It finally happened--My computer downloaded a Trojan

WinAntiSpyware 2007 was the name of the thing. I found a link on Wikipedia to a program designed specifically to remove it. After investigating further, I determined this anti-WinAntiSpyware program was legit, and I downloaded and ran it, and the trojan itself seems to have been removed.

But it left behind a bunch of stuff. I keep getting IExplorer popups, and it even places icons (shortcuts to webpages) on my desktop every now and then!

In my task manager I find the following processes which I do not recognize:

retadpu77
winpop
was7mon (which is associated with WinAntiSpyware so looks like that’s not been completely removed at all.)
hyrojtaA (which I can not find mention of online).

I looked up retadpu77 through Google, and I see several pages wherein people are asking for advice on how to remove it. In each case, someone asks them to post long lists of registry key entries and so forth, then gives the person highly individualized advice as to how to remove the thing from their particular system.

My question is, is there any quite general procedure I can use to get rid of it? Or is it actually necessary, after all, for me to download something called “Hijack This” and have it spit out a long document, let a techie read it, then download something called “combofix” (this is what I see on each of the websites wherein I’ve found advice so far), show its list to a tech-type person, then go through and delete specific entries, and so on and so on?

If so, then, um, does anyone here want to help me? :frowning:

-FrL-

Oops, there’s more:

mpdsregp
webbuying
arpa

These also show up in my task manager and are bad. Geez, maybe these have been there for a while and I just never noticed. I confess to some laxity over the past year or so when it comes to my system’s security.

Dammit.

-FrL-

Here’s a pretty good walkthrough of the steps you should take.

I just had a similar issue. I used Norton. I used Spybot Search & Destroy. I used VundoFix. All found stuff and said they fixed it. But the next day the problem returned. But ComboFix seems to have solved my problem.

Brian

I got hit by this little bugger a few weeks ago. It is an insidious bastard - pop-ups all over the place, and constantly trying to download other programs. I went to http://www.pchell.com to find some advice, and went through their multi-step process, which seemed to make sense and was easy enough for the most part. The Hijack This thing really requires letting a techie look at it if you aren’t familiar with what the good programs on your computer are.

In the end my computer was over three years old, so after a few attempts I said screw it and went out and got a new one. Now, if you would like to hear my review of Vista, I’ll be glad to share.

I just spent 10 hours trying to remove a trojan from a friend’s computer. What a major clusterf*&k! I finally managed to remove the trojan, but it managed to corrupt EXPLORER.EXE - I could get to windows, but there was no desktop/start menu/etc. I could get to Task Manager and run applications, but it was basically borked.

A reinstall of SP2 and a repair install of XP didn’t fix EXPLORER. It needed a complete re-install.

People who write trojans are a special kind of jerk.

A slight piece of advice, but never, ever use anything Norton... ever.

I ran combofix just now. It gave me a log file telling me what it had found, but I can’t tell whether it actually did anything.

I think the problem seems better, but I did just get a pop-up. There don’t seem to be as many though.

-FrL-

W/ apologies, FTR, here’s the log file:

"Jessica" - 2007-07-26 8:18:51 [GMT -7:00] - ComboFix 07-07-24 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\wvuutuu.dll

* POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users.\documents\setup.exe
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Messenger ecodol83122.dll
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\wr-1-0000077.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\temp\n3
C:\WINDOWS\b122.exe
C:\WINDOWS\dls0523pmw.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\setup.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\b10FdUe
C:\WINDOWS\system32\b10FdUe\b10FdUe1099.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\ecurit~1\r?ndll32.exe
C:\WINDOWS\system32\G1
C:\WINDOWS\system32\G1\kmhp83122.exe
C:\WINDOWS\system32\G11
C:\WINDOWS\system32\G11\z553.exe
C:\WINDOWS\system32\G3
C:\WINDOWS\system32\G3\wr725.exe
C:\WINDOWS\system32\G5
C:\WINDOWS\system32\G5\ns2.exe
C:\WINDOWS\system32\G7
C:\WINDOWS\system32\G9
C:\WINDOWS\system32\rqaql.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wtsicomsv.exe
C:\WINDOWS\TISKY009.exe
C:\WINDOWS\wr.txt
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CORE
-------\LEGACY_FOPN
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\core
-------\Net Agent
((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))
2007-07-26 08:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 01:05 <DIR> d-------- C:\Program Files\SSRemoval Tool
2007-07-26 00:23 6,467 ---hs---- C:\WINDOWS\system32\edeeg.bak1
2007-07-26 00:22 228,960 --a------ C:\WINDOWS\system32\geede.dll
2007-07-26 00:17 626,352 -r-hs---- C:\WINDOWS\hyrojtaA.exe
2007-07-26 00:17 54,784 --a------ C:\WINDOWS\hyrojta.exe
2007-07-26 00:17 171,520 --a------ C:\WINDOWS\system32\lkwicmj.dll
2007-07-26 00:16 31,254 --a------ C:\WINDOWS\system32\fccyvvv.dll
2007-07-26 00:16 <DIR> d-------- C:\Temp\brr
2007-07-26 00:16 <DIR> d-------- C:\Temp\0c2
2007-07-26 00:16 <DIR> d-------- C:\Temp
2007-06-29 10:49 <DIR> d-------- C:\DOCUME~1\Jacob\APPLIC~1\Yahoo! Messenger
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-26 15:36:28 -------- d-----w C:\Program Files\Messenger
2007-07-26 15:10:31 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-07-16 22:29:31 -------- d-----w C:\Program Files\Yahoo!
2007-07-16 22:23:37 -------- d-----w C:\Program Files\ICQ
2007-07-16 22:20:33 -------- d-----w C:\Program Files\SlideShow
2007-06-01 18:10:10 -------- d-----w C:\Program Files\America Online 7.0
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-05-29 18:10:22 70,736 ----a-w C:\DOCUME~1\Jessica\APPLIC~1\GDIPFONTCACHEV1.DAT
2006-05-18 02:06:17 524,300 ----a-w C:\DOCUME~1\Jessica\APPLIC~1\position.bin
2006-05-16 03:31:16 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-04-24 00:07:40 585,728 ----a-w C:\DOCUME~1\Jessica\APPLIC~1\arasan.exe
2006-04-23 01:22:56 999,424 ----a-w C:\DOCUME~1\Jessica\APPLIC~1\arasanx.exe
2006-04-18 02:49:42 1,179,648 ----a-w C:\DOCUME~1\Jessica\APPLIC~1\book.bin
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 00:16 31254 --a------ C:\WINDOWS\system32\fccyvvv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{b8f25cdd-bbc2-4a5d-8cc9-bc886aff5012}]
2007-07-26 00:17 171520 --a------ C:\WINDOWS\system32\lkwicmj.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{BF79CAEE-5A1C-4877-A482-2E249B08CB4C}]
2007-07-26 00:22 228960 --a------ C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-31 10:07]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-02-08 15:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-02-23 17:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 16:07]
"nwiz"="nwiz.exe" [2006-08-11 22:43 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 01:27]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=Narrator.exe

C:\Documents and Settings\Jessica\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50]
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-05-09 16:54:38]
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2005-05-16 15:38:42]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Clean Access Agent.lnk - C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe [2007-05-09 16:54:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\fccyvvv.dll [2007-07-26 00:16 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyvvv]
fccyvvv.dll 2007-07-26 00:16 31254 C:\WINDOWS\system32\fccyvvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geede]
C:\WINDOWS\system32\geede.dll 2007-07-26 00:22 228960 C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\Program Files\Common Files\Stardock\mcpstub.dll 2003-08-25 10:25 139264 C:\Program Files\Common Files\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\susp]
C:\WINDOWS\susp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TVTMD]
C:\WINDOWS\TVTMD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebSavingsfromEbates]
wjview /cp:p "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"

R1 Kbdclass;Keyboard Class Driver;C:\WINDOWS\system32\DRIVERS\kbdclass.sys
R1 Mouclass;Mouse Class Driver;C:\WINDOWS\system32\DRIVERS\mouclass.sys
R1 SSHDRV85;SSHDRV85;\??\C:\WINDOWS\system32\drivers\SSHDRV85.sys
R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS
R2 IOPort;IOPort;\??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS
R2 TBPanel;TBPanel;C:\WINDOWS\system32\drivers\TBPanel.sys
R3 Gpc;Generic Packet Classifier;C:\WINDOWS\system32\DRIVERS\msgpc.sys
R3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 Cardex;Cardex;\??\C:\WINDOWS\system32\drivers\TBPANEL.SYS
S3 gUSBSTOi;gUSBSTOi;\??\C:\DOCUME~1\Kris\LOCALS~1\Temp\gUSBSTOi.sys
S3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-26 08:45:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001ee

scanning hidden files ...

scan completed successfully
hidden files: 0


Completion time: 2007-07-26 8:51:26 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-26 08:51

--- E O F ---
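The part of a log like this that a helper actually reads is the "Reg Loading Points" section, checked against the "Files Created" section: an autostart entry whose binary appeared in the last thirty days is the one worth looking at, while Run entries dating from 2004-2006 are the machine's normal software. The script below does that correlation. It is an added example for this thread, not ComboFix's code or anything a poster supplied; it assumes only the section banners and line layouts visible in the log above, and SAMPLE_LOG is a trimmed excerpt of that log constructed for the demo, with the backslashes the forum software swallowed put back.

```python
"""Triage a ComboFix-style log: flag autostart entries whose binary was created
in the log's 30-day window. Added example for this thread; it assumes only the
banners and line layouts visible in the posted log (SAMPLE_LOG is an excerpt)."""
import re
from collections import namedtuple

# Constructed excerpt of the log posted above (forum-eaten backslashes restored).
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-06-26 to 2007-07-26 )))))))))))))))))))))))))))))))
2007-07-26 01:05 <DIR> d-------- C:\Program Files\SSRemoval Tool
2007-07-26 00:22 228,960 --a------ C:\WINDOWS\system32\geede.dll
2007-07-26 00:17 171,520 --a------ C:\WINDOWS\system32\lkwicmj.dll
2007-07-26 00:16 31,254 --a------ C:\WINDOWS\system32\fccyvvv.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-26 00:16 31254 --a------ C:\WINDOWS\system32\fccyvvv.dll

[HKEY_LOCAL_MACHINE~\Browser Helper Objects\{BF79CAEE-5A1C-4877-A482-2E249B08CB4C}]
2007-07-26 00:22 228960 --a------ C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-31 10:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\fccyvvv.dll [2007-07-26 00:16 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fccyvvv]
fccyvvv.dll 2007-07-26 00:16 31254 C:\WINDOWS\system32\fccyvvv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geede]
C:\WINDOWS\system32\geede.dll 2007-07-26 00:22 228960 C:\WINDOWS\system32\geede.dll
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "(((( Section name ))))" banner
KEY_RE = re.compile(r"^\[(.+)\]$")                         # "[HKEY_...]" key header
STARTUP_DIR_RE = re.compile(r"^[A-Za-z]:\\.*\\Startup$", re.IGNORECASE)  # bare folder header
# "2007-07-26 00:16 31,254 --a------ C:\WINDOWS\system32\fccyvvv.dll" -> date time size attrs path
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+)$")
# Any drive-rooted path ending in an executable, library or driver extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|sys)\b', re.IGNORECASE)

def section_lines(text, prefix):
    """Yield the stripped lines of the first section whose banner starts with prefix."""
    inside = False
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            if inside:
                return
            inside = m.group(1).startswith(prefix)
        elif inside:
            yield line.strip()

def recent_files(text):
    """{lower-cased path: 'date time'} from 'Files Created from ...', directories excluded."""
    found = {}
    for line in section_lines(text, "Files Created"):
        m = CREATED_RE.match(line)
        if m and m.group(3) != "<DIR>":
            found[m.group(5).lower()] = f"{m.group(1)} {m.group(2)}"
    return found

def classify(key):
    """Name the persistence mechanism behind a loading-point key."""
    k = key.lower()
    for needle, kind in (("browser helper objects", "BHO"), ("shellexecutehooks", "ShellExecuteHook"),
                         ("winlogon\\notify", "Winlogon Notify"), ("currentversion\\run", "Run key")):
        if needle in k:
            return kind
    return "Startup folder" if k.endswith("\\startup") else "other"

def autostart_entries(text):
    """(key, path) pairs from 'Reg Loading Points', in order, without duplicates."""
    entries, seen, key = [], set(), None
    for line in section_lines(text, "Reg Loading Points"):
        if not line:
            key = None  # a blank line closes the current key's entry block
            continue
        m = KEY_RE.match(line)
        if m or STARTUP_DIR_RE.match(line):
            key = m.group(1) if m else line
            continue
        for path in PATH_RE.findall(line) if key else ():   # lines before any key are skipped
            if (key.lower(), path.lower()) not in seen:
                seen.add((key.lower(), path.lower()))
                entries.append((key, path))
    return entries

Finding = namedtuple("Finding", "key path persistence created")

def triage(text):
    """Autostart entries whose binary appeared inside the log's file-creation window."""
    recent = recent_files(text)
    return [Finding(key, path, classify(key), recent[path.lower()])
            for key, path in autostart_entries(text) if path.lower() in recent]
```

`triage(SAMPLE_LOG)` returns five findings: fccyvvv.dll loaded as a BHO, as a ShellExecuteHook and from Winlogon\Notify, and geede.dll as a BHO and from Winlogon\Notify, each stamped with the creation time from the "Files Created" section. The RealPlayer scheduler in the Run key is listed by `autostart_entries` but never flagged, because its file is three years older than the window; that separation is the whole point of asking for the log before telling someone what to delete.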

FYI

Combofix seems indeed to have almost fixed it. The only problem left is a very occasional pop up (“brought to you by WebBuying”) while I am running internet explorer. I’ll find a way to fix this when I come back home from work tonight.

-Kris

Probably too late for this advice, but did you try reverting to a recent system restore point? That always worked for me anytime I screwed up my Windows machine.

Also, your computer downloaded a trojan? :dubious: :wink:

I wasn’t sure how that works. Wouldn’t it just have “restored” me to the point right after the malware had been installed? I didn’t know, and so decided to try other means.

:confused: I don’t get it.

-FrL-

Your computer isn’t going to spontaneously download something, so you downloaded it.

Incorrect. If you go to some websites and you have inadequate security software, they can push malicious scripts onto your machine.

Nope, computers don’t do anything they are not told to do. He downloaded it, indirectly, but still it was him.

This has been fairly common in the last few weeks (I run a pc repair shop). Clean reloads are the easy way to go so far AFAIK.

Generally our approach is

superantispyware
AVG
rogueremover
avast
windows antispyware
trojan hunter

If those don’t get it, backup personal files and reload from scratch.

A website exploiting a bug in IE told the computer to download the trojan. Or perhaps it was an unsecured port and an external attacker used it to cause the computer to accept the trojan. In both of those cases the home operator cannot be said to have downloaded the trojan.

True, but how often do either of those things happen? In real life, I mean, not security mailing list stories. Compared to the number of trojans that are actually downloaded and installed carelessly by users.

I was just poking a bit of fun, though. I wasn’t sure which combination of smileys to use to make that clear. I guess my “dubious wink” didn’t work. I didn’t mean any offense.

A System Restore will restore your system at the point the restore was created. So, you’d want to restore to one that was created before your computer (;)) installed the trojan. Often, a restore point is created right before you install anything, so if you have a restore point from that day, it may very well have been the one you want.

At any rate, all’s well that ends well.
ETA: I like the Google ad. Is that because we keep saying “trojan”?

There are tons of articles online about how an unpatched Windows XP computer will get something loaded onto it within 15 minutes of being connected to the internet, so I would say it happens a lot.

I would suggest the best way to fix that is to STOP “running internet explorer”. Download Firefox and run it instead. You will almost never see popups.

I was wrong. IExplorer popups are showing up no matter what browser I’m using. (And I do already have Firefox, btw.)

And FTR, the trojan was picked up while Netscape was running, not iexplorer.

-FrL-