trojan dropper help

Discussion in 'Windows - Virus and spyware problems' started by paddybong, Nov 23, 2009.

  1. paddybong

    paddybong Regular member

    Joined:
    Jan 21, 2009
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    26
    Today, 09:23 PM

    hi lads anyone help with this one,malwarebytes found Trojan.dropper and Trojan fakealert,i delete them both and reboot PC done another scan and there back,turned of system restore done scan there still there.

    Files Infected:
    C:\Windows\system32\msxml71.dll (Trojan.FakeAlert) .
    C:\Users\user\AppData\Local\Temp\a.exe (Trojan.Dropper).

    thanks paddy
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:26:37, on 23/11/2009
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v8.00 (8.00.6001.18828)
    Boot mode: Normal

    Running processes:
    C:\Windows\System32\smss.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\csrss.exe
    C:\Windows\system32\services.exe
    C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\winlogon.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\bcmwltry.exe
    C:\Windows\System32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
    C:\Windows\system32\aestsrv.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    C:\Windows\system32\STacSV.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\ThreatFire\TFService.exe
    C:\Users\user\AppData\Local\TVersity\Media Server\MediaServer.exe
    C:\Windows\System32\svchost.exe
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Windows\OEM02Mon.exe
    C:\Windows\WindowsMobile\wmdc.exe
    C:\Program Files\Windows Media Player\wmpnscfg.exe
    C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\ThreatFire\TFTray.exe
    C:\Program Files\TomTom HOME\TomTomHOME.exe
    C:\Windows\System32\rundll32.exe
    C:\Program Files\Dell Support Center\bin\sprtcmd.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\SGPSA\ie3sh.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Windows\ehome\ehtray.exe
    C:\Windows\system32\svchost.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\System32\mobsync.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Dell Start Page
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\s wg.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
    O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
    O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
    O4 - HKLM\..\Run: [Smart Start UP] C:\Program Files\NewSoft\Smart Start UP\PnPDetect.exe /Automation
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
    O4 - HKLM\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKLM\..\Run: [FBSSA] C:\Program Files\SGPSA\ie3sh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: QuickSet.lnk = ?
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
    O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
    O13 - Gopher Prefix:
    O16 - DPF: {1C855A0E-34AF-4660-A2FD-66A82A57D14B} (XExcuter Class) - http://dload0.liveblockauctions.com/.../lgbexec_3.cab
    O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanage...ex-2.2.5.0.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos...ineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
    O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
    O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Desktop Manager 5.9.909.30391 (GoogleDesktopManager-093009-130223) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Roxio\Roxio MyDVD DE\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
    O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\user\AppData\Local\TVersity\Media Server\MediaServer.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
     
    paddybong, Nov 23, 2009
    #1
  2. syxguns

    syxguns Active member

    Joined:
    Jan 13, 2006
    Messages:
    1,378
    Likes Received:
    4
    Trophy Points:
    68
    Wow, that HjT log is long!! Let's try to shorten it quite a bit before I take the time to really look at it. We are going to download a few programs. This post is going to be long, so I would suggest that you highlight everything then press Ctrl + C to copy it. Open Notepad or MS Word and press Ctrl + V to paste it, and then feel free to print so you have something to follow!

    ERUNT & NTREGOPT (in same download of ERUNT) This program is a complete registry backup. I even have it set to run a backup every time I restart my machine. It stores the backups by date in a folder called ERDNT on your hard drive located at C:\Windows I highly recommend this program to everyone. Link to ERUNT

    SUPERAntiSpyware Link

    CCleaner Link Two things to remember when running this program. First make sure to back up your registry with ERUNT. Second remember to run the cleaner on each step two or three times, to ensure all items are removed. You do not need to save a backup of your registry with CCleaner because ERUNT will have a full registry backed up before you even run it.

    EndItAll2 Link We may not even need to use this program, but it is a nice little tool to have. It will show you all processes running on your machine and you may kill the process if you wish.

