General Computer Security
Get Help With System Security - This forum is not for malware removal assistance. For malware removal assistance, read the sticky topic at the top of the HijackThis Log Help forum, or the "First Steps" link at the top right of each page.

#1 (permalink)
Registered User
Join Date: Nov 2005
Posts: 27
OS: WinXP Home
Windows XP Pro
Computer about 2 yrs old hardware. Computer clean of any threats until this problem.

- Usually very careful, but I clicked an "Adobe Flash" icon thing thinking it was some sort of net player; lo and behold, it's a virus.
- Wipes system restore points, changes and locks my background, removing the tab in display properties to change desktop, and now the last thing it is doing is producing trojan files in my system32 every time my computer boots, which could be key loggers or anything really. I only notice the virus by seeing these files created and running at Windows startup in system32, and when I use a search engine it likes to redirect my search links to other search engines as the only virus symptom I see.
- I've run AVG, Spybot Search & Destroy, PC Tools (Registry Cleaner & Spyware Doctor). Ran these in safe mode also and tried to delete the virus files there but I cannot find the one reproducing.
- I believe the virus creates random 8 word .exe files in the system32 which all do the same thing. The properties of this file have what seems like display/theme options; I can't figure out what it all does but pretty certain it's a virus file. The scans always pick it up after it is created.

So far, I ran Task Manager, found an 8word random process, and searched for it, only finding a .pf file in the Prefetch Windows folder. From what I read these just load things faster, but the search showed no other file for the .exe virus file I found in Task Manager. Going to try deleting my .pf files in safe mode and rebooting.

Any help would be greatly appreciated, wouldn't want any keyloggers getting my info :/ just need to find where the last file is hiding somehow I think.

#2 (permalink)
Registered User
Join Date: Nov 2005
Posts: 27
OS: WinXP Home
Re: Trojan Reproducing >.<
pwxqlexg.exe found in my c:/local doc settings/all users/application data/random 8 word file (h.... something)
This file did not turn up in searches until I included more than just folders and files in the file search options. There was another folder with similar crap in program files which I found easily a day or so ago. :/ Not sure how anyone normal would fight this crap. I think I finally got it: random file names that dodged so many searches, really had to get in there and look through every file that was changed since the incident. Evil trojans!

.. um scrap that, still getting redirected on my Google searches :/ What and where can I find viruses that redirect your web browsing? I think it's just in IE and not Firefox also.

*Note smartbizsearch.com is one of the redirects, then I think it goes to one of its links for my search topic? o.0

Last edited by Xamata : 07-19-2008 at 01:33 PM.

#3 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Re: Trojan Reproducing >.<
Hi

Please start here and follow the instructions.
http://www.techsupportforum.com/secu...sting-log.html

If you cannot complete any of the Steps, simply move on to the next one - remember to let the Analyst know about this when you post your logs.

Do not post your logs back in this thread - follow the guidance in the above link!

Please note that the Security Forum is always busy, so I would ask for your patience while waiting for a reply - it may take a few days.
__________________
Iain - Defender of the Haggis and all things Scottish. I don't help by PM - post in the Forums.
Ad-Aware::SpywareBlaster::SpyBot::SpywareGuard::SnoopFree::AVG Free::HOSTS File::HijackThis::Donate::5 Steps For Infected PCs

#4 (permalink)
Registered User
Join Date: Nov 2005
Posts: 27
OS: WinXP Home
Re: Trojan Reproducing >.<
Well, I ended up taking a split second screenshot and it's a hijacking search engine called partners.mamma.com or something.
Googled it and found topics saying to use the "fixwareout" program, which many tech supports say to use for issues it seems. This program reboots and scans the startup cycle, eliminating, from what I saw, registry files starting the hijacking. :/ All this must have been a bundle pkg: system overriding, trojans, keyloggers, and site hijacking.

Btw, the 5 steps aren't that useful for serious stuff; any scan program can eliminate junk, but anything that's really damaging is more specific and reproductive/hiding from scans. Anyways, seems all fixed now....

*****Is there a way to protect system restore files from being attacked?

#5 (permalink)
Registered User
Join Date: Jul 2008
Posts: 3
OS: XP SP2
Re: Trojan Reproducing >.<
I think viruses these days are good at messing up system restore, sadly. I'm not a pro with viruses, but after just tackling one myself, I must recommend having a bootable CD (i.e. Microsoft XP install CD) with Recovery Console.... basically a stripped down version of DOS... navigate to C:\WINDOWS and to C:\WINDOWS\SYSTEM32 (and any other place you think bad stuff might be), look at files sorted by date (I think command is DIR /OD), and delete all the nasty .dlls and .exes that were just recently introduced -- some of which you possibly can't delete from within Windows since they are being "used by another process" -- i.e. like WINLOGON or EXPLORER or whatnot.

Also use MSCONFIG from the command line to see what processes are in the "STARTUP" section.

Those prefetch files, never been sure about those... don't think that's where the viruses reside though (I think it's something Windows creates before accessing a file).

Apart from that, ask the pros here or at another tech forum.
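
Posts #2 and #5 both come down to listing executable files changed since the incident, oldest first. The Python below is an added example, not code from any poster; it does the same sweep as `DIR /OD` across several folders, and the extension list, folder roots and incident date are assumptions to adjust.

```python
import os
from datetime import datetime, timezone

# Extensions to review first; an assumption for this example, extend as needed.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".bat"}

def recent_executables(roots, since, exts=EXECUTABLE_EXTS):
    """Return (mtime, path) pairs for executable-type files modified at or
    after `since` (a timezone-aware datetime), oldest first like DIR /OD."""
    cutoff = since.timestamp()
    hits = []
    for root in roots:
        # os.walk lists hidden files too and skips unreadable folders silently.
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if os.path.splitext(name)[1].lower() not in exts:
                    continue
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # do not follow links out of the tree
                except OSError:
                    continue  # file vanished or is locked; skip it
                if st.st_mtime >= cutoff:
                    hits.append((st.st_mtime, path))
    return sorted(hits)

def format_report(hits):
    """Render hits as 'UTC timestamp  path' lines for review."""
    lines = []
    for mtime, path in hits:
        stamp = datetime.fromtimestamp(mtime, timezone.utc)
        lines.append(f"{stamp:%Y-%m-%d %H:%M:%SZ}  {path}")
    return lines

if __name__ == "__main__":
    # Constructed values: set the incident time and roots for your own case.
    incident = datetime(2008, 7, 17, tzinfo=timezone.utc)
    roots = [r"C:\WINDOWS\SYSTEM32",
             r"C:\Documents and Settings\All Users\Application Data"]
    for line in format_report(recent_executables(roots, incident)):
        print(line)
```

Run it from a clean environment against the mounted disk where possible; modification times can be altered, so an empty result is not proof of a clean system.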

#6 (permalink)
Registered User
Join Date: Jul 2008
Posts: 3
OS: XP SP2
Re: Trojan Reproducing >.<
Also... I recommend for everybody Mike Lin's awesome program "Startup Control Panel"... goes beyond MSCONFIG to give you control over what processes are slated to start up on your PC (via the registry). When you have a nasty virus, you can tell from this program, because as you try to delete or disable something from one of the various STARTUP registry areas, it will mysteriously reappear in front of your eyes. That's a sign that one of the processes running on your PC is popping the nasty dll or exe right back into the registry so it will start up when you reboot.
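
The reappearing-entry symptom described in this post can be checked by comparing snapshots of the startup registry values over time. The Python below is an added example, not part of the original post and not Startup Control Panel's code; the snapshot contents, value names and file paths are constructed.

```python
HKLM_RUN = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def normalize(command):
    """Lower-case and strip surrounding quotes so the same binary compares equal."""
    return command.strip().strip('"').lower()

def reappearing_entries(snapshots):
    """snapshots: list of (label, {(key, value_name): command}) in time order.
    Flags autostart commands that disappear from one snapshot and are back in
    a later one, under the same value name or a new one.
    Returns (command, removed_at, restored_at, (key, value_name)) tuples."""
    findings = []
    missing = {}   # normalized command -> label of the snapshot where it vanished
    prev = None
    for label, snap in snapshots:
        current = {normalize(cmd): entry for entry, cmd in snap.items()}
        if prev is not None:
            for cmd in prev.keys() - current.keys():
                missing[cmd] = label          # deleted or disabled by the user
            for cmd in current.keys() - prev.keys():
                if cmd in missing:            # something wrote it back
                    findings.append((cmd, missing.pop(cmd), label, current[cmd]))
        prev = current
    return findings

# Constructed snapshots: t1 is taken right after the user deletes the
# suspicious value, t2 a minute later. Names and paths are hypothetical.
SAMPLE = [
    ("t0", {(HKLM_RUN, "exampleav"): r'"C:\Program Files\ExampleAV\tray.exe"',
            (HKLM_RUN, "abcdwxyz"): r"C:\WINDOWS\system32\abcdwxyz.exe"}),
    ("t1", {(HKLM_RUN, "exampleav"): r'"C:\Program Files\ExampleAV\tray.exe"'}),
    ("t2", {(HKLM_RUN, "exampleav"): r'"C:\Program Files\ExampleAV\tray.exe"',
            (HKCU_RUN, "qrstlmno"): r"c:\windows\system32\ABCDWXYZ.exe"}),
]

if __name__ == "__main__":
    for cmd, removed_at, restored_at, entry in reappearing_entries(SAMPLE):
        print(f"{cmd} removed at {removed_at}, back at {restored_at} as {entry}")
```

Matching on the command rather than the value name catches an entry that returns under a new random name or in a different Run key.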

#7 (permalink)
Registered User
Join Date: Nov 2005
Posts: 27
OS: WinXP Home
Re: Trojan Reproducing >.<
You can delete things in safe mode, instead of using a bootable cd like mentioned or even safe mode command prompt, which I've only ended up using I think to system restore after windows locked me out.
But yes, definitely get yourself registry tools nowadays, any serious virus I've dealt with in the past few years, a scan may stop most things but doesn't seem to eliminate and you never know if the last bit of a virus is going to do damage, like this one after all said and done was just hijacking my search engine, it could have logged my bank account numbers or something. The registry is where viruses like to keep themselves alive now :/ and you'll need tools because I got no idea what half the registries do, those file names make no sense to me :P