#1
Well well well, this virus/trojan or malware is the biggest pain in the buttocks.....
OK, I have NOD32 antivirus and its internet monitor is picking up this virus Win32/TrojanDownloader.Small.RR trojan. Here are the details of some of the exe's the virus is making and trying to connect to the internet with...

Time Module Object Name Virus Action User Info
8/9/2004 21:04:43 PM AMON file C:\WINDOWS\System32\2tppexgdf8.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:03:42 PM AMON file C:\WINDOWS\System32\7tdief1ucwj.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:02:39 PM AMON file C:\WINDOWS\System32\0emg1x57fhmkb.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:01:56 PM AMON file C:\WINDOWS\System32\p7kp19y37a.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:01:55 PM AMON file C:\WINDOWS\System32\ux3wiv1yln.exe Win32/TrojanDownloader.Small.RR

I have run Adware 6, I ran Spybot, I ran the NOD32 virus scanner, I ran Trend Micro's HouseCall and NOTHING will detect or get rid of it. The only reason I know it's a virus is because the internet monitor somehow detects it, because it's trying to connect to some server named t34rulit.com. My firewall Sygate Pro has also detected the exe's trying to connect; here are the details:

08/09/2004 18:04:12 Blocked 3 Outgoing TCP t34rulit.com [69.31.85.148] 00-09-F3-06-36-72 80 211.26.8.253 00-09-F3-06-36-74 2151 C:\WINDOWS\system32\zvaaf6e99z.exe Paul Nirvak HOME-NEXDJ8RT1T Normal 3 08/09/2004 18:03:34 08/09/2004 18:03:42 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_101

I did a backtrace on the server t34rulit.com and it comes up with these 2 companies.

nLayer Communications, Inc. NLYR-ARIN-BLK2 (NET-69-31-0-0-1) 69.31.0.0 - 69.31.143.255
Pilosoft, Inc. NLYR-69-31-80-0-1 (NET-69-31-80-0-1) 69.31.80.0 - 69.31.87.255

So can someone PLEASE EXPLAIN HOW I GET RID OF THIS ANNOYING PIECE OF S#@^.
Thank you. The NOD32 antivirus detector AMon continually pops up with random exe files being infected and they all want to connect to the internet. It causes serious lag on online gaming!!! The virus has somehow made over 90 exe files but they don't exist; I have tried searching for them and yes, I have changed the hidden file options plus the system files shown.
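The two logs in the post above carry the whole story between them: the antivirus sees a different executable every minute, each one only once, and the firewall sees those same executables all heading for one host. As an added example (my own code, not anything from the thread, NOD32 or Sygate), the Python below correlates the two sources and states that pattern explicitly. The column layouts are assumptions, simplified from what the post shows; the sample lines are constructed from the values quoted above, with the last AMON line completed and a second firewall line invented to show a repeat hit.

```python
"""Correlate antivirus on-access detections with personal-firewall block entries
to characterise a "regenerating dropper": many one-shot, randomly named executables
in System32, all hit by the same signature, all reaching for the same host.
Added example; the log formats below are assumptions, not real product exports."""
import re
from collections import Counter

# Constructed NOD32 AMON entries: date time AM/PM, module, object type, path,
# threat name, user. Real AMON exports may use a different column layout.
AMON_LOG = r"""
8/9/2004 21:04:43 PM AMON file C:\WINDOWS\System32\2tppexgdf8.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:03:42 PM AMON file C:\WINDOWS\System32\7tdief1ucwj.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:02:39 PM AMON file C:\WINDOWS\System32\0emg1x57fhmkb.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:01:56 PM AMON file C:\WINDOWS\System32\p7kp19y37a.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:01:55 PM AMON file C:\WINDOWS\System32\ux3wiv1yln.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
"""

# Constructed, simplified Sygate-style block entries: date time, action, direction,
# protocol, remote host [ip], remote port, local port, process. The second line is
# invented to show a repeat hit on the same destination from another dropped file.
FIREWALL_LOG = r"""
08/09/2004 18:04:12 Blocked Outgoing TCP t34rulit.com [69.31.85.148] 80 2151 C:\WINDOWS\system32\zvaaf6e99z.exe
08/09/2004 18:03:10 Blocked Outgoing TCP t34rulit.com [69.31.85.148] 80 2150 C:\WINDOWS\system32\ux3wiv1yln.exe
"""

AMON_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) AMON file (?P<path>\S+) "
    r"(?P<threat>\S+(?: trojan)?) (?P<user>.+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Blocked (?P<direction>\w+) (?P<proto>\w+) (?P<host>\S+) "
    r"\[(?P<ip>[\d.]+)\] (?P<rport>\d+) (?P<lport>\d+) (?P<path>\S+)$"
)


def parse_lines(text, pattern):
    """Return one dict per line matching `pattern`; blank or unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def basename(path):
    # Windows paths are case-insensitive: fold so System32 and system32 compare equal.
    return path.rsplit("\\", 1)[-1].lower()


def summarize(amon_text, fw_text):
    """Aggregate both logs into the facts a responder wants at a glance."""
    amon = parse_lines(amon_text, AMON_RE)
    fw = parse_lines(fw_text, FW_RE)
    av_files = Counter(basename(e["path"]) for e in amon)
    fw_files = Counter(basename(e["path"]) for e in fw)
    dests = Counter((e["host"], e["ip"], int(e["rport"])) for e in fw)
    return {
        "av_events": len(amon),
        "av_distinct_files": len(av_files),
        # every file seen exactly once = the dropper writes a fresh name each time
        "av_each_file_once": bool(av_files) and max(av_files.values()) == 1,
        "threats": sorted({e["threat"] for e in amon}),
        "destinations": dests,
        "fw_files": fw_files,
        "files_in_both": sorted(set(av_files) & set(fw_files)),
    }


def verdict(summary):
    """Turn the aggregates into short findings; each rule is this example's own heuristic."""
    notes = []
    if summary["av_distinct_files"] >= 3 and summary["av_each_file_once"]:
        notes.append("regenerating dropper: %d distinct executables, each detected once"
                     % summary["av_distinct_files"])
    if len(summary["destinations"]) == 1:
        (host, ip, port), n = next(iter(summary["destinations"].items()))
        notes.append("single outbound destination %s [%s]:%d blocked %d times" % (host, ip, port, n))
    if summary["files_in_both"]:
        notes.append("AV and firewall agree on: " + ", ".join(summary["files_in_both"]))
    return notes


if __name__ == "__main__":
    for note in verdict(summarize(AMON_LOG, FIREWALL_LOG)):
        print("-", note)
```

The useful output is not the list of file names (they never repeat, so blocking them by name is pointless) but the two things that stay constant: the signature name and the destination host. Those are what the firewall rule and the later HijackThis cleanup in this thread actually key on.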
#2
Well, what is your operating system? I assume it is Win XP.
Check your Task Manager (press Ctrl+Alt+Del, Processes tab) for processes like C:\WINDOWS\System32\ux3wiv1yln.exe, you know, randomly named exes. If you find any, highlight that process, then click on End Process. Reboot into Safe Mode (tap F8 at boot) and do a full system scan with NOD32, allowing it to clean or delete the infections found. If this doesn't work we will have to do a little more..
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak The Truth
#3
Yes, my operating system is Windows XP Pro.
There are no exe files in the Task Manager. They only appear every so often with a different name each time, for example 2tppexgdf8.exe then 7tdief1ucwj.exe. It's as if something is creating these files to connect to that server. Is it possible it's another virus that no one is aware of yet? My firewall is blocking the created exe's from connecting; it has blocked their outgoing traffic. Then the exe files disappear and a new one creates itself to try again and connect to the same server, which in my case is t34rulit.com [69.31.85.148]. Yes, I did the F8 into Safe Mode and ran my NOD32 virus scan. It detected nothing. Looks like I will be doing a little more?? What else is there?
#4
Looks like I'll need your HijackThis log to work with.
Please do this. Download 'Hijack This!': http://www.spywareinfo.com/~merijn/files/hijackthis.zip
Unzip to a convenient permanent folder, double click HijackThis.exe, and hit "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, open it with Notepad, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet. Someone here will be happy to analyze the results for you.
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak The Truth
#5
Logfile of HijackThis v1.98.2
Scan saved at 1:08:15 AM, on 8/10/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0dzv6n2di0y9.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab
O20 - AppInit_DLLs: 6ti53r1mcgi.tlb
#6
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0dzv6n2di0y9.dll (file missing)
Is this the CWSearch variant? http://www.wilderssecurity.com/showp...5&postcount=28
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O20 - AppInit_DLLs: 6ti53r1mcgi.tlb

Fix those above, delete associated files. Pay special attention to what Pieter wrote in that link. Try to scan with the Trend Micro online scanner also. See "How did I get infected in the first place". If you encounter any further troubles with this, try posting your HJT log at Computer Cops, for instance.
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak The Truth
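The reply above picks four lines out of a long log by eye: a BHO whose DLL is gone, a toolbar with no file, and an AppInit_DLLs value pointing at a .tlb with a random-looking name. As an added example (my own code, not HijackThis logic and not anything posted in the thread), the Python below applies that same reasoning mechanically to HijackThis-style lines and says why each line was flagged. The sample lines are constructed from the two logs posted in this thread (including the later one with the .hta Run entry and the empty text/plain filter); the "random name" rule is a heuristic assumption of this example, and the file-extension rules are mine too.

```python
"""Triage pass over HijackThis-style lines: flag entries that point at a missing file,
a non-empty AppInit_DLLs value (and one that is not even a .dll), a Run entry that
launches a script-host file, or a machine-generated-looking filename.
Added example; the rules are this example's own heuristics, not HijackThis logic."""
import re

# Constructed sample, drawn from the two logs posted in this thread.
HJT_LINES = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0dzv6n2di0y9.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [xvwiz32] C:\WINDOWS\system32\xvwizard32.hta
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: 6ti53r1mcgi.tlb
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Bare file names with the extensions we care about, wherever they sit in the line.
FILE_RE = re.compile(r"[\w-]+\.(dll|exe|tlb|hta|ocx|vbs|js)\b", re.I)
MISSING = ("(file missing)", "(no file)")
SCRIPT_EXT = {"hta", "vbs", "js"}


def looks_random(filename):
    """Heuristic (assumption of this example): a stem of 8+ characters whose letters
    and digits alternate at least three times, e.g. 0dzv6n2di0y9 (8 switches) is
    flagged, while nod32kui (2 switches) and xvwizard32 (1 switch) are not."""
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) < 8 or not any(c.isdigit() for c in stem):
        return False
    runs = re.findall(r"\d+|[A-Za-z]+", stem)
    return len(runs) - 1 >= 3


def triage(text):
    """Return (section, line, reasons) for every line that trips at least one rule."""
    flagged = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if any(tag in body for tag in MISSING):
            reasons.append("points at a file that no longer exists (orphaned or self-deleting component)")
        if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that loads user32.dll
            reasons.append("AppInit_DLLs value is set: loaded into every process that loads user32.dll")
        for fm in FILE_RE.finditer(body):
            name, ext = fm.group(0), fm.group(1).lower()
            if section == "O20" and ext != "dll":
                reasons.append("AppInit_DLLs entry is not a .dll (%s)" % name)
            if section == "O4" and ext in SCRIPT_EXT:
                reasons.append("Run entry launches a script-host file (%s)" % name)
            if looks_random(name):
                reasons.append("machine-generated-looking filename (%s)" % name)
        if reasons:
            flagged.append((section, line.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for section, line, reasons in triage(HJT_LINES):
        print(line)
        for r in reasons:
            print("   ->", r)
```

Two caveats worth keeping in mind when reading the output: a "(file missing)" entry is not harmless just because the file is gone, since the loader that recreated the random exe's in this thread was itself one of the missing-file entries; and the random-name rule is deliberately conservative, so a dropped file like 2tppexgdf8.exe (only two letter/digit switches) would slip past it and still needs the human eye the reply above applied.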
#7
OK cool as man, thanks heaps for everyone's help. That HijackThis program I think made it go away completely. I think it was a virus but was gone, but the registry was still trying to connect to it and making it screw around all the time.
The exe's aren't creating themselves anymore, it's fine, and the NOD32 AMon virus detector doesn't keep popping up with virus detections, plus the firewall isn't seeing the exe's trying to connect anymore. I did a new virus scan with the latest signatures just about 20 mins ago and it didn't pick anything up, so I think I'm all good now. Again thanks all. You guys were the quickest to respond and get results out of 3 support forums, congrats. Cya's, have a good one.
Last edited by Leke : August 10th, 2004 at 06:08 AM.
#8
That is one of the reasons why Wilders stopped doing unrequested hijack logs: the flood of logs at various forums, and the same logs being posted at all hijack help forums by the same people -> the same log being fixed at every forum, when those HJT experts would've been better off spending their time on logs which were not answered anywhere. That's a terrible waste of someone's time.
__________________
a proud supporter of THE GLORIOUS REDS To Ride, Shoot Straight And Speak The Truth
#9
Hi, I have the same problem that "Leke" had. My computer tries to connect to the server t34rulit.com. Can you help me?
This is my log made with "HijackThis".

Logfile of HijackThis v1.98.2
Scan saved at 16.43.21, on 21/08/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\mysql\bin\mysqld-max-nt.exe
C:\Programmi\Kerio\Personal Firewall\persfw.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\michele\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hvka543xy5rcmu.dll (file missing)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [xvwiz32] C:\WINDOWS\system32\xvwizard32.hta
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmi\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: Registrazione elettronica Corel® - Corel® Custom Photo.lnk = C:\Programmi\Corel\Custom Photo\Register\Remind32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: yy15e7u8764j7.tlb
#10
Hi michelle
Welcome to Wilders. Unless specifically asked for by the staff or a Spyware Fighter, we no longer have hijack cleaning services. More info and help here: http://www.wilderssecurity.com/showthread.php?t=42149
snowbound
__________________
Mac OS X 10.6.2
#11
Hi, I've had this AMAZING spyware for the past week and nothing I've tried can remove it. I'm at a total loss for how it's creating these random EXEs and running them exactly... I've downloaded a few programs for listing hidden processes in hopes of finding the culprit parent file, but no luck.
Of course I have all the same problems as Leke, but my "hijackthis" log is clean. This forum is the ONLY place I've found that mentions this problem, so I really hope someone has an idea. Otherwise, I suppose I can just block port 3334 (where it's trying to connect from) and just let it do its thing in the background. It's the MOST annoying spyware I've ever encountered. Thanks in advance, I'd greatly appreciate any help at all. Also Michelle, I know lines O2 and O20 from the log should be deleted... and you have some weird directory names ("programmi" and "file comuni"?)
#12
I'm Italian, and in my operating system these folders are called that by default.