PC Infected Full of TROJANS......Can’t Delete & Keep Coming Back!!

Hi,

I’m going to have to give a fair bit of info so that you can get as clear a picture as possible, so please bear with me.

I’ve got Windows XP with Kaspersky Internet Security Suite 2010.

I was on a couple of Football streaming sites yesterday and soon after my PC and Kaspersky were all over the place.

I get a couple of Kaspersky Alarm messages that say:

1)

Object:
C:\WINDOWS\system32\msbyylfy.dll

Trojan program:

Trojan-GameThief.Win32.OnLineGames.wjk


& 2)

Object:
C:Windows\system\User.dll

Trojan Program:

Trojan.Win32.patched.gq

I keep on getting prompts from Kaspersky about Trojans in the system, the PC has really slowed down, Internet browsing (which may not be recommended) is very slow, programs like Microsoft Word freeze.

Kaspersky isn’t scanning properly either, when I try to it just stops. Its automatic Threat Detection feature that is supposed to Delete & Disinfect Viruses and Threats isn't working, and whatever it does do, the Trojans keep on coming back even though Kaspersky says that after Restarting PC Threats will be Removed!

Here is Kaspersky's Threat Detection Log:


Status: Detected (events: 1)
31/03/2010 01:15:59 Detected Trojan program Trojan-Downloader.Win32.Delf.zyx http://download.xwche.com/setup.exe?t=0.470785//2//ASPack
Status: Detected (events: 2)
31/03/2010 00:15:02 Detected malicious URL http://pozeml.com/oc/box.txt
31/03/2010 01:16:03 Detected malicious URL http://img.ub8.net/banner.exe?t=0.9174008
Status: Detected (events: 3)
31/03/2010 05:09:52 Detected Trojan program Trojan.Win32.Patched.gq C:\WINDOWS\system32\user32.DLL
31/03/2010 00:16:02 Detected Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT17.tmp//PE_Patch.UPX
31/03/2010 01:29:43 Detected Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT75.tmp//PE_Patch.UPX
Status: Deleted (events: 12)
31/03/2010 00:15:46 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT17.tmp
31/03/2010 00:15:46 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT17.tmp//PE_Patch.UPX//UPX
31/03/2010 00:33:13 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT270.tmp
31/03/2010 00:33:13 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT270.tmp//PE_Patch.UPX
31/03/2010 00:33:13 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT270.tmp//PE_Patch.UPX//UPX
31/03/2010 01:17:37 Deleted Trojan program Trojan-Dropper.Win32.Agent.buvq C:\WINDOWS\system32\660436.exe
31/03/2010 01:29:25 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT75.tmp
31/03/2010 01:29:25 Deleted Trojan program Trojan-Downloader.Win32.Genome.aqen C:\WINDOWS\Temp\VRT75.tmp//PE_Patch.UPX//UPX
31/03/2010 04:12:57 Deleted Trojan program Trojan.Win32.Patched.gq C:\WINDOWS\system32\user32.DLL
31/03/2010 04:19:00 Deleted Trojan program Trojan-GameThief.Win32.OnLineGames.wjik C:\WINDOWS\system32\msbyylfy.dll
31/03/2010 04:44:21 Deleted Trojan program Trojan-Clicker.Win32.Refpron.jy C:\WINDOWS\system32\3298914.exe
31/03/2010 04:44:21 Deleted Trojan program Trojan-Clicker.Win32.Refpron.jy C:\WINDOWS\system32\3298914.exe//#

Status: Will be disinfected when the computer is restarted (events: 1)
31/03/2010 05:09:52 Will be disinfected when the computer is restarted Trojan program Trojan.Win32.Patched.gq C:\WINDOWS\system32\USER32.dll


For Trojan.Win32.Patched.gq Kaspersky doesn't even attempt to do anything.

I'm pretty clueless with all of these things so I thought maybe Kaspersky was playing up or something and making false detections, hence I was thinking about uninstalling it and I created a thread.......stupidly!

I've also got Malwarebytes Anti-Malware on my PC so I did a quickscan with it several times
because Kaspersky didn't seem to be able to remove anything. Anyway, the last scan I ran
with Malwarebytes resulted in it detecting 33 infected objects, probably also due to the
fact that my internet connection was still On!


Here is the log:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3935

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

31/03/2010 04:09:35
mbam-log-2010-03-31 (04-09-35).txt

Scan type: Quick scan
Objects scanned: 107392
Time elapsed: 46 minute(s), 54 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 7
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> No action taken.

Memory Modules Infected:
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\NOHIDORSYS (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\updatenew (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Spyware.Zbot) -> Data: system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
C:\WINDOWS\system32\w.exe (Backdoor.Bot) -> No action taken.
C:\WINDOWS\Fonts\services.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\1018167.exe (Trojan.Agent.Gen) -> No action taken.
C:\WINDOWS\system32\d.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\ms.bin (Backdoor.Bot) -> No action taken.
C:\WINDOWS\system32\MSWINSCK.OCX (Worm.Nyxem) -> No action taken.
C:\WINDOWS\system32\8308054.exe (Trojan.Agent.Gen) -> No action taken.
C:\WINDOWS\Temp\VRT18.tmp (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> No action taken.


Even after Malwarebytes found infected objects and required the PC to be Restarted for
the Infected objects to be deleted, when I did so I kept on getting the same messages from
Kaspersky and it was back to square one with the Trojans still there!

Out of panic and ignorance, I installed SuperAntiSpyware on the PC to see if I got any joy, obviously not, but it detected 11 Infected objects when I ran a quickscan, here is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/31/2010 at 04:46 AM

Application Version : 4.35.1000

Core Rules Database Version : 4744
Trace Rules Database Version: 1978

Scan type : Quick Scan
Total Scan Time : 00:14:45

Memory items scanned : 352
Memory threats detected : 1
Registry items scanned : 391
Registry threats detected : 8
File items scanned : 6153
File threats detected : 2

Trojan.Agent/Gen-Virut[WinLogo]
C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGON\WINLOGO.EXE
C:\WINDOWS\SYSTEM32\GROUPPOLICY\USER\SCRIPTS\LOGON\WINLOGO.EXE
C:\WINDOWS\Prefetch\WINLOGO.EXE-184FCAAF.pf

Trojan.DNSChanger-Codec
HKLM\Software\1
HKLM\Software\1#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\1#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\1#31C2E1E4D78E6A11B88DFA803456A1FFA5
HKLM\Software\9
HKLM\Software\9#31AC70412E939D72A9234CDEBB1AF5867B
HKLM\Software\9#31897356954C2CD3D41B221E3F24F99BBA
HKLM\Software\9#31C2E1E4D78E6A11B88DFA803456A1FFA5



I don't know how these Trojans got in but they seem to have some sort of "backup" and can't be
Deleted or just keep coming back.

Kaspersky seems pretty obsolete, whereas a program like Malwarebytes Anti-Malware seems
to detect quite a lot of the Infected objects but they still remain, and when Malwarebytes wrongly gives
the all CLEAR, Kaspersky is still giving the same prompts.........I'm sorry if I'm not making
much sense but none of this is making sense to me!

Sorry for going on and if I haven't managed to be cohesive.....but I'm sure there are
people out there who have come across this......please kindly give me Clear, Step by Step
instructions on how to rid my PC of these Trojans.

Probably a bit late, but I don't know if it's best not to connect to the internet in the meantime?


I'm really stressed out about this......



THANK YOU!!

Kind regards,

Jay
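As an added example from a defender's point of view (not code from the post, Malwarebytes or Kaspersky), here is a small Python parser for the Malwarebytes log format shown above. It pulls out the entries that explain why the detections return after a restart: the Winlogon\Userinit value that re-launches sdra64.exe at every logon, the Image File Execution Options key for avp.exe (Kaspersky's own process), and the tampered hidden-files setting, and it counts how many entries were left at "No action taken". The log excerpt is constructed from lines in the post; the function names are my own.

```python
import re
from collections import Counter

# Constructed excerpt: section headers and four lines taken from the post's log.
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Files Infected:
C:\WINDOWS\system32\sdra64.exe (Spyware.Zbot) -> No action taken.
"""

BAD_GOOD_RE = re.compile(r"Bad: \((.*?)\) Good: \((.*?)\)")


def parse_mbam_log(text):
    """Return one dict per detection line: section, path, threat, detail, action."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and " -> " not in line:   # e.g. "Files Infected:"
            section = line[:-1]
            continue
        parts = line.split(" -> ")                      # "path (Threat) -> [detail ->] action."
        if section is None or len(parts) < 2:
            continue
        path, _, threat = parts[0].rpartition(" (")
        items.append({"section": section, "path": path, "threat": threat.rstrip(")"),
                      "detail": " -> ".join(parts[1:-1]), "action": parts[-1].rstrip(".")})
    return items


def persistence_findings(items):
    """Flag the entries that re-infect at logon or cripple the AV, as (kind, value) pairs."""
    findings = []
    for it in items:
        p = it["path"].lower()
        m = BAD_GOOD_RE.search(it["detail"])
        if "\\winlogon\\userinit" in p and m:
            # Every program listed in Userinit besides userinit.exe runs at each logon.
            extra = [x for x in m.group(1).split(",")
                     if x and not x.lower().endswith("userinit.exe")]
            findings.append(("logon_hook", extra))
        elif "\\image file execution options\\" in p:
            # An IFEO "Debugger" entry redirects launches of that executable (here the AV).
            findings.append(("ifeo_hijack", it["path"].rsplit("\\", 1)[-1]))
        elif p.endswith("\\hidden\\showall\\checkedvalue") and m and m.group(1) == "0":
            findings.append(("hidden_files_tamper", m.group(2)))   # expected value
    return findings


def action_summary(items):
    """Count actions; 'No action taken' on every line means the scan removed nothing."""
    return Counter(it["action"] for it in items)
```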