Author Topic: trojano-169[Trj]  (Read 9737 times)


nabil

  • Guest
trojano-169[Trj]
« on: August 24, 2004, 07:15:21 PM »
I have been infected by trojano-169[Trj].
I have moved it to the recycle bin but it refuses to be emptied from the recycle bin.

Please help

Nabil

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re:trojano-169[Trj]
« Reply #1 on: August 24, 2004, 07:17:29 PM »
Click on the link in my signature and follow the steps on that page. Take your time to read and do it. If you still have problems after that, let us know.
« Last Edit: August 24, 2004, 07:18:24 PM by Eddy »

Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #2 on: August 25, 2004, 11:05:01 AM »
Eddy, thank you for the link.  :)

Me too, I have had this trojan 'Win32:Trojano-169 [Trj]' (on another PC in my LAN) for many days.
I think it is related to 'Win32:Dialui-B [Trj]' that has installed itself in 'C:\pafefile.sys'. At boot Avast also detected the latter and asked me about the action, I chose 'Repair' (it failed) then 'Ignore' because it is a Windows file!
By the way, I turned off the XP 'Restore', because I found it also in restore directory.

I run and update in each of my 3 PCs:

Avast! 4 Pro.
SpyBot S&D
SpywareBlaster

I already downloaded Hijackthis v1.98.2

Please feel free to ask me for any information to help me remove safely the two trojans:
Win32:Trojano-169 [Trj]   and   Win32:Dialui-B [Trj]   ???

Finally here are the lines from aswBoot.txt:

(1)
File C:\System Volume Information\_restore{5B2E10D1-6A99-4CD9-82F4-B49F4ABB53E5}\RP59\A0005469.exe is infected by Win32:Trojano-169 [Trj] - Moved   (then deleted)

(2)
File C:\Documents and Settings\A.K\Local Settings\Temporary Internet Files\Content.IE5\MVV45EBU\mfmedia[1].exe is infected by Win32:Trojano-169 [Trj] - Deleted

(3)
File C:\WINDOWS\system32\mfmedia.exe is infected by Win32:Trojan-gen. {VC} - Deleted

(4)
File C:\pagefile.sys is infected by Win32:Dialui-B [Trj] - Repair: Error 42060

Have a nice day.

Kerim


whocares

  • Guest
Re:trojano-169[Trj]
« Reply #3 on: August 25, 2004, 11:11:19 AM »
Hi,

just disable system restore, reboot your PC to safeMode, and then do a full thorough scan with archive scanning enabled..
report results here..

Also post the log of hijackthis, please

P.S.: Have you any resident tasks of Spybot or Ad-Aware enabled ?
or were you scanning with them and AVAST simultaneously, when the alert in pagefile.sys appeared ?


Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #4 on: August 25, 2004, 11:46:43 AM »
Hi whocares (though you do ;) )

In my above post, 'C:\pafefile.sys' should be 'C:\pagefile.sys'... sorry

'System restore' is already disabled.
Full scan in safe mode?! It seems Avast cannot open C:\pagefile.sys in safe or normal, it reports "path not found"!
Only in boot scan Avast detected (sometimes) the 'Win32:Dialui-B [Trj]' in it.

Since I am not now on the infected PC, soon I will post the log of hijackThis of it. Thank you for asking  :)

You are right, 'teatimer' of Spybot is enabled (I don't run Ad-Aware). By the way, do you think 'teatimer' is running even while Avast scans in boot mode? (because it seems C:\pagefile.sys, a windows file, can be scanned only in this mode as I mentioned in the beginning).


By the way, I noticed in the registry 3 keys about pagefile, one copy is:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Memory Management
ClearPageFileAtShutdown  REG_DWORD  0x00000000 (0)

Perhaps if 0 is changed to 1 (in similar keys too) that pagefile.sys could be reset.  ???

Of course, I'll change nothing... only when asked  :)

Kerim

Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #5 on: August 25, 2004, 12:15:52 PM »
Hi again,

Logfile of HijackThis v1.98.1
Scan saved at 1:03:40 PM, on 8/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\ProgKoko\hijack\HijackThis1_98\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:83
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab


Kerim


Offline Eddy

Re:trojano-169[Trj]
« Reply #6 on: August 25, 2004, 12:50:31 PM »
==========================================================================
THESE ITEMS SHOULD BE REMOVED:
==========================================================================
o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o16 - dpf: {b9191f79-5613-4c76-aa2a-398534bb8999} (yaddbook class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

==========================================================================
THESE ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR
THE SYSTEM TO WORK, IT IS RECOMMENDED TO REMOVE THEM:
==========================================================================
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office10\osa.exe
o4 - global startup: winzip quick pick.lnk = c:\program files\winzip\wzqkpick.exe

Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #7 on: August 25, 2004, 01:47:58 PM »
Thank you Eddy.  :)

I'll come back soon.  ;D


Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #8 on: August 25, 2004, 01:48:43 PM »
Thank you Eddy  :)

I'll come back soon  ;D

Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #9 on: August 25, 2004, 01:53:56 PM »
Hummm... sorry...  I noticed that some of my posts are sent twice. Sometimes IE tells me that the post couldn't be sent while it was already sent.    :-\

Offline Eddy

Re:trojano-169[Trj]
« Reply #10 on: August 25, 2004, 01:58:36 PM »
Refresh the page if that happens and see if it is posted or not before posting it again.

whocares

  • Guest
Re:trojano-169[Trj]
« Reply #11 on: August 25, 2004, 03:03:38 PM »

O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe

O4 - HKCU\..\Run: [WinXP] C:\WINDOWS\plugin1.exe



Do you know what this is ?
Seems quite a bit suspicious (multiple startups.. and plugins don't usually reside in Windows-folder)
Please scan it online with KAV, RAV & Trend
(See link "VirusRemoval" below in my sig..) ;)
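The two signs whocares points at (one executable registered under several Run entries, and a "plugin" living directly in the Windows folder rather than in System32 or Program Files) can be checked mechanically over a HijackThis log. The script below is an added example written for this thread; it is not part of HijackThis, Avast or anything posted above. It parses the O4 lines of a log, and the constructed sample input is a subset of the O4 lines from Kerim's log; the "Windows root" heuristic is a rule of thumb, not a rule HijackThis itself applies.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a subset of the O4 lines from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""


class StartupEntry(NamedTuple):
    scope: str            # "HKLM", "HKCU" or "Global Startup"
    name: str             # registry value name, or the .lnk name
    command: str          # command line as HijackThis printed it
    exe: Optional[str]    # executable path pulled out of the command, if any


# O4 registry entries: "O4 - HKLM\..\Run: [Name] command"
_REG_O4 = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
# O4 startup-folder entries: "O4 - Global Startup: Name.lnk = path"
_LNK_O4 = re.compile(r"^O4 - Global Startup: (.*?) = (.*)$")
# First token ending in .exe, quoted or not; bare "RUNDLL32.EXE" has no directory.
_EXE = re.compile(r'^"?([^"]*?\.exe)"?(?:\s|$)', re.IGNORECASE)

# Heuristic (assumption for this example): a Run entry pointing straight into
# the Windows root folder is unusual; legitimate entries on the log above live
# in System32 or under Program Files.
WINDOWS_ROOT = r"c:\windows"


def extract_exe(command: str) -> Optional[str]:
    m = _EXE.match(command.strip())
    return m.group(1) if m else None


def directory_of(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def parse_o4(log_text: str) -> List[StartupEntry]:
    entries: List[StartupEntry] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = _REG_O4.match(line)
        if m:
            scope, name, cmd = m.groups()
            entries.append(StartupEntry(scope, name, cmd, extract_exe(cmd)))
            continue
        m = _LNK_O4.match(line)
        if m:
            name, cmd = m.groups()
            entries.append(StartupEntry("Global Startup", name, cmd, extract_exe(cmd)))
    return entries


def triage(log_text: str) -> Dict[str, object]:
    """Flag executables registered more than once and those in the Windows root."""
    entries = parse_o4(log_text)
    by_exe: Dict[str, List[StartupEntry]] = defaultdict(list)
    for e in entries:
        if e.exe:
            by_exe[e.exe.lower()].append(e)
    multiple = {exe: [e.name for e in es] for exe, es in by_exe.items() if len(es) > 1}
    in_root = sorted(exe for exe in by_exe if directory_of(exe) == WINDOWS_ROOT)
    return {"entries": entries, "multiple_entries": multiple, "windows_root": in_root}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for exe, names in result["multiple_entries"].items():
        print(f"registered {len(names)} times: {exe} as {names}")
    for exe in result["windows_root"]:
        print(f"runs from the Windows root folder: {exe}")
```

On the sample above the script reports `c:\windows\plugin1.exe` on both counts (three Run entries, and a location no other entry uses), while qttask.exe, ctfmon.exe and the WinZip link pass. A hit is a reason to look the file up, as whocares suggests, not proof by itself.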

Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #12 on: August 25, 2004, 04:16:36 PM »
Eddy, I will, thank you.

Whocares, you are likely right I'll check about them. I already noticed that 'mfmedia.exe' has something to do with them because when it runs, 'teatimer' of SpyBot shows that an entry of 'plugin1.exe' is added!

On the other hand, I think I found the steps to get rid of 'Trojano-169 [Trj]'
First I noticed that it is reinstalled by 'Win32:Dialui-B [Trj]' that resides in "C:\pagefile.sys".
"C:\pagefile.sys" is an option (Virtual Memory) by Windows (mine is XP) as an extension to the internal RAM.
So before performing a boot full scan of "C:\" (by Avast), I first disabled this Virtual Memory:
Start -> Control Panel -> Administrative Tools -> Computer Management
-> [at left, right click] Computer Management (local) -> Properties
-> Advanced -> Performance, Settings -> Virtual Memory, Change.
 
Before selecting 'No paging file' I took a note about the custom size (Initial and Maximum size) so I can set them again after trojan removal.

I rebooted then deleted, during Avast scan, the files having 'Trojano-169 [Trj]' or 'Win32:Dialui-B [Trj]'

I shut down the PC for a few minutes to clear the RAM (just in case!  ;) )

I turned on the PC and checked that the deleted files no longer exist.

My final step was to re-enable the virtual memory to its previous settings.

Obviously from early stages, 'Turn off System Restore' is already checked in System Properties -> System Restore.

Unless I missed something, I thought that writing what I did might help others having the same trojan.

Kerim

Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #13 on: August 25, 2004, 04:57:24 PM »
Hi again,

Just to complete what I started, here is the new log (before reading whocares' comment about plugin1.exe)

Logfile of HijackThis v1.98.1
Scan saved at 4:17:54 PM, on 8/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
C:\WINDOWS\plugin1.exe
C:\WINDOWS\plugin1.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\plugin1.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\ProgKoko\hijack\HijackThis1_98\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:83
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [mswspl] C:\WINDOWS\plugin1.exe
O4 - HKLM\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [WinXP] C:\WINDOWS\plugin1.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE


Kerim

  • Guest
Re:trojano-169[Trj]
« Reply #14 on: August 26, 2004, 04:46:17 PM »
Hi again,

As expected, both trojans 'Trojano-169 [Trj]' and 'Win32:Dialui-B [Trj]' reappeared today on my PC as if yesterday I did nothing!  ;D

But thanks to our friend 'whocares' (#11) I know that 'plugin1.exe' is not a normal windows file. And since it runs at startup, I was almost sure that it has to be the cause of that glorious return of trojans above.  >:(    So I followed the following steps:
 1- In Spybot S&D (Advanced mode) -> Tools -> System Startup , I unchecked any entry that has 'C:\Windows\plugin1.exe'.
 2- I rebooted to safe mode.
 3- I moved 'C:\Windows\plugin1.exe' (might be deleted). I also moved another similar one 'C:\Windows\plugin4.exe'.  ;)
 4- I deleted, as an extra precaution, the "Temporary Internet files".  
 5- Then I disabled the "Virtual memory" as explained in reply #12 above.
 6- I rebooted to safe mode once again.
 7- I ran Avast (in Simple User Interface mode) and chose 'Schedule Boot-time Scan' from its menu.
 8- I set "Area to scan" to "Scan selected path" and the "Selected path to scan" to 'C:\', and I checked "Scan archive files".
 9- Pressing "Schedule", Avast restarted the computer and scanned 'C:\' at boot-time (of the normal mode).
10- During the scan, I deleted the files having 'Trojano-169 [Trj]' (though this time 'Win32:Dialui-B [Trj]' wasn't detected in C:\pagefile.sys)
11- Then when in normal mode, I moved 'C:\pagefile.sys' (might be deleted).
12- I re-enabled the virtual memory to its previous settings.

After restarting my PC many times and being on Internet for hours, it seems there is no sign of those trojans.

As you see, yesterday I missed one step... taking away 'plugin1.exe'!

Kerim