| Thread ID: 76290 | 2007-01-27 21:36:00 | generic downloader.f trojan removal? | littledevil (11823) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 519867 | 2007-01-27 21:36:00 | I'm running an up to date version of McAfee VirusScan, but somehow the above trojan has managed to download and install itself on the hard drive... (don't know where from, only websites I was on were legit ones I've been on heaps before). McAfee picked it up and asked if I wanted to delete or quarantine the file, I clicked 'delete' and it said it can't and to check if the file is write-protected. In the end, couldn't delete or quarantine any of it, then whenever I started the computer up I would get a command prompt window pop up and an error come up saying an illegal instruction has been encountered... cancel that and it's all fine, but I can't access the task manager (ctrl + alt + del brings up a message saying it has been disabled by admin). I've virus scanned the hard drive a couple of times and eventually it picked up some files, which I deleted successfully. Now the command prompt isn't coming up, but I'm getting popups / ads, and task manager isn't working.... AND I can't find anything on the McAfee website to help me! Just says to update all the DAT files, which has been done. The only other thing it says is to turn off system restore, but no instructions after that. Obviously there are still files of the trojan left on the hard drive after McAfee cleaning it, is there anything anyone knows of which can fix this?? I'm hoping to be able to use the computer over the next few days without having to worry about it so if I can get a fix that'd be good, but may have to wait until Tuesday to get someone to look at it. Any help would be appreciated!! Thanks. |
littledevil (11823) | ||
| 519868 | 2007-01-27 21:44:00 | Get hijackthis (www.merijn.org) if u can. From here (www.merijn.org). Unzip it, put it in its own folder, then run it, click on scan and save a log. Post the log here. |
Speedy Gonzales (78) | ||
| 519869 | 2007-01-27 22:06:00 | thanks for the quick response. the only other errors I'm getting are IE saying it needs to be closed because of an error (the window where you choose to send an error report to microsoft or not, can't remember exact wording sorry), and every so often mcafee picks up a few PUPs (pretty sure one of these was "hpztsb0 5.exe" IIRC). hasn't come up with any the last couple of times the computer has been started up though. log file as follows...
Logfile of HijackThis v1.99.1
Scan saved at 10:54:16 a.m., on 28/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stuff.co.nz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DEC546E-B722-F5C7-AC78-0A402ED848E8} - C:\WINDOWS\System32\jeobeog.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb0 5.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [yuyjdig.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Matt\Local Settings\Application Data\yuyjdig.dll",xbsccpf
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - go.microsoft.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - download.mcafee.com
O16 - DPF: {A2505C6C-6F17-456F-89D2-4301FBDC6EC7} (Iewiper Control) - www.express.apn.co.nz
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - download.mcafee.com
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Games\Dopewars\dopewars.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe |
littledevil (11823) | ||
| 519870 | 2007-01-27 22:19:00 | OK, run HJT again, tick these entries and tick fix checked. (Close browser/s first)
O2 - BHO: (no name) - {0DEC546E-B722-F5C7-AC78-0A402ED848E8} - C:\WINDOWS\System32\jeobeog.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Uninstall this version of Java, and ALL previous versions if any are installed. And download and install the latest version (sdlc5a.sun.com) (the first link 12.56mb).
I would also get ccleaner (www.ccleaner.com). Download this, install and run. Then click on run ccleaner. (You may have to close browsers before u do this too)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
This entry looks suss.
O4 - HKLM\..\Run: [yuyjdig.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Matt\Local Settings\Application Data\yuyjdig.dll",xbsccpf - Things don't usually run from this folder.
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Games\Dopewars\dopewars.exe (file missing)
Then reboot, then see if it's still there. Hopefully it isn't. Also try Spybot (www.spybot.info) and get the detection updates as well. Install the program then the updates, then do a scan, remove anything it brings up. |
Speedy Gonzales (78) | ||
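The red flags Speedy Gonzales applies to the log above (an O2 BHO with no name, an O4 Run entry where rundll32 loads a DLL out of a user's Local Settings folder, and an O23 service whose file is missing) can be written down as a small triage script. This is an added example, not code from the thread or from HijackThis; the sample log is constructed from entries quoted in this thread, and the function name triage_hjt and the heuristics are my own.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, built from entries quoted in
# this thread (a clean Adobe BHO and NVIDIA entries are included as negatives).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DEC546E-B722-F5C7-AC78-0A402ED848E8} - C:\WINDOWS\System32\jeobeog.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [yuyjdig.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Matt\Local Settings\Application Data\yuyjdig.dll",xbsccpf
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Games\Dopewars\dopewars.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Every HJT entry starts with a section code (R0, O2, O4, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# rundll32 followed by the DLL it is asked to load (quoted or bare path).
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)', re.IGNORECASE)
# Folders a legitimate startup DLL is rarely loaded from on Windows XP
# (the "things don't usually run from this folder" heuristic).
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\local settings\\",
                        "\\application data\\")


def triage_hjt(log_text):
    """Return [(entry, reason)] for entries matching the thread's red flags:
    a nameless O2 BHO, an O4 Run entry that has rundll32 load a DLL out of a
    user-profile folder, and an O23 service whose binary is missing."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines are skipped
        section, body = m.group("section"), m.group("body")
        if section == "O2" and "(no name)" in body:
            findings.append((raw, "BHO registered without a name"))
        elif section == "O4":
            dll = RUNDLL_RE.search(body)
            if dll and any(k in dll.group(1).lower() for k in USER_PROFILE_MARKERS):
                findings.append((raw, "rundll32 loads a DLL from a user-profile folder"))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append((raw, "service points at a missing binary"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}: {entry}")
```

A hit from this script is a reason to look closer, not proof of infection; the NvCplDaemon entry, for instance, also goes through rundll32 but is not flagged because its DLL lives in System32.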
| 519871 | 2007-01-27 22:32:00 | And upgrade to Service Pack 2, security updates for SP1 are no longer being released. | gcarmich (10068) | ||
| 519872 | 2007-01-27 22:35:00 | And upgrade to Service Pack 2, security updates for SP1 are no longer being released. If u do install SP2, MAKE SURE this downloader has been removed FIRST. I would also install some kind of firewall. |
Speedy Gonzales (78) | ||
| 519873 | 2007-01-28 01:12:00 | Uninstall this version of Java, and ALL previous versions if any are installed.
How do I uninstall Java? Would it be in "add/remove programmes"? All I can find in there is a couple of updates for "j2se". Do I just uninstall them? Otherwise where else do I uninstall Java from? The link for the new Java doesn't take me to a page with downloads on, I've registered, then at the bottom of the downloads page there's a section for Java. When I click on "java and technologies" is it the first link/download on that page? Sorry for the confusion...
I would also get ccleaner (www.ccleaner.com). Download this, install and run. Then click on run ccleaner. (You may have to close browsers before u do this too)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
Should I delete/clean the above files/directories once I've run ccleaner?
This entry looks suss.
O4 - HKLM\..\Run: [yuyjdig.dll] C:\WINDOWS\System32\rundll32.exe "C:\Documents and Settings\Matt\Local Settings\Application Data\yuyjdig.dll",xbsccpf - Things don't usually run from this folder.
O23 - Service: dopewars server (dopewars-server) - Unknown owner - C:\Games\Dopewars\dopewars.exe (file missing)
And delete these too? That dopewars one may have been a failed uninstall I did on the game, so if I can get rid of that it'd be good. Once this is all fixed up I'll upgrade to SP2. Thanks for your help, much appreciated!! |
littledevil (11823) | ||
| 519874 | 2007-01-28 01:21:00 | how do I uninstall java? would it be in "add/remove programmes"? all I can find in there is a couple of updates for "j2se" which has the same icon as java...I assume they're updates for java. That's right, the entries for Java in add/remove programs start with Java(TM) or J2SE. Run hijackthis again and tick all the entries I posted previously FIRST (close the browser/s first). Then uninstall all versions of Java (u may have to reboot). No, don't delete the folders for the entries in the log. Some of them still have programs in them. Most of the entries in the startup bit are so they run on startup. Ticking the entries doesn't remove the whole program. |
Speedy Gonzales (78) | ||
| 519875 | 2007-01-28 01:41:00 | ah sweet, so uninstalling the updates will remove java too? I've 'fixed' all the entries you mentioned through HJT now, so just need to reinstall java and download the other programmes now. can you please confirm which java file I'm supposed to be downloading from that website? that link you gave doesn't take me to a download page... thanks again. hopefully will be sorted this time! |
littledevil (11823) | ||
| 519876 | 2007-01-28 01:51:00 | ah sweet, so uninstalling the updates will remove java too? I've 'fixed' all the entries you mentioned through HJT now, so just need to reinstall java and download the other programmes now. can you please confirm which java file I'm supposed to be downloading from that website? that link you gave doesn't take me to a download page... thanks again. hopefully will be sorted this time!
Don't forget to click on fix checked in HJT too when u select the entries I posted. No, if there's more than 1 Java entry in add/remove programs, you'll have to uninstall ALL entries relating to Java in add/remove programs. The version u want is here (sdlc5d.sun.com). The first one, jre-6-windows-i586.exe, 12.26mb. That url I gave is the download page u have to accept before u download. |
Speedy Gonzales (78) | ||