Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Trojan Horse collected 5.L [RESOLVED]


  • This topic is locked This topic is locked

#16
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\WINDOWS\System32\xpjava.exe
  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0

Advertisements


#17
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Xpjava.exe fixed and deleted.

Logfile of HijackThis v1.99.1
Scan saved at 2:37:06 PM, on 9/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xtra.co.nz/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.c...es/MsnInstC.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcaf...90/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe

Edited by Ace17, 01 September 2005 - 08:47 PM.

  • 0

#18
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0

#19
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Thought i should mention... theres this other a Generic. Downloader Trojan that i got around the same time as the Collected 5.1 one. All the Generic ones does is bring up a page "Babysandra.com" but it does set AVG off and it's kind of annoying. Theres also a telcomma thing on the HJT log, it was on task manager yesterday, but it's gone today... apart from then, i'd never even seen it before.

One other things.. i keep getting this box...

Generic Host Process for Win32 Services has encountered a problem and needs to close. We are sorry for the inconvenience.

I have the option to "send error report" or "don't send".. no matter which i click, the box disappears and either my IE browser closes, or the entire computer does.

Edited by Ace17, 01 September 2005 - 09:12 PM.

  • 0

#20
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren

  • 0

#21
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I already did that scan, it didn't detect the babysandra file, neither does HJT.

I read somewhere that the Babysandra file is connected to mousecm in the registry aswell as the Telcomm things found in HJT, couldn't i just remove it by "fixing" the Telcomm line in HJT and deleting the files??

Edited by Ace17, 01 September 2005 - 09:39 PM.

  • 0

#22
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Run AVG then and try to get me a full path to the file.

Trevuren
  • 0

#23
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Here you go...

msdirectx.sys - Trojan Horse Collected.5.L - C:\Documents and Settings\Administrator\msdirectx.sys

and

mmxbabysandra[1].exe - Trojan Horse Generic.Downloader.LF - C:\Documents and Settings\Sharyn\Local Settings\Temporary Internet Files\Content.IE5\81IJK9YV\mmxbabysandra[1].exe
  • 0

#24
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\Documents and Settings\Administrator\msdirectx.sys
C:\Documents and Settings\Sharyn\Local Settings\Temporary Internet Files\Content.IE5\81IJK9YV\mmxbabysandra[1].exe



* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.


Regards,

Trevuren

  • 0

#25
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
k, i did what you said. Copied, pasted, rebooted, deleted the files... a second later, AVG pops up again and the same babysandra.exe is back, theres like 3 different files it's said it's in... i tried finding two of the files it was supposed to be in but they don't even exist.
  • 0

Advertisements


#26
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please show me all the files that are singled out.

Thanks,

Trevuren

  • 0

#27
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
C:\mmxbabysandra.exe
C:Documents and Settings\Sharyn\Cookies\mmxbabysandra.exe
C:\WINDOWS\system32\config\systemprofile\Cookies\mmxbabysandra.exe

Those 3 actually exists

C:\Documents and Settings\Sharyn\Local Settings\Temporary Internet Files\Content.IE5\81IJK9YV\mmxbabysandra[1].exe

That one doesn't and theres another one like that, that doesn't exist either but i can't get the file name until AVG 'thinks' it's found it again.
  • 0

#28
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download the Killbox.
  • Unzip it to the desktop
  • Double-click Killbox.exe to run it.
  • Select "Delete on Reboot".
  • Place the following line (complete path) in C:\mmxbabysandra.exe in the "Full Path of File to Delete" box in Killbox:
  • Put a mark next to "Delete on Reboot"
  • Click the red-and-white "Delete File" button. Click "Yes" at theDelete on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually

2. Download System Security Suite.Zip file to your Desktop
  • Click on 3ssetup104.zip and a window will open.
  • Click on EXTRACT and choose your Desktop as the destination.
  • Click on setup.exe on your Desktop to install the program.
  • Follow the prompts to complete the installation.
  • Open the program.
  • Check all the boxes under the 'Items to Clear' tab
  • Click 'Clear Selected Items'
  • Reboot your system
3. Try your Antivirus again.

Regards,

Trevuren

  • 0

#29
Ace17

Ace17

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Think i got rid of those files to do with Babysandra... i'm ready to... do whatever it is i was supposed to do to finish.
  • 0

#30
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Re-hide your System Files and Folders to prevent any future accidents.

2. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
  • Right-click "My Computer", and then left click "Properties".
  • Left click on "System Restore Tab"
  • Check box beside "Turn Off System Restore"
  • Left click on "Apply"
TO ENABLE SYSTEM RESTORE
  • Remove check mark from "Turn Off System Restore"
  • Click on "Apply"
Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP