Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

pesky Win32.small.azl Trojan


Re: pesky Win32.small.azl Trojan

Post by markamus » December 11th, 2007, 12:45 pm

Hi firebrand,

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINNT\system32\user32.dll.vir

Folder::
C:\Program Files\PLUS!
C:\WINNT\Ympkb25pcw


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"431010bd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0CFCC577-EA60-4A9C-8980-BB486556BA61}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49D35D4F-4738-41FE-A616-77D4947520AA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8652D896-3C1F-4182-9400-B172A853AE58}]

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
---------------------------------------------------------------------------------------

Please download a free version of CCleaner from here.


To install:
  • Select a language.
  • Click Next.
  • Click I Agree.
  • Select your Destination Folder and click Next. The default is set to C:\Program Files\CCleaner. This is OK to use, unless you would prefer it installed to another permanent folder.
  • Choose your Install Options.
  • Click Install.
  • Click Finish when prompted.


To run:
  • Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Then select the items you wish to clean up. (See note below)
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section. If you prefer to keep your cookies, uncheck the Cookies entry. Deleting cookies will require re-entry of user names and passwords on the next visit to sites that require users to log in.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all (optionally, except cookies) in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
  • Then click the "Run Cleaner" button and it will scan and clean your system.
  • Click exit.
----------------------------------------------------------------------------------------------

Note: Please print out these instructions or save them to a new text file on your desktop. The next steps in this fix require booting to Safe Mode, where you will not be able to access this forum.

Reboot into Safe Mode. To do this, please follow these steps:
  • Click start.
  • Select Turn off computer.
  • Select Restart and click OK.
  • During restart, hold down the F8 key on your keyboard until the Windows Startup menu appears.
  • If your PC starts beeping then release the key for a few seconds before holding it down again.
  • Select Safe Mode from the Startup menu, and press the Enter button on your keyboard.
  • Windows should start in Safe Mode. If Windows doesn't restart in Safe Mode, then please repeat these steps.
----------------------------------------------------------------------------------------------

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot normally.
----------------------------------------------------------------------------------------------

In your next reply, please include the following:
  1. The new Combofix log
  2. The AVG Anti-Spyware log
  3. A fresh HijackThis log
  4. A description of how the PC is running.
If your reply is too long, you can split it into multiple posts.

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama
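A dry-run reviewer for the CFScript format used in markamus's post above, added here as an example and not part of the original thread or of ComboFix itself: it parses the File::, Folder:: and Registry:: sections and lists every deletion the script would request, so the script can be checked before it is dragged onto ComboFix. SAMPLE_SCRIPT is constructed to match the posted script; treating `~` in a registry path as an abbreviation that needs manual review is an assumption.

```python
"""Dry-run reviewer for a ComboFix CFScript (added example, not from the post).
Lists every deletion a File::/Folder::/Registry:: script would request so it can
be checked before it is dragged onto ComboFix. Registry lines use .reg syntax:
[key] selects a key, "name"=- deletes a value under it, [-key] deletes the key.
SAMPLE_SCRIPT is constructed to match the script markamus posted above.
"""
import re

SAMPLE_SCRIPT = r"""File::
C:\WINNT\system32\user32.dll.vir
Folder::
C:\Program Files\PLUS!
C:\WINNT\Ympkb25pcw
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"431010bd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayywvu]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09985909-06B9-4005-A4CF-1C9C6E1690AA}]
"""

SECTION_RE = re.compile(r"^(\w+)::$")          # File:: / Folder:: / Registry::
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")         # [key] or [-key]
VALUE_DEL_RE = re.compile(r'^"(.*)"=-$')       # "name"=-

def parse_cfscript(text):
    """Return planned actions plus warnings for lines a reviewer should inspect."""
    plan = {"files": [], "folders": [], "reg_keys": [], "reg_values": [], "warnings": []}
    section = current_key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "file":
            plan["files"].append(line)
        elif section == "folder":
            plan["folders"].append(line)
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                key = m.group(2)
                if "\\~\\" in key:  # ComboFix path shorthand (assumed); expand it before trusting
                    plan["warnings"].append(f"line {lineno}: abbreviated path in {key}")
                if m.group(1) == "-":  # [-key] removes the whole key and everything under it
                    plan["reg_keys"].append(key)
                    current_key = None
                else:  # [key] only scopes the "name"=- lines that follow it
                    current_key = key
                continue
            m = VALUE_DEL_RE.match(line)
            if m and current_key:  # one named value under the current key
                plan["reg_values"].append((current_key, m.group(1)))
            else:
                plan["warnings"].append(f"line {lineno}: unrecognised registry line: {line}")
        else:
            plan["warnings"].append(f"line {lineno}: text outside any section: {line}")
    return plan

if __name__ == "__main__":
    print(parse_cfscript(SAMPLE_SCRIPT))
```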

Re: pesky Win32.small.azl Trojan

Post by firebrand » December 12th, 2007, 5:56 pm

Here is HijackThis and Combofix below it:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:02 PM, on 12/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\Brmfrmps.exe
C:\WINNT\system32\BrmfRsmg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Quicken\bagent.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Hijack This\HiJackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3504 bytes

Now Combofix:


ComboFix 07-12-09.1 - bjdonis 12/13/2007 14:59:50.11 - FAT32x86
Running from: C:\Documents and Settings\bjdonis\Desktop\ComboFix(3).exe
.

((((((((((((((((((((((((( Files Created from 2007-11-13 to 2007-12-13 )))))))))))))))))))))))))))))))
.

2007-12-13 15:00 . 12/13/07 03:00p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_310.dat
2007-12-13 14:51 . 12/13/07 02:51p 830,816 ---h----- C:\WINNT\ShellIconCache
2007-12-13 11:19 . 12/13/07 11:19a <DIR> d-------- C:\Documents and Settings\bjdonis\Application Data\Grisoft
2007-12-13 11:18 . 05/30/07 06:10a 10,872 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-12-13 11:15 . 12/13/07 11:15a <DIR> d--h----- C:\WINNT\PIF
2007-12-13 11:15 . 12/13/07 03:04p 208 --a------ C:\WINNT\system.ini
2007-12-12 23:30 . 12/12/07 11:31p <DIR> d-------- C:\Program Files\CCleaner
2007-12-12 23:22 . 12/12/07 11:23p <DIR> d-------- C:\Program Files\PC Registry Cleaner
2007-12-07 11:50 . 12/07/07 11:50a <DIR> d-------- C:\FOUND.006
2007-12-07 11:05 . 12/07/07 11:05a <DIR> d-------- C:\FOUND.005
2007-12-06 13:33 . 12/06/07 01:33p <DIR> d-------- C:\FOUND.004
2007-12-06 13:20 . 12/06/07 01:20p <DIR> d-------- C:\FOUND.003
2007-12-05 15:55 . 12/05/07 03:55p <DIR> d-------- C:\WINNT\ERUNT
2007-12-05 15:41 . 12/05/07 03:41p <DIR> d-------- C:\FOUND.002
2007-12-04 13:08 . 12/04/07 01:08p <DIR> d-------- C:\FOUND.001
2007-12-04 12:56 . 12/04/07 12:56p <DIR> d-------- C:\FOUND.000
2007-11-19 22:44 . 11/19/07 10:44p <DIR> d-------- C:\WINNT\system32\BITS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 17:07 11,736 ----a-w C:\Documents and Settings\bjdonis\Application Data\GDIPFONTCACHEV1.DAT
2007-11-07 16:19 136 ---ha-w C:\aaw7boot.cmd
2007-11-06 17:32 --------- d-----w C:\Documents and Settings\bjdonis\Application Data\AVG7
2007-11-06 17:31 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2007-11-06 17:30 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-06 17:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-06 06:27 24,576 ----a-w C:\WINNT\system32\VundoFixSVC.exe
2007-10-31 02:58 --------- d-----w C:\Program Files\Windows Live Safety Center
2007-08-14 17:44 271 ---h--w C:\Program Files\desktop.ini
2007-08-14 17:44 21,952 ---h--w C:\Program Files\folder.htt
2002-07-24 18:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((( snapshot@Sun 2007-12-09_15.45.58.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 16:57:12 163,328 ----a-w C:\WINNT\erdnt\subs\F3M\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p C:\WINNT\system32\mobsync.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [11/06/07 11:30a]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [11/06/07 11:30a]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p]

C:\Documents and Settings\bjdonis\Start Menu\Programs\Startup\
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2005-01-14 15:06:58]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Brother SmartUI PopUp.lnk - C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe [2007-08-15 11:16:05]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys
R1 Odptdi;Odptdi;\??\C:\WINNT\system32\drivers\odptdi.sys
R2 BrSerial;Brother Serial Driver;\??\C:\WINNT\system32\drivers\BrSerial.sys
R3 chips;chips;C:\WINNT\system32\DRIVERS\chipsm5.sys
R3 ess;ESS Audio Driver (WDM);C:\WINNT\system32\drivers\ess.sys
R3 N100;Compaq Ethernet or Fast Ethernet NIC NT Driver;C:\WINNT\system32\DRIVERS\n100nt5.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-12-13 00:30:04 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 15:04:42
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 12/13/2007 15:06:24
C:\ComboFix3.txt ... 12/09/07 03:46p
C:\ComboFix2.txt ... 12/12/07 11:19p
.
--- E O F ---
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Post by firebrand » December 12th, 2007, 6:22 pm

Markamus,

Had a couple of problems (possibly) with the AVG portion. I will walk you through what I had problems with pertaining to the last instructions.

I didn't realize PC Cleaner was different than CCleaner at first, so I downloaded both, but haven't used PC Cleaner other than installing it. I had difficulty getting AVG Anti-Spy to download; I even left the computer on all night, but it still hadn't from the link you sent. I went instead to download.com and got it there in a few moments. I downloaded it and installed it in the normal setting, but didn't run it until being in Safe Mode. I also had some troubles updating it, but it finally went. I believe I was finally able to get it to update in normal mode after trying in Safe Mode with Connectivity to no success.

After the scan was completed in the Safe mode setting, I didn't really see a box that said Save Scan Report, so I don't think I clicked that on accident. I did see the Apply All Actions button, and it did find some tracking cookies which were deleted, in addition to what it found and quarantined, which I will type below this. However, there was not a report that was generated. The Save Report button was grayed out the entire time to my recollection when I ran the AVG Anti-Spy. I went back in again and ran it in regular mode, and that time it did save a report (and found nothing). I will post that below. I don't quite know why I didn't get a report for the first running (or maybe this is normal), but I can't find it searching on my computer. I can trace back up the tree when I look to see where it is saving these reports, but can't find that folder when I go there to see if there was an initial report off the first running.

So possibly I missed a step, I'm not sure exactly where though. Have had no problems surfing, seems to be moving a bit faster, but I will have to surf more later and see how it is doing, will report tomorrow on how it is moving. I want to try IE since Firefox is normally what I use to browse and IE always was more problematic with this infection in terms of speed.

From Infections tab of AVG: (Infected With column)

C:\qoobox\Quarantine\C\WINNT\system32\bthnngid.dll.vir (Not-a-Virus.Adware.SecToolBar)
C:\VundoFix Backups\nizkqfwi.dll.bad (Not-a-Virus.Adware.SecToolBar)
C:\quobox\Quarantine\C\WINNT\system32\ktcsuwj.dll.vir (Not-a-Virus.Adware.Agent)
C:\qoobox\Quarantine\C\WINNT\Ympkb25pcw\sAD4vZcDwT.vbs.vir (Trojan.small)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:52:01 PM 12/13/2007

+ Scan result:



Nothing found.


::Report end
firebrand
Active Member
 
Posts: 11
Joined: November 30th, 2007, 2:48 am

Re: pesky Win32.small.azl Trojan

Post by markamus » December 15th, 2007, 12:56 pm

Hi firebrand,

Using Windows Explorer
    (Right-click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents.)
Locate and delete the following folders:
    C:\qoobox
    C:\VundoFix Backups
----------------------------------------------------------------------------------------------
firebrand wrote:
    Have had no problems surfing, seems to be moving a bit faster, but I will have to surf more later and see how it is doing, will report tomorrow on how it is moving. I want to try IE since Firefox is normally what I use to browse and IE always was more problematic with this infection in terms of speed.

How is everything running now?

Thanks,

markamus
markamus
Regular Member
 
Posts: 696
Joined: August 9th, 2006, 9:28 pm
Location: Alabama

Re: pesky Win32.small.azl Trojan

Post by NonSuch » December 25th, 2007, 6:16 am

As this issue appears to be resolved, this topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link:
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California