Author Topic: Help! Win32: Trojan gen {other} repeatedly attacks computer.  (Read 48434 times)

CharleyO

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #30 on: May 06, 2009, 08:37:25 PM »
***

This one can be fixed since you no longer use the service:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.skybroadband.com/

Entries like the one below are almost always bad and are often caused by malware of some type, but there are exceptions. This one is not an exception.

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local,
http://www.spyandseek.com/Search.php?search=Search&search_for=proxyoverride   (21st entry in the list)


***

micky77

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #31 on: May 06, 2009, 08:56:54 PM »
Thanks very much CharleyO, I saw that web page last night. I thought of leaving that entry till later; if the poster is not being redirected, and security programs update, it's best to leave it for now. If it's fixed and it interferes with the internet connection it could always be restored. Thanks again, I really appreciate it :)

Offline Omid Farhang

  • Frontend Developer
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1660
  • I wish I could write longer personal text!!
    • Homepage
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #32 on: May 06, 2009, 09:02:22 PM »
Hi, Katm!
I know it's a bit late to answer this question, and what I say is a repeat of what our experts have already told and asked you!!

Usually, scanning and removing viruses and malware from inside Windows is not successful, because the malware doesn't allow the AV and antispyware to close and then remove it. That is why I myself prefer to use a live antivirus disc such as Avira Rescue System or Dr.Web LiveCD. These tools allow you to boot your computer without booting from Windows and remove all viruses and spyware easily, with no locked files because no virus is running!

The Avira AntiVir Rescue System is a Linux-based application that allows access to computers that cannot be booted anymore. Thus it is possible to repair a damaged system, to rescue data or to scan the system for virus infections. Just double-click on the rescue system package to burn it to a CD/DVD. You can then use this CD/DVD to boot your computer. The Avira AntiVir Rescue System is updated several times a day so that the most recent security updates are always available. You can download it from here. You can learn how to use it from here.
After burning it to disc, use it to boot your computer, do a full scan and remove anything that it finds.

After using Avira Rescue System, you can go back into Windows by booting in normal mode.

Download, install and update these programs:

Malwarebytes Antimalware: http://www.malwarebytes.org/mbam.php
SUPERAntiSpyware: http://www.superantispyware.com/
SpyBot S&D: http://www.spybot.info/

Scan your computer using them, and also try to immunize your Windows using SpyBot S&D. During installation of SpyBot S&D, disable all residents.

I think the pro version of SUPERAntiSpyware would give you some tools to repair some critical parts of your Windows.

Katm! There is an easy way to post your HijackThis log!! After scanning with HijackThis you can save a log file; because it opens itself in Notepad, save this log to your hard drive. Then, when you are writing a reply here, click on "Additional Options", next to Attach click on Browse, then find and select that log file. It should be a much easier way to post a full log file here.

Good Luck! I wish you a virus-free life ;) ;D
Twitter: OmidFarhangEn - OS: Manjaro KDE

Katm

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #33 on: May 06, 2009, 09:12:36 PM »
Thanks to you all for all your help and suggestions!!! Really appreciate there are good people like you who try and help out those who clearly aren't entirely sure what they're doing with their computers! ;)

I'll certainly try the Avira Rescue out... Though I'm a bit concerned I will struggle finding a 'clean PC' to download it from (will a laptop be usable or does it have to be a PC?). After the problems with mine I'm concerned even the most innocent of my friends' PCs could still be riddled with trouble!

I'm pleased to have made some progress and have noticed a visible improvement already in performance. I've also bought a portable hard drive now so I'll back up all my files and remove most of the media-type files from this machine.

One thing... every time Windows opens I receive 2 popup program windows which look a little like a DOS interface. I think it's from a program called ssdiag... don't think it's malicious as it looks like some sort of diagnostic, but is there a way to disable this in startup?

Katm

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #34 on: May 06, 2009, 09:13:48 PM »
And just for those interested... here is my SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/05/2009 at 08:20 PM

Application Version : 4.26.1002

Core Rules Database Version : 3877
Trace Rules Database Version: 1825

Scan type       : Complete Scan
Total Scan Time : 00:51:40

Memory items scanned      : 480
Memory threats detected   : 0
Registry items scanned    : 5385
Registry threats detected : 1
File items scanned        : 21470
File threats detected     : 13

Adware.Tracking Cookie
   C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
   C:\Documents and Settings\Owner\Cookies\owner@smartadserver[1].txt
   .2o7.net [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]
   .adopt.euroclick.com [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]
   .adopt.euroclick.com [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]
   .adopt.euroclick.com [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]
   .adopt.euroclick.com [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]
   .doubleclick.net [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]
   .atdmt.com [ C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\i4dlyr18.default\cookies.txt ]

Trojan.Dropper/Win-NV
   HKLM\Software\Microsoft\Windows\CurrentVersion\Run#sysldtray [ C:\windows\ld08.exe ]

Trojan.Unclassified-Packed/Suspicious
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{C844BBB3-B8E5-49B9-BAFC-D631F57E49CF}\RP595\A0085923.DLL

Trojan.Downloader-Gen
   C:\WINDOWS\SYSTEM32\TWEXT.EXE

Worm.Petch
   C:\WINDOWS\SYSTEM32\USERINIT32.EXE

Trojan.Agent/Gen-WPV
   C:\WINDOWS\TEMP\WPV961241031044.EXE

Offline Omid Farhang

Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #35 on: May 06, 2009, 09:19:59 PM »
Well, I've seen you have many infected files in different TEMP folders (such as Windows Temp, Temp in the local directory, browser cache and so on).
So I think it's not a bad idea to try to clean up ALL of them; you can do it using CCleaner. http://www.ccleaner.com/download/downloading
And here is some other advice that you can follow, after making sure your computer is clean, to improve performance.

After a long time using your computer, or when you install and uninstall many programs, or even sometimes after removing some malware from your computer, these things can slow down your computer a bit. There are some usual steps that can help you:

Defragment Hard Drive: you can use "Auslogics Disk Defrag"; it's freeware and you can get it from here

Clean-up Hard Drive: emptying temp folders periodically can be useful; there is a program called CCleaner that can do it for you easily and it's freeware, you can get it from here

Clean-up Registry: "Auslogics Registry Cleaner" would remove invalid keys and those that are not needed, safely and without any risk. It would fix many problems and of course make your Windows a little faster. Get it from here

Defragment Registry: Keeping the registry as compact as possible means better computer performance. As a result, the Registry becomes compact and small, greatly improving your computer performance. "Auslogics Registry Defrag" can do it for you; you can use it as a long-term free trial without any problem, get it from here
« Last Edit: May 06, 2009, 09:24:36 PM by Omid Farhang »

Offline Omid Farhang

Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #36 on: May 06, 2009, 09:30:07 PM »
I'll certainly try the Avira Rescue out... Though I'm a bit concerned I will struggle finding a 'clean PC' to download it from (will a laptop be usable or does it have to be a PC?). After the problems with mine I'm concerned even the most innocent of my friends' PCs could still be riddled with trouble!

Don't worry, no matter whether it's a laptop or a PC, you just need to download the file and burn it to disc. Even if you have a Mac or Linux, you can still download it and burn it to disc, but on Mac or Linux you would need to download the "image" file and burn it using the software that Mac or Linux itself has.

Download the executable (.exe) from here.
Download the image file (.iso) from here.

micky77

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #37 on: May 06, 2009, 09:47:53 PM »
Really good to see your SAS log, I was wondering what happened to TWEXT.EXE and ld08.exe. This is why it's important to post the logs. Do you have an MBAM one?
As for ssdiag, it seems to be from Sonic Digital Media. You can look into that later. You seem to have cleaned lots of malware so far. I am still worried about the 2 entries I asked you to fix

C:\WINDOWS\system32\SYS32DLL.exe

O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL
which may still be active.

Omid, I already posted a download link; the ISO download has to be burnt as an image, using Nero etc. Copying the ISO straight to disc will not work.

You could try downloading from the bad PC (not recommended).

Another alternative for tonight is to try a couple of online scans (if you're not blocked), or tomorrow you could try ComboFix:

http://housecall.trendmicro.com/uk/

http://www.eset.com/onlinescan/
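The two kinds of HijackThis line discussed in this thread, CharleyO's R1 ProxyOverride entry earlier and micky77's O4 Run entry for SYS32DLL just above, can be pulled apart mechanically. The Python script below is an added example; it is not part of the forum page and is not HijackThis's own code. Its rules for what deserves a second look (a proxy bypass list other than the default, an autostart with a bare program name, or one living in the Windows root, Temp or a user profile) are this example's own assumptions, and the sample log is constructed from lines quoted in the thread plus two ordinary entries for contrast.

```python
"""Triage of HijackThis-style R1 and O4 log lines.

Added example for this thread; it is not part of the page and is not
HijackThis's own code. The verdict rules are this example's assumptions
about what a log reviewer checks, not HJT's logic.
"""
import re
from dataclasses import dataclass

# Constructed sample log: entries quoted in the thread plus a default
# ProxyOverride value and an AV tray entry for contrast.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Connection Wizard,ShellNext = http://www.skybroadband.com/
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = *.local,
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = <local>
O4 - HKCU\\..\\Run: [SYS32DLL] SYS32DLL
O4 - HKLM\\..\\Run: [sysldtray] C:\\windows\\ld08.exe
O4 - HKLM\\..\\Run: [avast!] "C:\\Program Files\\Alwil Software\\Avast4\\ashDisp.exe"
"""

R1_RE = re.compile(r"^R1 - (?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<name>\w+) = (?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<data>.*)$")


@dataclass
class Entry:
    section: str   # "R1" (IE start page / proxy values) or "O4" (autostart)
    hive: str      # HKCU or HKLM
    key: str
    name: str      # value name (R1) or autostart entry name (O4)
    data: str      # value data (R1) or the command line (O4)


def parse_line(line: str):
    """Return an Entry for an R1 or O4 line, None for any other line."""
    for section, rx in (("R1", R1_RE), ("O4", O4_RE)):
        m = rx.match(line.strip())
        if m:
            return Entry(section, **m.groupdict())
    return None


def executable_of(cmd: str) -> str:
    """Pull the program path out of an autostart command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]   # no .exe: first token, e.g. SYS32DLL


def triage(entry: Entry) -> str:
    """Verdict for one entry: 'ok', 'INFO: ...' or 'REVIEW: ...'."""
    if entry.section == "R1":
        if entry.name == "ProxyOverride":
            bypass = entry.data.strip().rstrip(",").strip()
            # IE's default bypass list is empty or "<local>"; anything else
            # has been set by something and should be looked at.
            return "ok" if bypass in ("", "<local>") else f"REVIEW: proxy bypass list set to {bypass!r}"
        if entry.name == "ShellNext":
            return "INFO: leftover connection-wizard URL"
        return "INFO"
    exe = executable_of(entry.data)
    if "\\" not in exe:
        # A bare name is located through the standard search path at logon,
        # so a file dropped into system32 can be started without a path.
        return "REVIEW: bare executable name, resolved via search path"
    folder = exe.lower().rsplit("\\", 1)[0]
    if folder == "c:\\windows" or "\\temp" in folder or "documents and settings" in folder:
        return "REVIEW: autostart from Windows root, Temp or a user profile"
    return "ok"


def triage_log(text: str):
    """Map each parsed R1/O4 line to (label, verdict); other lines are skipped."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e:
            out.append((f"{e.section} {e.name}", triage(e)))
    return out


if __name__ == "__main__":
    for label, verdict in triage_log(SAMPLE_LOG):
        print(f"{label:<20} {verdict}")
```

Running it prints one verdict per line: the quoted ProxyOverride value and both quoted Run entries come back as REVIEW, while the default `<local>` bypass and the AV tray entry come back as ok. The bare-name rule matters because Windows looks a bare program name up through its normal search path when the Run value fires, which is exactly how SYS32DLL can sit in system32 without the log ever showing a full path.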

Offline Omid Farhang

Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #38 on: May 06, 2009, 09:54:14 PM »
Omid, I already posted a download link; the ISO download has to be burnt as an image, using Nero etc. Copying the ISO straight to disc will not work.
I'm sorry micky77, I saw your link, and that's why I mentioned that I'm repeating what the experts said before me. I just added the .iso file link for downloading on Linux/Mac or on an infected computer; usually working with an .iso file on an infected computer is safer than an .exe :)

micky77, I respect all your advice and I never want to disturb your progress. I'm sorry if I doubled your post.
« Last Edit: May 06, 2009, 10:14:13 PM by Omid Farhang »

micky77

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #39 on: May 06, 2009, 10:12:21 PM »
Omid, please do not apologise, I am VERY grateful for your help. You are like me, easily offended. If I knew what I was talking about, I would tell you to clear off ;D ;D


Offline Omid Farhang

Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #40 on: May 06, 2009, 10:20:45 PM »
Omid, please do not apologise, I am VERY grateful for your help. You are like me, easily offended. If I knew what I was talking about, I would tell you to clear off ;D ;D

;)  :-*  ;D

Katm

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #41 on: May 06, 2009, 11:40:38 PM »
I didn't do a scan with MBAM... just SUPERAntiSpyware... should I do one now with MBAM?

I got rid of O4 - HKCU\..\Run: [SYS32DLL] SYS32DLL with HJT

I'm not sure how to remove C:\WINDOWS\system32\SYS32DLL.exe... is it just a matter of finding the file and deleting it? I noticed I couldn't fix anything on the C:\ drive with HJT

I have CCleaner so will purge my system and then defrag to clean up a bit :)
« Last Edit: May 06, 2009, 11:54:11 PM by Katm »

Offline Omid Farhang

Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #42 on: May 07, 2009, 01:19:29 AM »
I didn't do a scan with MBAM... just SUPERAntiSpyware... should I do one now with MBAM?
...
I'm not sure how to remove C:\WINDOWS\system32\SYS32DLL.exe

Yes, it's highly recommended to scan using MBAM too; it's so much better than SUPERAntiSpyware.

Also, if you cannot delete SYS32DLL.exe manually, get help from MBAM to remove it: in MBAM go to the "More Tools" tab, choose FileASSASSIN, choose SYS32DLL.exe and reboot your computer.

After all that, use the registry cleaner that I told you about in my last post to remove the registry keys related to the removed files. :)

Tell me about the result, and whether you could get rid of these or not. I hope you could! ;)

Katm

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #43 on: May 07, 2009, 12:41:57 PM »
Ran an MBAM scan and it found 10 infected items :-\

Malwarebytes' Anti-Malware 1.36
Database version: 2086
Windows 5.1.2600 Service Pack 3

07/05/2009 11:35:24
mbam-log-2009-05-07 (11-35-24).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153766
Time elapsed: 1 hour(s), 59 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c3221010-0ad7-4c09-b17b-edcffda4b7f9} (Trojan.Banker) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c3221010-0ad7-4c09-b17b-edcffda4b7f9} (Trojan.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\mac32 (Stolen.Data) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\SYS32DLL.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mac32\cbt.lc (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mac32\cc.lc (Stolen.Data) -> Quarantined and deleted successfully.
C:\WINDOWS\t55ft2692f44.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
C:\WINDOWS\9g2234wesdf3dfgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.



Interestingly... whilst that scan was running Avast popped up with 1 virus warning (the SYS32DLL one) and also a rootkit problem, both of which I elected to move to the chest... Does that mean that these are fresh viruses, or is it just now that they've been found and they were there all along? I can't understand where these new viruses would be coming from! :-\

micky77

  • Guest
Re: Help! Win32: Trojan gen {other} repeatedly attacks computer.
« Reply #44 on: May 07, 2009, 05:14:46 PM »
Ok, firstly I apologise, I wrongly assumed you had run MBAM; I should have insisted on seeing the log earlier. As for what it found, most of it is related to what was already there. SAS removed a registry entry for ld08.exe, but not the file, which is related to SYS32DLL.exe.
I think, and I hope, you are nearly there. All the problems that were there at the beginning have hopefully been removed.
I'm not sure what C:\WINDOWS\system32\mac32, found by MBAM, is. Google shows little; it may even be a false alarm.
As for Avast reporting a rootkit, I think this unlikely. Avast has a habit of calling lots of things rootkits. On the SDFix scan, GMER scanned for rootkits and found nothing.

So what I would like you to do now is, first post a HJT log.

Then I would turn off System Restore first. Unfortunately this will remove all restore points, but it's possible malware may be in those points.
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.

Then run MBAM and SAS again. Your first scans were quite lengthy, probably due to the malware, so this time just choose the option 'Quick Scan'. If anything is found, please post the logs.
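micky77's observation above, that SAS removed the Run entry pointing at ld08.exe while the file itself only appears in the MBAM log, is the kind of gap that is easy to miss when reading two logs by eye. The Python below is an added example; it is not part of the page and is not code from SUPERAntiSpyware or Malwarebytes. It parses the two log shapes quoted in this thread (the embedded excerpts are constructed from Katm's logs), records which files each scanner reported, and lists any file that a removed autostart pointed at but that neither log accounts for. It also picks out hits under System Volume Information\_RESTORE{...}, the restore-point copies that the System Restore step above is meant to discard. The field names and the "deleted" check on MBAM's action text are this example's own assumptions.

```python
"""Cross-check a SUPERAntiSpyware log against a Malwarebytes log.

Added example for this thread; not part of the page and not vendor code.
It handles only the line shapes seen in the logs quoted in the thread,
and the excerpts below are constructed from those logs.
"""
import re
from collections import defaultdict

SAS_LOG = """\
Trojan.Dropper/Win-NV
   HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run#sysldtray [ C:\\windows\\ld08.exe ]

Trojan.Unclassified-Packed/Suspicious
   C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{C844BBB3-B8E5-49B9-BAFC-D631F57E49CF}\\RP595\\A0085923.DLL

Trojan.Downloader-Gen
   C:\\WINDOWS\\SYSTEM32\\TWEXT.EXE
"""

MBAM_LOG = """\
Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Network\\UID (Malware.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\SYS32DLL.exe (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\\WINDOWS\\ld08.exe (Worm.Koobface) -> Quarantined and deleted successfully.
"""

PATH_RE = re.compile(r"^[a-z]:\\", re.I)
RESTORE_RE = re.compile(r"\\system volume information\\_restore\{", re.I)
# SAS: indented item, optionally followed by " [ data ]" for a registry value.
SAS_ITEM_RE = re.compile(r"^\s+(?P<item>.+?)(?: \[ (?P<target>.+?) \])?\s*$")
# MBAM: "<item> (<family>) -> <action>"
MBAM_ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^)]+)\) -> (?P<action>.+)$")


def parse_sas(text):
    """Yield (family, item, target). Unindented lines name a detection
    family; the indented lines under it are its items."""
    family = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            family = line.strip()
            continue
        m = SAS_ITEM_RE.match(line)
        yield family, m["item"], m["target"]


def parse_mbam(text):
    """Yield (family, item, action) for every detection line."""
    for line in text.splitlines():
        m = MBAM_ITEM_RE.match(line.strip())
        if m:
            yield m["family"], m["item"], m["action"]


def correlate(sas_text, mbam_text):
    """Return (autostarts, restore_copies).

    autostarts maps each file that a removed registry autostart pointed at
    (lower-cased) to the scanner that reported the registry entry and the
    scanners that reported the file itself. restore_copies lists file hits
    inside System Restore points."""
    file_hits = defaultdict(set)
    autostarts = {}
    for _, item, target in parse_sas(sas_text):
        if target and PATH_RE.match(target):
            autostarts[target.lower()] = {"entry": item, "entry_hit_by": "SAS", "file_hit_by": []}
        elif PATH_RE.match(item):
            file_hits[item.lower()].add("SAS")
    for _, item, action in parse_mbam(mbam_text):
        if PATH_RE.match(item) and "deleted" in action:
            file_hits[item.lower()].add("MBAM")
    for path, info in autostarts.items():
        info["file_hit_by"] = sorted(file_hits.get(path, ()))
    restore_copies = sorted(p for p in file_hits if RESTORE_RE.search(p))
    return autostarts, restore_copies


def unaccounted(autostarts):
    """Files an autostart pointed at that no scanner reports touching."""
    return sorted(p for p, info in autostarts.items() if not info["file_hit_by"])


if __name__ == "__main__":
    auto, restore = correlate(SAS_LOG, MBAM_LOG)
    for path, info in auto.items():
        print(f"{path}: entry by {info['entry_hit_by']}, file by {info['file_hit_by'] or 'nobody'}")
    print("still unaccounted for:", unaccounted(auto))
    print("inside restore points:", restore)
```

With both logs, ld08.exe is accounted for (registry entry by SAS, file by MBAM) and the only oddity reported is the copy inside RP595. Run `correlate(SAS_LOG, "")`, that is, with only the SAS log available as it was at the time of Reply #34, and ld08.exe comes back from `unaccounted`, which is the state micky77 is describing.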