj]
« Reply #6 on: July 30, 2007, 11:13:48 PM »
Sorry for the delay - working on your logs now

Offline essexboy

Re: Win32:Tiny-II [Trj]
« Reply #7 on: July 30, 2007, 11:27:47 PM »
Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

Quote
[Files/Folders - Created Within 30 days]
NY -> 1A2.tmp -> %SystemDrive%\1A2.tmp
NY -> 1A3.tmp -> %SystemDrive%\1A3.tmp
NY -> 1A5.tmp~ -> %SystemDrive%\1A5.tmp~
NY -> 1A6.tmp -> %SystemDrive%\1A6.tmp
NY -> 1AD.tmp~ -> %SystemDrive%\1AD.tmp~
NY -> 1AF.tmp -> %SystemDrive%\1AF.tmp
NY -> 1B0.tmp -> %SystemDrive%\1B0.tmp
NY -> 1B1.tmp -> %SystemDrive%\1B1.tmp
NY -> 1B5.tmp -> %SystemDrive%\1B5.tmp
NY -> 1B7.tmp -> %SystemDrive%\1B7.tmp
NY -> 1B9.tmp -> %SystemDrive%\1B9.tmp
NY -> 1BA.tmp -> %SystemDrive%\1BA.tmp
NY -> 1BB.tmp -> %SystemDrive%\1BB.tmp
NY -> 1BE.tmp~ -> %SystemDrive%\1BE.tmp~
NY -> 1BF.tmp -> %SystemDrive%\1BF.tmp
NY -> 1C3.tmp -> %SystemDrive%\1C3.tmp
NY -> 1C4.tmp -> %SystemDrive%\1C4.tmp
NY -> 1C8.tmp -> %SystemDrive%\1C8.tmp
NY -> 1C9.tmp -> %SystemDrive%\1C9.tmp
NY -> 1CB.tmp -> %SystemDrive%\1CB.tmp
NY -> 1CC.tmp -> %SystemDrive%\1CC.tmp
NY -> 1CD.tmp -> %SystemDrive%\1CD.tmp
NY -> 1CE.tmp -> %SystemDrive%\1CE.tmp
NY -> 1CF.tmp -> %SystemDrive%\1CF.tmp
NY -> 1D0.tmp -> %SystemDrive%\1D0.tmp
NY -> 1D1.tmp -> %SystemDrive%\1D1.tmp
NY -> 1D2.tmp -> %SystemDrive%\1D2.tmp
NY -> 1D6.tmp -> %SystemDrive%\1D6.tmp
NY -> 1D7.tmp -> %SystemDrive%\1D7.tmp
NY -> 1DA.tmp -> %SystemDrive%\1DA.tmp
NY -> 1DC.tmp -> %SystemDrive%\1DC.tmp
NY -> 1DE.tmp~ -> %SystemDrive%\1DE.tmp~
NY -> 1DF.tmp -> %SystemDrive%\1DF.tmp
NY -> 1E1.tmp~ -> %SystemDrive%\1E1.tmp~
NY -> 1E2.tmp -> %SystemDrive%\1E2.tmp
NY -> 1E4.tmp~ -> %SystemDrive%\1E4.tmp~
NY -> 1E5.tmp -> %SystemDrive%\1E5.tmp
NY -> 1E9.tmp -> %SystemDrive%\1E9.tmp
NY -> 1EA.tmp -> %SystemDrive%\1EA.tmp
NY -> album16.zip -> %SystemRoot%\album16.zip
NY -> album17.zip -> %SystemRoot%\album17.zip
NY -> album18.zip -> %SystemRoot%\album18.zip
NY -> album25.zip -> %SystemRoot%\album25.zip
NY -> album29.zip -> %SystemRoot%\album29.zip
NY -> album32.zip -> %SystemRoot%\album32.zip
NY -> album35.zip -> %SystemRoot%\album35.zip
NY -> album40.zip -> %SystemRoot%\album40.zip
NY -> album42.zip -> %SystemRoot%\album42.zip
NY -> album5.zip -> %SystemRoot%\album5.zip
NY -> album58.zip -> %SystemRoot%\album58.zip
NY -> album6.zip -> %SystemRoot%\album6.zip
NY -> album61.zip -> %SystemRoot%\album61.zip
NY -> album68.zip -> %SystemRoot%\album68.zip
NY -> album69.zip -> %SystemRoot%\album69.zip
NY -> album71.zip -> %SystemRoot%\album71.zip
NY -> album74.zip -> %SystemRoot%\album74.zip
NY -> album76.zip -> %SystemRoot%\album76.zip
NY -> album77.zip -> %SystemRoot%\album77.zip
NY -> album78.zip -> %SystemRoot%\album78.zip
NY -> album86.zip -> %SystemRoot%\album86.zip
NY -> album88.zip -> %SystemRoot%\album88.zip
NY -> album89.zip -> %SystemRoot%\album89.zip
NY -> images01.zip -> %SystemRoot%\images01.zip
NY -> images013.zip -> %SystemRoot%\images013.zip
NY -> images017.zip -> %SystemRoot%\images017.zip
NY -> images018.zip -> %SystemRoot%\images018.zip
NY -> images019.zip -> %SystemRoot%\images019.zip
NY -> images021.zip -> %SystemRoot%\images021.zip
NY -> images028.zip -> %SystemRoot%\images028.zip
NY -> images029.zip -> %SystemRoot%\images029.zip
NY -> images034.zip -> %SystemRoot%\images034.zip
NY -> images035.zip -> %SystemRoot%\images035.zip
NY -> images054.zip -> %SystemRoot%\images054.zip
NY -> images055.zip -> %SystemRoot%\images055.zip
NY -> images072.zip -> %SystemRoot%\images072.zip
NY -> images074.zip -> %SystemRoot%\images074.zip
NY -> images076.zip -> %SystemRoot%\images076.zip
NY -> images08.zip -> %SystemRoot%\images08.zip
NY -> images082.zip -> %SystemRoot%\images082.zip
NY -> images085.zip -> %SystemRoot%\images085.zip
NY -> images088.zip -> %SystemRoot%\images088.zip
NY -> images09.zip -> %SystemRoot%\images09.zip
NY -> images095.zip -> %SystemRoot%\images095.zip
NY -> photo10.zip -> %SystemRoot%\photo10.zip
NY -> photo13.zip -> %SystemRoot%\photo13.zip
NY -> photo17.zip -> %SystemRoot%\photo17.zip
NY -> photo2.zip -> %SystemRoot%\photo2.zip
NY -> photo27.zip -> %SystemRoot%\photo27.zip
NY -> photo31.zip -> %SystemRoot%\photo31.zip
NY -> photo36.zip -> %SystemRoot%\photo36.zip
NY -> photo40.zip -> %SystemRoot%\photo40.zip
NY -> photo48.zip -> %SystemRoot%\photo48.zip
NY -> photo68.zip -> %SystemRoot%\photo68.zip
NY -> photo70.zip -> %SystemRoot%\photo70.zip
NY -> photo78.zip -> %SystemRoot%\photo78.zip
NY -> photo82.zip -> %SystemRoot%\photo82.zip
NY -> photo83.zip -> %SystemRoot%\photo83.zip
NY -> photo85.zip -> %SystemRoot%\photo85.zip
NY -> photo92.zip -> %SystemRoot%\photo92.zip
NY -> photo94.zip -> %SystemRoot%\photo94.zip
NY -> photo97.zip -> %SystemRoot%\photo97.zip
NY -> photos01.zip -> %SystemRoot%\photos01.zip
NY -> photos013.zip -> %SystemRoot%\photos013.zip
NY -> photos014.zip -> %SystemRoot%\photos014.zip
NY -> photos020.zip -> %SystemRoot%\photos020.zip
NY -> photos025.zip -> %SystemRoot%\photos025.zip
NY -> photos029.zip -> %SystemRoot%\photos029.zip
NY -> photos031.zip -> %SystemRoot%\photos031.zip
NY -> photos034.zip -> %SystemRoot%\photos034.zip
NY -> photos035.zip -> %SystemRoot%\photos035.zip
NY -> photos048.zip -> %SystemRoot%\photos048.zip
NY -> photos05.zip -> %SystemRoot%\photos05.zip
NY -> photos057.zip -> %SystemRoot%\photos057.zip
NY -> photos058.zip -> %SystemRoot%\photos058.zip
NY -> photos064.zip -> %SystemRoot%\photos064.zip
NY -> photos066.zip -> %SystemRoot%\photos066.zip
NY -> photos070.zip -> %SystemRoot%\photos070.zip
NY -> photos071.zip -> %SystemRoot%\photos071.zip
NY -> photos076.zip -> %SystemRoot%\photos076.zip
NY -> photos079.zip -> %SystemRoot%\photos079.zip
NY -> photos080.zip -> %SystemRoot%\photos080.zip
NY -> photos081.zip -> %SystemRoot%\photos081.zip
NY -> photos086.zip -> %SystemRoot%\photos086.zip
NY -> photos088.zip -> %SystemRoot%\photos088.zip
NY -> picture21.zip -> %SystemRoot%\picture21.zip
NY -> picture37.zip -> %SystemRoot%\picture37.zip
NY -> picture49.zip -> %SystemRoot%\picture49.zip
NY -> picture53.zip -> %SystemRoot%\picture53.zip
NY -> picture56.zip -> %SystemRoot%\picture56.zip
NY -> picture66.zip -> %SystemRoot%\picture66.zip
NY -> picture77.zip -> %SystemRoot%\picture77.zip
NY -> picture80.zip -> %SystemRoot%\picture80.zip
NY -> picture83.zip -> %SystemRoot%\picture83.zip
NY -> picture85.zip -> %SystemRoot%\picture85.zip
NY -> picture9.zip -> %SystemRoot%\picture9.zip
NY -> picture90.zip -> %SystemRoot%\picture90.zip
NY -> picture93.zip -> %SystemRoot%\picture93.zip
NY -> pictures016.zip -> %SystemRoot%\pictures016.zip
NY -> pictures020.zip -> %SystemRoot%\pictures020.zip
NY -> pictures022.zip -> %SystemRoot%\pictures022.zip
NY -> pictures030.zip -> %SystemRoot%\pictures030.zip
NY -> pictures036.zip -> %SystemRoot%\pictures036.zip
NY -> pictures037.zip -> %SystemRoot%\pictures037.zip
NY -> pictures039.zip -> %SystemRoot%\pictures039.zip
NY -> pictures043.zip -> %SystemRoot%\pictures043.zip
NY -> pictures049.zip -> %SystemRoot%\pictures049.zip
NY -> pictures057.zip -> %SystemRoot%\pictures057.zip
NY -> pictures058.zip -> %SystemRoot%\pictures058.zip
NY -> pictures064.zip -> %SystemRoot%\pictures064.zip
NY -> pictures068.zip -> %SystemRoot%\pictures068.zip
NY -> pictures069.zip -> %SystemRoot%\pictures069.zip
NY -> pictures071.zip -> %SystemRoot%\pictures071.zip
NY -> pictures072.zip -> %SystemRoot%\pictures072.zip
NY -> pictures073.zip -> %SystemRoot%\pictures073.zip
NY -> pictures079.zip -> %SystemRoot%\pictures079.zip
NY -> pictures086.zip -> %SystemRoot%\pictures086.zip
NY -> pictures092.zip -> %SystemRoot%\pictures092.zip
NY -> pictures098.zip -> %SystemRoot%\pictures098.zip
NY -> DefLib.sys -> %System32%\DefLib.sys

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
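The ComboFix "hidden from API" list in Reply #4 and the WinPFind3u created-files list above are two views of the same activity: a mass-mailer stamping out numbered copies of its attachment lures directly in C:\WINDOWS, with only a few distinct sizes behind dozens of names. The Python script below is an added example, not output of either tool and not part of the thread. It parses both formats, expands the %SystemRoot%, %SystemDrive% and %System32% placeholders under an assumed default Windows XP layout, and groups the numbered .zip files by lure stem, listing the full paths and the distinct sizes seen. The sample lines are copied from the reports quoted in this thread; the placeholder expansions and the "stem + counter + .zip" naming assumption are mine.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed samples: a few lines of each format, copied from the ComboFix
# hidden-file report and the WinPFind3u fix list quoted in this thread.
COMBOFIX_SAMPLE = r"""
scanning hidden files ...

C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(0.zip 117982 bytes hidden from API
C:\WINDOWS\Look how wasted Paris Hilton is, after she got jailed :(25.zip 115934 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(0.zip 121036 bytes hidden from API
C:\WINDOWS\bak sana  Paris Hilton ne hale gelmis hapiste :(22.zip 117966 bytes hidden from API

scan completed successfully
hidden files: 4
"""

WINPFIND_SAMPLE = r"""
[Files/Folders - Created Within 30 days]
NY -> 1A2.tmp -> %SystemDrive%\1A2.tmp
NY -> album16.zip -> %SystemRoot%\album16.zip
NY -> album5.zip -> %SystemRoot%\album5.zip
NY -> photos013.zip -> %SystemRoot%\photos013.zip
NY -> pictures016.zip -> %SystemRoot%\pictures016.zip
NY -> DefLib.sys -> %System32%\DefLib.sys
"""

# Assumed expansions for the placeholders WinPFind3u writes; the real
# values come from the scanned machine (default XP layout assumed here).
ENV = {
    "%SystemRoot%": r"C:\WINDOWS",
    "%System32%": r"C:\WINDOWS\system32",
    "%SystemDrive%": "C:",
}

COMBOFIX_RE = re.compile(r"^(?P<path>.+?) (?P<size>\d+) bytes hidden from API$")
WINPFIND_RE = re.compile(r"^NY -> (?P<name>.+?) -> (?P<path>.+)$")
# "<lure text><counter>.zip": the mailer stamps a counter on each copy (assumption).
LURE_RE = re.compile(r"^(?P<stem>.*?)\d+\.zip$", re.IGNORECASE)


def expand(path: str) -> str:
    """Replace the tool's placeholders with the assumed concrete directories."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return path


def collect(text: str) -> List[Tuple[str, Optional[int]]]:
    """Return (path, size) for every file line; size is None for WinPFind lines."""
    found: List[Tuple[str, Optional[int]]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := COMBOFIX_RE.match(line)):
            found.append((expand(m["path"]), int(m["size"])))
        elif (m := WINPFIND_RE.match(line)):
            found.append((expand(m["path"]), None))
    return found


def summarize(reports: List[str]) -> Dict[str, dict]:
    """Group numbered .zip files sitting directly in the Windows directory by lure stem."""
    groups: Dict[str, dict] = defaultdict(
        lambda: {"count": 0, "sizes": set(), "paths": []})
    for text in reports:
        for path, size in collect(text):
            folder, _, name = path.rpartition("\\")
            if folder.lower() != ENV["%SystemRoot%"].lower():
                continue  # only the lures dropped straight into C:\WINDOWS
            m = LURE_RE.match(name)
            if not m:
                continue  # .tmp, .sys and unnumbered files are out of scope here
            g = groups[m["stem"]]
            g["count"] += 1
            g["paths"].append(path)
            if size is not None:
                g["sizes"].add(size)
    return {stem: {"count": g["count"], "sizes": sorted(g["sizes"]), "paths": g["paths"]}
            for stem, g in groups.items()}


if __name__ == "__main__":
    for stem, info in summarize([COMBOFIX_SAMPLE, WINPFIND_SAMPLE]).items():
        print(f"{info['count']:3d} x {stem!r}  sizes={info['sizes']}")
        for p in info["paths"]:
            print(f"      {p}")
```

On the full ComboFix output above the same grouping collapses 36 file names into two lure stems with three or four distinct sizes each, which is what you would expect from a few pre-built attachments being copied under fresh names rather than from files that are individually meaningful. The per-stem path lists are also the form a move/delete tool wants, since the full name, counter and extension are preserved for each copy.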

Offline essexboy

Re: Win32:Tiny-II [Trj]
« Reply #8 on: July 30, 2007, 11:28:56 PM »
That was probably three quarters of the fix; if you could post a new WinPFind log on completion. My post was too large for the forum.

motif80

Re: Win32:Tiny-II [Trj]
« Reply #9 on: August 02, 2007, 02:55:13 PM »
Sorry for the delay in the reply, I haven't been able to get onto the net for the past few days. In the meantime I decided to reboot my PC; I seemed to be getting more and more problems, but everything is fine now. Thanks for all your help anyway, you guys do a great service.

Offline essexboy

Re: Win32:Tiny-II [Trj]
« Reply #10 on: August 02, 2007, 07:46:08 PM »
No problems we are here to help  ;D

OZKOM

  • Guest
Win32:Tiny-II [Trj]
« Reply #11 on: January 06, 2008, 09:33:20 PM »
Please help.
I can't remove this malware Win32:Tiny-II [trj] from my PC. Can you help me? I have read what you told motif80, and I have downloaded all the programs that you listed for motif80 and followed the steps that you described, and I still have a problem with Win32:Tiny-II [trj].
What shall I do? Please help.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33904
  • malware fighter
Re: Win32:Tiny-II [Trj]
« Reply #12 on: January 06, 2008, 10:04:02 PM »
Hi OZKOM,

I will start another thread in this forum section: "OZKOM's Win32:Tiny-II [trj] problem", and you put a HijackThis logfile there in the following posting. Download HijackThis from here:
http://www.spychecker.com/download/download_hijackthis.html
If the logfile.txt does not fit in one post, use several posts or attach it as a logfile.txt attachment.


polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!