    After all programs are downloaded make sure that SUPERAntiSpyware has the latest definition updates. Now run the program ERUNT to get a complete backup of your current registry. It will ask you if you would like to change the default name for the folder to save the backup in, but I always keep it at ERDNT.

    Make sure to turn off system restore before we go any further. This may be turned back on later. Click the Start icon and scroll up to "Computer". Right click "Computer" and select "Properties". Now select the "System Protection" link on the left hand side. Now uncheck all drives that may be selected for system restore, and you will be presented with a box that says, "Are you sure you want to turn System Restore off", click the button that says the same thing!! You may turn that back on after your system is repaired.

    Now that all programs are updated and installed reboot your machine into safe mode: Press F8 repeatedly during boot. This will bring you to a screen where you may tell the computer to start in Safe Mode.

    NOTE: Safe Mode does not run any programs except for Windows system files. Once you are up and in safe mode follow these steps (ignore the quotation marks, they are just there so you know what to type!):

    1) Click Start icon and in the little text box type "msconfig". You will then see under Programs "msconfig", select that to open it. Vista is going to ask you for a User name and Password. You will need to have the Admin User name and password to continue.

    2) Select the tab at the top that says "Startup" Scroll down the list and make sure that "msxml71.dll" and "a.exe" are not selected. They should not be in that list and I just want to ensure that they are not.

    3) Now select the tab "Services" and make sure that they are not selected in there. Hopefully you did not have to deselect anything! Now open the "Task Manager" by selecting Ctrl + Alt + Esc to make sure the process is not running under the process tab.

    4) Now open EndItAll2 and after it scans it will give you a display of all running processes. Make sure the two files do not show up. If they do, then highlight the process and tell it to kill it.

    5)Show hidden files and folders follow the steps.

    A. Close all programs so that you are at your desktop.

    B. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.

    C. Click on the Control Panel menu option.

    D. When the control panel opens you can either be in Classic View or Control Panel Home view:

    If you are in the Classic View do the following:
    1. Double-click on the Folder Options icon.
    2. Click on the View tab.
    3. Go to step 5.

    If you are in the Control Panel Home view do the following:
    1. Click on the Appearance and Personalization link .
    2. Click on Show Hidden Files or Folders.
    3. Go to step 5.

    E. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

    F. Remove the checkmark from the checkbox labeled Hide extensions for known file types.

    G. Remove the checkmark from the checkbox labeled Hide protected operating system files.

    H. Press the Apply button and then the OK button and shutdown My Computer.

    I. Now Windows Vista is configured to show all hidden files.

    6) Now select the Start icon and click the tab called "Computer" Now select the C:\ drive and all of the folder following. C:\Users\user\AppData\Local\Temp. Delete all folders in the Temp folder. Hey they were just temporary anyway!! :p

    You may go back and reverse the "Show all hidden files and folders" whenever you like!

    7) Now run SUPERAntiSpyware and remove all that it finds.

    8) Now run CCleaner, remember that you already have a backup of your registry so you do not need to save a backup. Remember to also run both test at least 3 times or until it does not find anything to remove.

    9) Now run malwarebytes and see if it still finds the guys. I'm hoping the SUPERAntiSpyware and CCleaner took care of the problems.

    10) you may like turn System Restore back on as well as turning off the show hidden files and folders. After this is done reboot the machine back to standard mode. You may post a new HjT log at this time, unless we were able to nip it in the bud, so to say!!
     
    Last edited: Dec 5, 2009
    syxguns, Dec 5, 2009
    #2
  3. paddybong

    paddybong Regular member

    Joined:
    Jan 21, 2009
    Messages:
    99
    Likes Received:
    0
    Trophy Points:
    26
    thanks i got it sorted true avira,and all is clean to date,thanks for ur reply.

    paddy.
     
    paddybong, Dec 5, 2009
    #3

Share This Page