[ufrv20]

New member, looking to find out how to remove trojan-downloader-ruin

webroot spysweeper has found it and it keeps generating 5-letter exe files that are flagged to start up the next time i reboot. ever boot cycle i run webroot, but it's getting old. i'm afraid the downloader is going to let some more malware onto my pc.

I see I'm not the first one to post a thread about this particular malware, but i can't seem to find any resolved threads.

Any advice?

[Advertisements]

We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by tampabelle, 30 September 2005 - 01:46 PM.

[tampabelle]

We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

Edited by tampabelle, 30 September 2005 - 01:46 PM.

[ufrv20]

Here are my results! Thanks for looking into this!

Logfile of HijackThis v1.99.1
Scan saved at 6:24:00 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\lssas.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\TrojanHunter 4.2\TrojanHunter.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Everybody\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dmxrp.exe] C:\WINDOWS\System32\dmxrp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{06385FAD-C8D4-4181-AD1B-848E590D1AFC}: NameServer = 85.255.113.109,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F53FD5A0-BFCF-4E2E-AF1C-81CDB2E23143}: NameServer = 85.255.113.109,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{06385FAD-C8D4-4181-AD1B-848E590D1AFC}: NameServer = 85.255.113.109,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{06385FAD-C8D4-4181-AD1B-848E590D1AFC}: NameServer = 85.255.113.109,85.255.112.8
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netbios Helper Service - Unknown owner - C:\WINDOWS\system32\altsvc.exe (file missing)
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

[tampabelle]

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entries, delete some files or uninstall some programs. If in case, you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp


2. Remove Infections

Click on Start ---> Run. Type Services.msc and hit enter. Locate the item - Netbios Helper Service. Right click on it and then click on properties. In the Startup Type choose the option Disable.

Similarly disable the service - Network DDE Connections


Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [dmxrp.exe] C:\WINDOWS\System32\dmxrp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{06385FAD-C8D4-4181-AD1B-848E590D1AFC}: NameServer = 85.255.113.109,85.255.112.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{F53FD5A0-BFCF-4E2E-AF1C-81CDB2E23143}: NameServer = 85.255.113.109,85.255.112.8
O17 - HKLM\System\CS1\Services\Tcpip\..\{06385FAD-C8D4-4181-AD1B-848E590D1AFC}: NameServer = 85.255.113.109,85.255.112.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{06385FAD-C8D4-4181-AD1B-848E590D1AFC}: NameServer = 85.255.113.109,85.255.112.8

Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Files
C:\WINDOWS\System32\dmxrp.exe
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\lssas.exe

Run CleanUp and delete all temp files including temporary internet files

Run Hijack This again. Click on config ---> Misc Tools ----> Delete an NT Service. Type in - Netbios Helper Service - and hit enter. Similarly delete the service - NETDDEC.

Reboot the PC in Normal Mode.

Please visit Panda and do an online scan. Save the scan report.

Run Hijack This and post a fresh HJT log along with Panda scan report.

[ufrv20]

Here's the HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:13:39 PM, on 10/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Everybody\Desktop\HiJack This!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network DDE Connections (NETDDEC) - Unknown owner - C:\WINDOWS\system32\service.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

And HERE are the Panda Activescan results:


Incident Status Location

Adware:adware/cws No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url
Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini
Virus:W32/Randon.CO.worm Disinfected C:\WINDOWS\system32\ms32.dll
Virus:Bck/mIRCBased.F Disinfected C:\WINDOWS\system32\msthost.exe.tcf
Virus:W32/Randon.CO.worm Disinfected C:\WINDOWS\system32\qos.dll

[tampabelle]

Run Hijack This. Click on config ---> Misc Tools ----> Delete an NT Service. Type in - NETDDEC - and hit enter.


Delete the files -

C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\WINDOWS\rdt.ini
C:\WINDOWS\system32\ms32.dll
C:\WINDOWS\system32\msthost.exe.tcf
C:\WINDOWS\system32\qos.dll


Reboot the PC and let me know how your PC is behaving now !!!!!!!!

[ufrv20]

i think during the course of the last step, something went wrong. i'm now not able to use xp style buttons any longer, and some programs no longer run. i'm pretty sure i deleted the correct service.exe file but i can't help but think they're somehow related.... i'll continue with the next step, but several things aren't working that did a few minutes ago, and i followed these steps to the T, any advice?

[tampabelle]

service.exe is a bad file.

Services.exe is a system file.

In case you deleted services.exe, then you can copy it from c:\windows\system32\dllcache folder to c:\windows\system32 folder.

The dllcache folder is a hidden folder. To view hidden files and folders, read this page - http://www.bleepingc...tutorial62.html

[ufrv20]

the last 3 files didn't exist in the sys32 folder.

[ufrv20]

in response to the services.exe file. it looks like it's still in place. interesting my dungeon siege 2 gets stuck at the splash screen and some of the windows xp visual settings are no longer available. i can't seem to think of what else could be responsible for that.

[ufrv20]

in addition, the first time i try to run int explorer, it asks me to work offline or try again to work online...

[tampabelle]

Click on Start ---> Run. Type in -

cmd

and hit enter.


A DOS Window will open. Type the following commands -


ipconfig /release
ipconfig /flushdns
ipconfig /renew


Reboot the PC.


Let me know how your IE is behaving now

[ufrv20]

IE Seems to be behaving fine. it still asks me the same question after a reboot if i want to work offline or try to connect to the internet again. thank you for the help of removing this virus, but the repercussions of whatever has happened during this process are too great. so many little things aren't working that used to or should within my windows framework.

[tampabelle]

What version of Windows XP are you using ?? XP Home or XP Pro ??

Do you have the Windows XP CD with you ???