04-27-2007, 12:35 AM   #9
tetonbob
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,171
OS: 2000 Pro; XP Pro; XP Home


Re: Help - win32 Trojan

Well, you've caught a pile of nasty there, John....

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

You can read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Assuming the infected machine is still offline (and off network, if there is one)...

We'll download some tools using a clean machine, and carry them to the infected machine.

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
We'll use this shortly.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop. We'll use this later.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. We'll use this later.

Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop. We'll use this later.

---------------------------------------------------------------------------------------------

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

Quote:
    @echo off
    sc stop "Microsoft IE Updater_2"
    sc delete "Microsoft IE Updater_2"
    exit
Double click FixServices.bat. A window will open and close. This is normal.

---------------------------------------------------------------------------------------------

Run OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\winupd_KB65919063.exe
    C:\WINDOWS\system32\winupd_KB58620628.exe
    C:\WINDOWS\system32\winupd_KB69412836.exe
    C:\WINDOWS\system32\winupd_KB08494134.exe
    C:\WINDOWS\system32\winupd_KB26431806.exe
    C:\WINDOWS\system32\winupd_KB56829756.exe
    C:\WINDOWS\system32\winupd_KB59303473.exe
    C:\WINDOWS\system32\winupd_KB70645686.exe
    C:\WINDOWS\system32\winupd_KB08471726.exe
    C:\WINDOWS\system32\winupd_KB90069443.exe
    C:\WINDOWS\system32\winupd_KB90004561.exe
    C:\WINDOWS\system32\winupd_KB44318973.exe
    C:\WINDOWS\system32\winupd_KB78434668.exe
    C:\WINDOWS\system32\winupd_KB85131081.exe
    C:\WINDOWS\system32\winupd_KB17264537.exe
    C:\WINDOWS\system32\winupd_KB89378022.exe
    C:\WINDOWS\system32\winupd_KB77786317.exe
    C:\WINDOWS\system32\winupd_KB98221393.exe
    C:\WINDOWS\system32\winupd_KB81204801.exe
    C:\WINDOWS\system32\winupd_KB72117528.exe
    C:\WINDOWS\system32\winupd_KB18003240.exe
    C:\WINDOWS\system32\winupd_KB11901888.exe
    C:\WINDOWS\system32\winupd_KB92021998.exe
    C:\WINDOWS\system32\winupd_KB40754700.exe
    C:\WINDOWS\system32\winupd_KB56869449.exe
    C:\WINDOWS\system32\winupd_KB94184285.exe
    C:\WINDOWS\system32\winupd_KB04080293.exe
    C:\WINDOWS\System32\888111253.exe
    C:\Documents and Settings\ie_updater.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please post the log from OTMoveIt, located here:

c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date of the tool run.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they exist (make sure you do not miss any) and click Fix Checked.

O4 - HKLM\..\Run: [888111253.exe] C:\WINDOWS\System32\888111253.exe

Close HijackThis now.

---------------------------------------------------------------------------------------------


To run FileFind, please do the following:
  • Click on FileFind.exe
  • Leave the Directory set to C:
  • In the box labeled "File"
    • Enter ip6fw.sys
  • Now click on the "Search" button
  • Once the utility has found the files click on "Export"
  • A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
  • NOTE: The notepad is saved on your C:\ drive as "Export.txt"

---------------------------------------------------------------------------------------------

Now, let's run DSS:
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.

What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

Double-click gmer.exe

Run the program and select the Rootkit tab & make sure the 'Show All' button is unticked. Click the Scan button and let the program do its work. It will produce a log. Copy the log using the Copy button, open Notepad and paste the log into a new text file (using Ctrl + V), save it somewhere you can find it, and post the log in this thread.

---------------------------------------------------------------------------------------------

Please do this next:

Zip up c:\_OTMoveIt\MovedFiles (right click, send to>compressed file) and submit it here:

Please submit it to this site http://www.bleepingcomputer.com/subm....php?channel=4
and include a link to this topic in the message.

---------------------------------------------------------------------------------------------

So, logs from:

OTMoveIt
FileFind
DSS (main.txt and extra.txt)
gmer
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
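An added detection example, not part of tetonbob's post or of any tool it names: a Python scan over constructed HijackThis/DSS-style log lines that flags the naming patterns the post above removes by hand (the winupd_KB########.exe droppers in system32, the all-numeric 888111253.exe Run entry, the ie_updater.exe in the profiles root, and a Microsoft-branded service with no company information). The O4 entry and file paths come from the post; the O23 service lines and the clean entries are assumed samples.

```python
import re

# Constructed sample in HijackThis/DSS log style. The O4 entry and file paths
# come from the post above; the O23 lines and the clean entries are assumed.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [888111253.exe] C:\WINDOWS\System32\888111253.exe
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Microsoft IE Updater_2 - Unknown owner - C:\WINDOWS\system32\winupd_KB65919063.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winupd_KB58620628.exe
C:\Documents and Settings\ie_updater.exe
C:\Documents and Settings\John\Desktop\notes.txt
"""

# Naming patterns from this infection: fake KB-numbered "updaters" in system32,
# an all-numeric .exe, and an .exe in the root of the profiles folder.
FAKE_KB_EXE = re.compile(r"\\winupd_KB\d{8}\.exe$", re.IGNORECASE)
ALL_DIGIT_EXE = re.compile(r"\\\d+\.exe$", re.IGNORECASE)
PROFILE_ROOT_EXE = re.compile(r"^[A-Z]:\\Documents and Settings\\[^\\]+\.exe$", re.IGNORECASE)
RUN_ENTRY = re.compile(r"^O4 - .*\\Run: \[[^\]]+\] (?P<path>.+)$")
SERVICE_ENTRY = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def classify_path(path):
    """Return a reason if the path matches one of the known-bad naming patterns."""
    if FAKE_KB_EXE.search(path):
        return "fake KB-numbered updater executable"
    if ALL_DIGIT_EXE.search(path):
        return "all-numeric executable name"
    if PROFILE_ROOT_EXE.match(path):
        return "executable in the root of Documents and Settings"
    return None


def scan_log(text):
    """Return (line, reason) pairs for suspicious Run entries, services and paths."""
    hits = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = SERVICE_ENTRY.match(line) or RUN_ENTRY.match(line)
        fields = m.groupdict() if m else {"path": line}
        reason = classify_path(fields["path"])
        # A service that borrows the Microsoft name while HijackThis reports no
        # company information for its binary deserves a look on its own.
        if reason is None and fields.get("name", "").startswith("Microsoft") \
                and fields.get("owner") == "Unknown owner":
            reason = "Microsoft-branded service with unknown owner"
        if reason:
            hits.append((line, reason))
    return hits
```

Run it on the real main.txt from DSS instead of SAMPLE_LOG to get a first-pass list of entries worth checking before fixing anything by hand.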