Win32/TrojanDownloader.Small.RR trojan HELP!!!!!

Discussion in 'malware problems & news' started by Leke, Aug 9, 2004.

Thread Status:
Not open for further replies.
  1. Leke

    Leke Registered Member

    Joined:
    Aug 9, 2004
    Posts:
    4
    Well well well, this virus/trojan or malware is the biggest pain in the buttox...

    OK, I have NOD32 antivirus and its internet monitor is picking up this virus Win32/TrojanDownloader.Small.RR trojan.

    Here are the details of some of the exes the virus is making and trying to connect to the internet with:

    Time Module Object Name Virus Action User Info
    8/9/2004 21:04:43 PM AMON file C:\WINDOWS\System32\2tppexgdf8.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
    8/9/2004 21:03:42 PM AMON file C:\WINDOWS\System32\7tdief1ucwj.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
    8/9/2004 21:02:39 PM AMON file C:\WINDOWS\System32\0emg1x57fhmkb.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
    8/9/2004 21:01:56 PM AMON file C:\WINDOWS\System32\p7kp19y37a.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
    8/9/2004 21:01:55 PM AMON file C:\WINDOWS\System32\ux3wiv1yln.exe Win32/TrojanDownloader.Small.RR

    I have run Adware 6, I ran Spybot, I ran the NOD32 virus scanner, I ran Trend Micro's HouseCall, and NOTHING will detect or get rid of it. The only reason I know it's a virus is because the internet monitor somehow detects it, because it's trying to connect to some server named t34rulit.com.

    My firewall, Sygate Pro, has also detected the exes trying to connect; here are the details:

    08/09/2004 18:04:12 Blocked 3 Outgoing TCP t34rulit.com [69.31.85.148] 00-09-F3-06-36-72 80 211.26.8.253 00-09-F3-06-36-74 2151 C:\WINDOWS\system32\zvaaf6e99z.exe Paul Nirvak HOME-NEXDJ8RT1T Normal 3 08/09/2004 18:03:34 08/09/2004 18:03:42 GUI%GUICONFIG#SRULE@ADVRULECONFIG#Normal_101

    I did a backtrace on the server t34rulit.com and it comes up with these 2 companies:

    nLayer Communications, Inc. NLYR-ARIN-BLK2 (NET-69-31-0-0-1)
    69.31.0.0 - 69.31.143.255
    Pilosoft, Inc. NLYR-69-31-80-0-1 (NET-69-31-80-0-1)
    69.31.80.0 - 69.31.87.255

    So can someone PLEASE EXPLAIN HOW I GET RID OF THIS ANNOYING PIECE OF S#@^. Thank you.

    The NOD32 antivirus detector AMON continually pops up with random exe files being infected, and they all want to connect to the internet. It causes serious lag in online gaming!!! The virus has somehow made over 90 exe files, but they don't exist; I have tried searching for them, and yes, I have changed the hidden file options, plus the system files are shown.
     
  2. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Well, what is your operating system? I assume it is Win XP.
    Check your task manager (press Ctrl+Alt+Del, Processes tab) to see if there are processes like
    C:\WINDOWS\System32\ux3wiv1yln.exe
    you know, randomly named exes. If you find any, highlight that process, then click on End Process. Reboot into safe mode (tap F8 at boot) and do a full system scan with NOD32, allowing it to clean or delete the infections found.
    If this doesn't work, we will have to do a little more.
     
  3. Leke

    Leke Registered Member

    Joined:
    Aug 9, 2004
    Posts:
    4
    Yes, my operating system is Windows XP Pro.

    There are no exe files in the task manager. They only appear every so often, with a different name each time. Example: 2tppexgdf8.exe, then 7tdief1ucwj.exe. It's as if something is creating these files to connect to that server. Is it possible it's another virus that no one's aware of yet?

    My firewall is blocking the created exes from connecting; it has blocked their outgoing traffic. Then the exe files disappear and a new one creates itself to try again and connect to the same server, which in my case is

    t34rulit.com [69.31.85.148]

    Yes, I did the F8 into safe mode and ran my NOD32 virus scan. It detected nothing.

    Looks like I will be doing a little more?? What else is there?
     
  4. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    Looks like I'll need your HijackThis log to work with.

    Please do this.
    Download 'Hijack This!': http://www.spywareinfoforum.com/~merijn/files/hijackthis.zip
    Unzip to a convenient permanent folder, double click HijackThis.exe, and hit "Scan".

    When the scan is finished, the "Scan" button will change into a "Save Log" button.
    Press that, save the log, open it with Notepad, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet. Someone here will be happy to analyze the results for you.
     
  5. Leke

    Leke Registered Member

    Joined:
    Aug 9, 2004
    Posts:
    4
    Logfile of HijackThis v1.98.2
    Scan saved at 1:08:15 AM, on 8/10/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0dzv6n2di0y9.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab28578.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab28578.cab
    O20 - AppInit_DLLs: 6ti53r1mcgi.tlb
     
  6. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0dzv6n2di0y9.dll (file missing) is this cwsearch variant
    https://www.wilderssecurity.com/showpost.php?p=229285&postcount=28

    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O20 - AppInit_DLLs: 6ti53r1mcgi.tlb

    Fix those above, and delete the associated files.
    Pay special attention to what Pieter wrote in that link.

    Try to scan with the Trend Micro online scanner.

    Also see "How did I get infected in the first place?".

    If you encounter any further troubles with this, try posting your HJT log at Computer Cops, for instance.
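    The two posted logs and Leke's AMON and Sygate excerpts share a small set of mechanically checkable indicators: binaries in System32 with random-looking names, HijackThis entries whose backing file is gone, a non-empty AppInit_DLLs value, and one remote host every dropped exe tries to reach. The Python below is an added example written for this page, not code from the thread or from NOD32, Sygate or HijackThis. Its sample lines are copied from the posts above (a subset, not full logs), the "random name" regex is a heuristic chosen here rather than anything those tools implement, and the allowlist of legitimate digit-bearing filenames is constructed from the logs in this thread.

```python
"""Triage helpers for the indicators in this thread: randomly named droppers in
System32, an AppInit_DLLs hook, and the host the droppers phone home to."""
import re
from collections import Counter

# The dropper writes binaries named like 2tppexgdf8.exe or 6ti53r1mcgi.tlb: 8-16
# lowercase letters and digits mixed together, no recognisable word.  Legitimate
# names that happen to fit the pattern go on an allowlist; this one is constructed
# from the logs in the thread, a real deployment would use a known-good inventory.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,16}\.(?:exe|dll|tlb|hta)$")
KNOWN_OK = {"devldr32.exe", "ati2evxx.exe", "nod32kui.exe", "nod32krn.exe",
            "olfsnt40.exe", "remind32.exe", "rundll32.exe"}


def looks_random(path):
    """True if the basename of `path` fits the dropper's naming pattern."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name not in KNOWN_OK and bool(RANDOM_NAME.match(name))


HJT_LINE = re.compile(r"^(O\d+|R\d)\s*-\s*(.*)$")
FILE_TOKEN = re.compile(r"[A-Za-z0-9_]+\.(?:exe|dll|tlb|hta)\b", re.I)


def triage_hjt(log_text):
    """Return (line, reason) pairs for HijackThis entries worth a second look:
    BHO / toolbar / MIME-filter entries whose file is gone, a non-empty
    AppInit_DLLs value (normally empty on XP), a Run key launching an .hta,
    and any random-looking filename on the line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, rest = m.groups()
        reasons = []
        if section == "O2" and "(file missing)" in rest:
            reasons.append("BHO whose DLL is missing")
        if section in ("O3", "O18") and "(no file)" in rest:
            reasons.append(section + " entry with no backing file")
        if section == "O4" and re.search(r"\.hta\b", rest, re.I):
            reasons.append("Run entry launching an .hta script")
        if section == "O20" and rest.startswith("AppInit_DLLs") and rest.split(":", 1)[-1].strip():
            reasons.append("AppInit_DLLs is set")
        for token in FILE_TOKEN.findall(rest):
            if looks_random(token):
                reasons.append("random-looking filename " + token)
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


WIN_PATH = re.compile(r"[A-Za-z]:\\\S+")
HOST_IP = re.compile(r"([A-Za-z0-9.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def extract_indicators(log_text):
    """From AMON / Sygate style lines, count the random-named binaries seen and
    collect the (hostname, ip) pairs they were blocked from reaching."""
    names = Counter()
    remotes = set()
    for line in log_text.splitlines():
        for path in WIN_PATH.findall(line):
            if looks_random(path):
                names[path.rsplit("\\", 1)[-1].lower()] += 1
        for host, ip in HOST_IP.findall(line):
            remotes.add((host.lower(), ip))
    return names, remotes


# Sample input copied from the posts above: five AMON alerts, one Sygate block
# entry, and selected HijackThis lines from both logs (a subset, not a full log).
SAMPLE_LOGS = r"""
8/9/2004 21:04:43 PM AMON file C:\WINDOWS\System32\2tppexgdf8.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:03:42 PM AMON file C:\WINDOWS\System32\7tdief1ucwj.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:02:39 PM AMON file C:\WINDOWS\System32\0emg1x57fhmkb.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:01:56 PM AMON file C:\WINDOWS\System32\p7kp19y37a.exe Win32/TrojanDownloader.Small.RR trojan HOME-NEXDJ8RT1T\Paul Nirvak
8/9/2004 21:01:55 PM AMON file C:\WINDOWS\System32\ux3wiv1yln.exe Win32/TrojanDownloader.Small.RR
08/09/2004 18:04:12 Blocked 3 Outgoing TCP t34rulit.com [69.31.85.148] 00-09-F3-06-36-72 80 211.26.8.253 00-09-F3-06-36-74 2151 C:\WINDOWS\system32\zvaaf6e99z.exe Paul Nirvak HOME-NEXDJ8RT1T Normal
"""
SAMPLE_HJT = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\0dzv6n2di0y9.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [xvwiz32] C:\WINDOWS\system32\xvwizard32.hta
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O20 - AppInit_DLLs: 6ti53r1mcgi.tlb
"""

if __name__ == "__main__":
    for line, why in triage_hjt(SAMPLE_HJT):
        print("FLAG", why, "<-", line)
    names, remotes = extract_indicators(SAMPLE_LOGS)
    print("dropped binaries:", sorted(names))
    print("remote hosts:", sorted(remotes))
```

    Run as-is it flags the O2, O3, O4 (.hta), O18 and O20 lines while leaving the &Radio toolbar, the NVIDIA Run entry and the Java console entry alone, and it reduces the AMON and Sygate excerpts to six random-named binaries all aimed at t34rulit.com [69.31.85.148]. The name heuristic is deliberately narrow (letters and digits mixed, 8 to 16 characters), so a filename such as nvsvc32.exe or E_SRCV03.EXE is not flagged; anything a site knows to be legitimate but that still matches belongs on the allowlist rather than in a looser regex.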
     
  7. Leke

    Leke Registered Member

    Joined:
    Aug 9, 2004
    Posts:
    4
    OK, cool as, man, thanks heaps for everyone's help. That HijackThis program I think made it go away completely. I think it was a virus that was gone, but the registry was still trying to connect to it and making it screw around all the time.

    The exes aren't creating themselves anymore, it's fine, and the NOD32 AMON virus detector doesn't keep popping up with virus detections.

    Plus the firewall isn't seeing the exes trying to connect anymore.

    I did a new virus scan with the latest signatures just about 20 mins ago and it didn't pick anything up, so I think I'm all good now.

    Again, thanks all. You guys were the quickest to respond and get results out of 3 support forums. Congrats.

    See ya's, have a good one.
     
    Last edited: Aug 10, 2004
  8. illukka

    illukka Spyware Fighter

    Joined:
    Jun 23, 2003
    Posts:
    633
    Location:
    S.A.V.O
    That is one of the reasons why Wilders stopped doing unrequested hijack logs: the flood of logs at various forums, and the same logs being posted at all hijack help forums by the same people -> the same log being fixed at every forum, when those HJT experts would've been better off spending their time on logs which were not answered anywhere. That's a terrible waste of someone's time.
     
  9. michele

    michele Guest

    Hi, I have the same problem that "Leke" had. My computer tries to connect to the server t34rulit.com. Can you help me?
    This is my log, made with "HijackThis".

    Logfile of HijackThis v1.98.2
    Scan saved at 16.43.21, on 21/08/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\mysql\bin\mysqld-max-nt.exe
    C:\Programmi\Kerio\Personal Firewall\persfw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
    C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\michele\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.libero.it/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\hvka543xy5rcmu.dll (file missing)
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Programmi\File comuni\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ATIPTA] C:\Programmi\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmi\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [xvwiz32] C:\WINDOWS\system32\xvwizard32.hta
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Programmi\Norton Internet Security\UrlLstCk.exe
    O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
    O4 - Startup: Registrazione elettronica Corel® - Corel® Custom Photo.lnk = C:\Programmi\Corel\Custom Photo\Register\Remind32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Porta Symantec Fax Starter Edition.lnk = C:\Programmi\Microsoft Office\Office\1040\OLFSNT40.EXE
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programmi\File comuni\Adobe\Calibration\Adobe Gamma Loader.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\MSMSGS.EXE
    O18 - Filter: text/plain - (no CLSID) - (no file)
    O20 - AppInit_DLLs: yy15e7u8764j7.tlb
     
  10. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
  11. Mattykrab

    Mattykrab Guest

    Hi, I've had this AMAZING spyware for the past week and nothing I've tried can remove it. I'm at a total loss for how it's creating these random EXEs and running them exactly... I've downloaded a few programs for listing hidden processes in hopes of finding the culprit parent file, but no luck.

    Of course I have all the same problems as Leke, but my "hijackthis" log is clean. This forum is the ONLY place I've found that mentions this problem, so I really hope someone has an idea. Otherwise, I suppose I can just block port 3334 (where it's trying to connect from) and just let it do its thing in the background. It's the MOST annoying spyware I've ever encountered. Thanks in advance; I'd greatly appreciate any help at all.

    Also Michelle, I know lines O2 and O20 from the log should be deleted... and you have some weird directory names ("programmi" and "file comuni"?)
     
  12. michele

    michele Guest

    I'm Italian, and in my operating system these folders are called that by default.
     