Question

  • #2224926

    Nebuler Trojan


    by dwebber ·

    The owner of my company dropped this machine on my lap, complaining of a series of pop-ups and random programs starting up. I got all the programs cleaned out and now can't get rid of the Trojan that started it all. I have removed two Trojans already; Symantec is saying it's the Trojan.Nebuler virus, but I can't get it removed. I ran HijackThis on it, and here is the log to save time. Any suggestions are greatly appreciated; I'm running out of ideas.

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\TEMP\win12F3.tmp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
    O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [zjgyrzdA] C:\WINDOWS\zjgyrzdA.exe
    O4 - HKLM\..\Run: [{C9-93-38-8D-ZN}] c:\windows\system32\mkdsregl.exe SKY009
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinlndt.exe SKY009
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
    O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
    O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win12F3.tmp.exe
    O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjut.dll,startup
    O4 - HKLM\..\Run: [smgr] mgrs.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\nfkqbjxx.dll",forkonce
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = h2orange2.local
    O17 - HKLM\Software\..\Telephony: DomainName = h2orange2.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = h2orange2.local
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\ldcore.dll
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\wuoqyni.html

    End of file - 9125 bytes

All Answers

    • #2634189

      Clarifications

      by dwebber ·

      In reply to Nebuler Trojan

    • #2635498

      A few Jump Out

      by ic-it ·

      In reply to Nebuler Trojan

      WinAntiSpyware 2007 is malware; get rid of it.
      C:\WINDOWS\TEMP\win12F3.tmp.exe
      O4 - HKLM\..\Run: [zjgyrzdA] C:\WINDOWS\zjgyrzdA.exe
      O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
      O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
      O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)

      Questionable:
      O4 - HKLM\..\Run: [{C9-93-38-8D-ZN}] c:\windows\system32\mkdsregl.exe SKY009
      O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\nwinlndt.exe SKY009
      O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

      I would download and update Spybot Search and Destroy (don't be fooled by a pay version; this is free), Ad-Aware and AVG.
      Then boot to Safe Mode with Command Prompt (at the prompt, type explorer.exe for a GUI) and run each.
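A scripted version of the triage ic-it did by eye, added here as an example; it is not code from the thread, from HijackThis or from Symantec. It parses the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines, scores each entry on the indicators a reviewer looks for (a TEMP path, a target with no extension or a vowel-starved random name, a rundll32 launch, a long hexadecimal argument, a missing service binary, an unknown service owner, the rogue product named above) and sorts them into suspicious, questionable and normal. The lines in SAMPLE_LOG are copied from the log in the original post; the indicator weights, the threshold and the KNOWN_ROGUE list are this example's assumptions. On that sample every entry ic-it listed scores above normal and the stock vendor entries score normal; Global Startup O4 lines are not parsed.

```python
"""Score HijackThis O4 / O20 / O23 entries the way a reviewer does by hand.
Added example for this thread, not code from the post, HijackThis or Symantec.
SAMPLE_LOG lines are copied from the thread's log; the weights, the threshold
and KNOWN_ROGUE are this example's own assumptions."""
import re
from dataclasses import dataclass, field

SEP = r" [-\u2013] "  # HijackThis writes " - "; web copies often turn it into an en dash
O4_RE = re.compile(r"^O4" + SEP + r"(?P<hive>\S+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20" + SEP + r"AppInit_DLLs: (?P<dlls>.+)$")
O23_RE = re.compile(r"^O23" + SEP + r"Service: (?P<name>.+?)" + SEP + r"(?P<owner>.+?)" + SEP + r"(?P<path>.+)$")
EXE_RE = re.compile(r'(?i)"?(?P<path>(?:[a-z]:\\)?[^"]*?\.(?:exe|dll|scr|com|bat|cmd))"?')
HEX_ARG_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
KNOWN_ROGUE = ("winantispyware",)  # rogue product named in ic-it's reply; extend as needed


@dataclass
class Finding:
    section: str   # O4, O20 or O23
    name: str      # Run value name, service name or DLL file name
    path: str      # program or DLL the entry loads
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, weight, reason):
        self.score += weight
        self.reasons.append(reason)

    def verdict(self):
        return "suspicious" if self.score >= 2 else "questionable" if self.score else "normal"


def looks_random(stem):
    # Vowel-starved names such as zjgyrzdA or nfkqbjxx; short OEM names are not judged.
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 6 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def extract_path(command):
    """Return (path, via_rundll32) for an O4 command line."""
    cmd, via_rundll32 = command.strip(), False
    if cmd.lower().startswith("rundll32.exe "):
        via_rundll32 = True
        cmd = cmd[len("rundll32.exe "):].split(",")[0]  # drop the ,EntryPoint suffix
    m = EXE_RE.search(cmd)
    path = m.group("path") if m else cmd.split()[0]  # no recognised extension: first token
    return path.strip('"'), via_rundll32


def score_path(f, command="", via_rundll32=False):
    # Location and naming indicators shared by all sections.
    p = f.path.lower()
    directory, _, base = p.rpartition("\\")
    checks = [
        ("\\temp\\" in p, 2, "runs from a TEMP directory"),
        ("." not in base, 2, "target has no file extension"),
        (looks_random(base.split(".")[0]), 1, f"random-looking file name '{base}'"),
        (directory in ("c:\\windows", "c:\\winnt"), 1, "sits directly in the Windows directory"),
        (via_rundll32, 1, "launched through rundll32.exe"),
        (bool(HEX_ARG_RE.search(command)), 2, "long hexadecimal command-line argument"),
        (any(r in p for r in KNOWN_ROGUE), 2, "known rogue anti-spyware product"),
    ]
    for hit, weight, reason in checks:
        if hit:
            f.add(weight, reason)


def triage(log_text):
    """Parse O4 (Run keys), O20 (AppInit_DLLs) and O23 (services); one Finding per entry."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            path, via = extract_path(m.group("cmd"))
            f = Finding("O4", m.group("name"), path)
            score_path(f, m.group("cmd"), via)
            findings.append(f)
        elif m := O20_RE.match(line):
            for dll in m.group("dlls").split():
                f = Finding("O20", dll.rpartition("\\")[2], dll)
                f.add(1, "AppInit_DLLs is loaded into every process that uses user32.dll")
                if "\\windows\\" in dll.lower():
                    f.add(1, "AppInit DLL lives in the Windows tree, not a vendor folder")
                score_path(f)
                findings.append(f)
        elif m := O23_RE.match(line):
            missing = "(file missing)" in m.group("path")
            f = Finding("O23", m.group("name"), m.group("path").replace("(file missing)", "").strip())
            if m.group("owner").lower() == "unknown owner":
                f.add(1, "service has no registered owner")
            if missing:
                f.add(2, "service binary is missing (removed dropper or stale key)")
            score_path(f)
            findings.append(f)
    return findings


# Lines copied from the HijackThis log in the original post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [zjgyrzdA] C:\WINDOWS\zjgyrzdA.exe
O4 - HKLM\..\Run: [{C9-93-38-8D-ZN}] c:\windows\system32\mkdsregl.exe SKY009
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [g4356cbvy63] C:\WINDOWS\g4356cbvy63
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win12F3.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvjut.dll,startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\nfkqbjxx.dll",forkonce
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL c:\windows\system32\ldcore.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda x: -x.score):
        print(f"{f.verdict():12} {f.section} [{f.name}] {f.path}  {'; '.join(f.reasons)}")
```

Feed it a whole saved log (`triage(open("hijackthis.log").read())`) and treat the output as a reading order, not a removal list: "questionable" means look the file up, and even a "suspicious" score is an indicator count, not proof. Vendor binaries with terse names (stsystra.exe is a common one) can pick up a point from the naming rule, which is why it is weighted at 1.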

    • #2635426

      This is Symantec’s recommended removal procedure

      by older mycroft ·

      In reply to Nebuler Trojan

    • #2635229

      Thanks

      by dwebber ·

      In reply to Nebuler Trojan

      Thank you so much for your help. I got rid of the Nebuler trojan by pretty much combining the solutions I found. What I did was boot into safe mode, stop the process from running, then in the registry delete the key that it created (if you want to know, it's Local Machine\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win{three random letters or numbers}32.exe; it also makes a registry sub-folder at Local Machine\Software\Microsoft\MSSGNR). Then I went to find the .dll file in the system32 folder; it could not be deleted, so I changed its name, reran Symantec's scan, and it found it and quarantined it, so it is now removed.
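The Winlogon\Notify key dwebber cleaned by hand is a persistence point worth auditing on the other machines too, and the script below is an added example (not from the thread) of doing that: it lists the subkeys under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify with their DllName values, compares them with the notification packages a stock Windows XP install registers, and flags anything else, including names matching the win???32 pattern dwebber describes. XP_BASELINE and SAMPLE_ENTRIES are this example's assumptions (the sample entry winab732 is hypothetical); on Windows the script reads the live key, elsewhere it runs on the constructed sample.

```python
r"""Audit the Winlogon\Notify key that dwebber cleaned by hand.
Added example, not from the thread. XP_BASELINE and SAMPLE_ENTRIES are this
example's assumptions; the win???32 name pattern comes from dwebber's post."""
import re
import sys

NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed stock Windows XP packages (subkey -> DllName). OEM extras such as the
# ATI or Intel graphics packages will show up as "unknown" and must be checked
# against their DllName and vendor, not removed blindly.
XP_BASELINE = {
    "crypt32chain": "crypt32.dll",
    "cryptnet": "cryptnet.dll",
    "cscdll": "cscdll.dll",
    "ScCertProp": "wlnotify.dll",
    "Schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll",
    "SensLogn": "wlnotify.dll",
    "termsrv": "wlnotify.dll",
    "wlballoon": "wlnotify.dll",
}
# Naming pattern dwebber reported for the Nebuler entry: win + 3 characters + 32.
NEBULER_NAME = re.compile(r"^win[a-z0-9]{3}32(\.(dll|exe))?$", re.IGNORECASE)


def classify(entries):
    """entries: iterable of (subkey, dllname) -> list of (subkey, dllname, status)."""
    baseline = {k.lower(): v.lower() for k, v in XP_BASELINE.items()}
    result = []
    for subkey, dll in entries:
        dll_base = dll.replace("/", "\\").rpartition("\\")[2].lower()
        expected = baseline.get(subkey.lower())
        if NEBULER_NAME.match(subkey) or NEBULER_NAME.match(dll_base):
            status = "matches the win???32 pattern from this thread"
        elif expected is None:
            status = "unknown package, not in the XP baseline"
        elif dll_base != expected:
            status = f"baseline package but DllName changed (expected {expected})"
        else:
            status = "baseline"
        result.append((subkey, dll, status))
    return result


def read_live_entries():
    """Enumerate the real key (Windows only; reading HKLM needs no admin rights)."""
    import winreg
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NOTIFY_KEY) as notify:
        for i in range(winreg.QueryInfoKey(notify)[0]):
            sub = winreg.EnumKey(notify, i)
            with winreg.OpenKey(notify, sub) as k:
                try:
                    dll = winreg.QueryValueEx(k, "DllName")[0]
                except FileNotFoundError:
                    dll = "<no DllName value>"
            entries.append((sub, dll))
    return entries


# Constructed sample: two stock packages plus one hypothetical entry shaped like
# the one dwebber found (random win???32 name, DLL dropped in system32).
SAMPLE_ENTRIES = [
    ("crypt32chain", "crypt32.dll"),
    ("Schedule", "wlnotify.dll"),
    ("winab732", r"C:\WINDOWS\system32\winab732.dll"),
]

if __name__ == "__main__":
    entries = read_live_entries() if sys.platform == "win32" else SAMPLE_ENTRIES
    for sub, dll, status in classify(entries):
        print(f"{sub:16} {dll:40} {status}")
```

Run it on the cleaned machine and on a known-clean machine of the same build; the differences between the two lists, rather than the baseline alone, are what to act on, since a package that is "unknown" here may simply be a legitimate OEM addition.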
