
Solve: Virus Drowor D. Trojan plus other infestation?


Infestation! Identified by XoftspySE:
Drowor D.Trojan      c:/windows/system/internat.exe
EliteKeylogger       c:/windows/system/mciole.dll
Virus.Win32.Delf.ak  c:/windows/wupdmgr.exe
wintective           c:/windows?setup1.exe
Smitfraud            c:/windows/rundll32.exe

Used XoftspySE removal but Drowor D.Trojan returns again and again (all others gone).
Attempted to stop the restore function in case the image is being replaced from restore, but had difficulty accessing system functions via Control Panel, as an error of "MISSING rundll32.exe" prevents system functions running from Control Panel.
Managed to use System Restore (in Safe Mode) and rolled back. No improvement. Drowor D Trojan persists.
AVG 7.5 doesn't identify it, and neither does Spybot S&D, AdAware or SuperAntiSpyware. Is Xoftspy exceptionally good at identifying when others do not, or is Xoftspy 'questionable'? Reluctant to delete Xoftspy (at present) because it holds the quarantined images which I may need.

Removal into quarantine (by Xoftspy) seems to have removed the rundll32.exe.
Should I restore the removed problem items from quarantine - all, or just Smitfraud, which I suspect affected the rundll32.exe?
Have downloaded all the latest from Spybot S&D, AdAware, AVG 7.5 & SuperAntiSpyware so not running old definitions. What will not update is Xoftspy - stuck on database 264 (31.10.07) whereas update 266 is available but will not load.

Current situation is: Drowor D Trojan persists and I have 'lost' accessibility to some system functions because of the loss of rundll32.exe. How can I remove Drowor permanently and how do I restore the missing rundll32.exe?
Have tried my best (as a keen intermediate) but now need some extra help / ideas.

System
Win Me v4.90 (with all patches from MS until closedown)
40Gb drive C (21Gb free)
40Gb drive D (21 Gb free)
640Mb memory
AVG 7.5 ; AdAware ; SpybotS&D ; SuperAntiSpyware all with latest updates
Xoftspy SE (DB 264 31.10.07 database). 
Zone Alarm.

Help please
Aussie



I don't fully trust Xoftspy and its findings.

Download HijackThis.
Double-click on the installer you just downloaded.
Click on the "Install" button to install.
It will by default install to the directory - C:\Program Files\Trend Micro\HijackThis
Please do not change the default install location.
Upon install, HijackThis should open for you.

Next click on the "Do a system scan and save a log file" button.
HijackThis will scan and then a log will open in notepad.
In the top left of the notepad window click "File" > "Save As" name it hijackthis and then save it to the Desktop.
Please save the log as a text (.txt) file or .log
In your post, add the log as an Attachment.
* Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

How to attach logs in a post

Save the log to somewhere you can easily find it. (usually the desktop)

To do this, from within the notepad go to the top of the page and select "File" > "Save As..." enter the file name and click "Save" Be sure the desktop is the location selected to save to.
Please save all files as Text Documents (.txt)

Posting the log

1. Below the text box click "Additional Options..."
* If replying in a thread, before putting text into the reply box select "Preview"
2. Scroll down and select "Additional Options..."
3. Click "Browse"
4. Locate the file you want to attach and double click it to enter it into the window.
5. If you have more than one log click "(more attachments)" and a NEW window will open for adding another log.
* You will need to enter a message in the text box as well.

Thanks Evil, you are 'first out of bed' on this one - much appreciated; also the step by step help is great.
I am on a long work shift all this weekend/Monday so be patient for a reply. I will be back to you.
Cheers, Aussie.

No problem, hope work goes well.....

Managed to get this done before shift starts. Welcome feedback.

The log doesn't show any malware.

Open SpyBot
Look at the top and select "Mode" > select "Advanced Mode"
Then on the left select:
Tools > IE tweaks section
Let me know if these are checked.
"Lock IE start page ..."
"Lock IE control panel ..."


Neither are checked. Should I do so?

Quote from: Aussie on November 22, 2007, 06:34:58 PM

Neither are checked. Should I do so?

No, we will fix it.

Open HijackThis and select "Do a system scan only"

Place a check mark next to:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Close all windows and click "Fix checked"

What system functions have you lost?
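As an added example (not from the thread, and not code from HijackThis, Spybot or any other tool mentioned here), the following Python script shows what the two O6 lines above mean and how one would act on them without HijackThis: it parses HijackThis-format log lines for O6 entries, expands the hive abbreviation to the full registry path, explains which Internet Explorer lockdown each key implements, and writes a REGEDIT4 .reg file that deletes those keys (REGEDIT4 is the .reg header that Windows 9x/ME regedit expects). The log lines are constructed for the example, not Aussie's actual log. Two caveats a practitioner should keep in mind: the "Control Panel" policy key here governs IE's Internet Options dialog, not the Windows Control Panel, and a "Windows cannot find C:\WINDOWS\rundll32.exe" error is a missing-file problem (on Windows 9x/ME that is the file's normal location) that deleting these keys will not fix.

```python
"""Parse HijackThis O6 entries and emit a REGEDIT4 .reg file that removes them.

Added example for this thread; not part of HijackThis, Spybot or any other tool.
"""
import re

# Constructed sample in HijackThis log format (not the log posted in the thread).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [ZoneAlarm] C:\PROGRA~1\ZONELA~1\ZONEAL~1\ZLCLIENT.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
"""

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE"}

# HijackThis reports O6 as "<hive>\<key> present": the key's existence is the finding.
O6_RE = re.compile(r"^O6 - (HKCU|HKLM)\\(.+?) present$")

# What each known IE policy key does when it carries restrictive values.
EFFECTS = {
    r"Software\Policies\Microsoft\Internet Explorer\Restrictions":
        "locks IE UI elements (e.g. Tools > Internet Options)",
    r"Software\Policies\Microsoft\Internet Explorer\Control Panel":
        "hides or locks tabs in IE's Internet Options dialog (not the Windows Control Panel)",
}


def parse_o6(log_text):
    """Return [(full_hive, subkey)] for every O6 line in HijackThis log text."""
    found = []
    for line in log_text.splitlines():
        m = O6_RE.match(line.strip())
        if m:
            found.append((HIVES[m.group(1)], m.group(2)))
    return found


def describe(entries):
    """One human-readable line per O6 key, flagging keys not in the known list."""
    out = []
    for hive, subkey in entries:
        effect = EFFECTS.get(subkey, "unknown policy key - check before deleting")
        out.append(f"{hive}\\{subkey}: {effect}")
    return out


def reg_delete_script(entries):
    """Build a .reg file that deletes each key.

    REGEDIT4 is the header Windows 9x/ME regedit expects; a leading '-'
    inside the brackets tells regedit to delete the whole key.
    """
    lines = ["REGEDIT4", ""]
    for hive, subkey in entries:
        lines.append(f"[-{hive}\\{subkey}]")
        lines.append("")
    # regedit wants CRLF line endings, so the caller writes this with newline="".
    return "\r\n".join(lines)


if __name__ == "__main__":
    o6 = parse_o6(SAMPLE_LOG)
    for text in describe(o6):
        print(text)
    with open("remove_o6.reg", "w", newline="") as fh:
        fh.write(reg_delete_script(o6))
    print(f"wrote remove_o6.reg with {len(o6)} key deletion(s)")
```

Run it against a saved hijackthis.txt in place of SAMPLE_LOG, read the printed descriptions, and only then merge the generated .reg file (double-click it or use regedit). The same policy keys are set legitimately by administrators on managed machines, so confirm nobody put them there on purpose before deleting; on a home Windows ME box with no such policy, their presence together with a locked-down browser is the usual Smitfraud-style symptom the thread is chasing.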

Have done. No identifiable loss of functions (but not run every program - yet!)
Can't access Control Panel because of missing rundll32.exe, but that existed prior to your instruction.

For interest, I have just run Norton Win Doctor which identified 50 'errors'. I have not at this stage requested a repair fix for these in case it confuses your solution.
One is a missing shortcut link on the Start menu for Windows Update "wupdmgr.exe" (affected by Virus.Win32.Delf.ak?)
One is an invalid subkey entry - "invalid identifier"
The remainder all refer to missing "rundll32.exe" (affected by virus Smitfraud?)

Question: if I did ask Win Doctor to 'fix', would it only repair the missing item content or will it drag the entire virus back with it?

Since you are on WinME then I think letting Win Doctor try to fix this is best for now. Most of the normal tools will not work with 98 and ME.

Also, it seems every time Xysoft is involved it reports more issues than are actually there. False positives, "things" missing etc. I would uninstall it and go with SUPERAntispyware Free Edition instead.

Quote from: evilfantasy on November 22, 2007, 09:39:13 PM
Also, it seems every time Xysoft is involved it reports more issues than are actually there. False positives, "things" missing etc. I would uninstall it and go with SUPERAntispyware Free Edition instead.

Agreed. SAS is a much more reliable and TRUSTWORTHY program.

Hi Evil & CB,
Used Norton Win Doctor accepting recommended fixes.
Re-ran Xoftspy and yet again it identifies Drowor D. Trojan (all others originally identified are gone).
Xoftspy says deleted but it re-appears the very next scan! Being reinstalled from the Restore mirror image?
Rescanned with AdAware SE - nothing found.
Rescanned with Spybot S&D - nothing found.
Rescanned with AVG antivirus - nothing found.
Rescanned with SuperAntiSpyware - nothing found.
Rescanned with Norton Win Doctor - no errors.
Definitely had something affect the PC because I cannot access Control Panel due to 'missing' rundll32.exe, therefore I can't access and stop the restore function, reboot and wipe clear.
How do I reinstate the missing rundll32.exe? I have the original Win Me disk; can I extract and reload just this missing dll?
I have not yet deleted XoftspySE just in case you recommend pulling the lost dll back from quarantine (but bring the virus back with it!?)
What is the next step guys?

With Xysoft being the only program out of those to report anything I would have to say they are false findings.

We will wait on CBMatt to (possibly) confirm this as I am not 100% positive if Xysoft does this or not, but some antivirus/antispyware will hide certain features in an attempt to make it harder to uninstall them. They say it is to protect the computer but I believe otherwise. Like hiding the add/remove programs button, control panel and so on.

Quote
How do I reinstate the missing rundll32.exe

You can replace the rundll32.exe from Merjin.org

I'm not sure you can COPY it from the WinME disk like you can with XP.

Quote from: evilfantasy on November 26, 2007, 12:56:16 AM
We will wait on CBMatt to (possibly) confirm this as I am not 100% positive if Xysoft does this or not, but some antivirus/antispyware will hide certain features in an attempt to make it harder to uninstall them. They say it is to protect the computer but I believe otherwise. Like hiding the add/remove programs button, control panel and so on.

To be honest, I'm not 100% sure either.

Aussie,
Try running another virus scan, but this time, do it in Safe Mode.  Does the file still come back?  Because Xoftspy found Smitfraud, go ahead and try out the instructions on this page...
http://www.bleepingcomputer.com/files/smitfraudfix.php

Also, what is the exact message you are getting about rundll32? Typically, that file is kept in C:\WINDOWS\system32 (perhaps ME is different in this regard) and the one you're talking about is in C:\WINDOWS, so it sounds to me like your Control Panel is being pointed to the wrong location. As soon as you can, try my above suggestions and post back with your results.

Hi CB (& Evil),

Ran a new Xoftspy scan twice in Safe Mode (reboot between) and the second time it cleared and has not re-appeared. Also ran all the others - AVG, Spybot S&D, AdAware, SuperAntiSpyware & Win Doctor - all clear.
Tried your suggestion re SmitfraudFix but found it wouldn't run - went back to the download page and it says for O/S WinXP / 2000, so it appears not to be functional for Win Me. Leaves me with an icon & folder on the desktop (no great problem) but I can't go into Add/Remove Programs because of loss of access to Control Panel functions due to the missing rundll32.exe.
Exact wording denying Control Panel access is:
"Windows cannot find C:/WINDOWS/rundll32.exe. You may have TYPED the name incorrectly in the Run dialog, or another open program cannot find a system file. To search for a file, click the Start button and then click Search"
(Please note as an aside: the forward slash in the above string should be a backslash. Might sound daft, but I can't find the backslash key on the laptop I am using (not the affected machine) as it is set up for communication with the UK using £ instead of hash with digit 3; this in turn has changed the backslash key to the hash, with no trace anywhere now of the backslash function. This doesn't matter other than for your reading of the string above.)
Do you need a new HJT scan report or not? Looks as if the system is clear now; simply need to reinstall the rundll, which I think goes to windows/options/cabs in Win Me.
Await your observations re next step.
Nearly there I think

Aussie

ps: public opinion 'virus' got the government here - all wiped out - new Labor team moving in. As a self exiled Brit I have no comment to make.

