
Trojan.qrap.b And Genpark:trojan.sillydi.50760 Infection


  • This topic is locked
2 replies to this topic

#1 pokemonDoom


  • Members
  • 1 posts

Posted 28 April 2008 - 01:08 PM

I scanned my box with BitDefender 8 and it showed that I had about 14 infected files or so. It showed up as Trojan.Qrap.B and Genpark:Trojan.SillyDi50760. I tried removing/healing the infected files with BitDefender but it didn't work. I tried every other free AV but to no avail.

I tried Kaspersky's online scanning but it took too long... and I had to give it up at some point.

Here's the log from DSS:

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-04-28 10:50:55
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 126 MiB (512 MiB recommended).


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:59 AM, on 4/28/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\System32\alg.exe
G:\WINDOWS\Explorer.EXE
G:\WINDOWS\System32\igfxtray.exe
G:\WINDOWS\System32\hkcmd.exe
G:\Program Files\Softwin\BitDefender8\bdnagent.exe
G:\PROGRA~1\FREEDO~1\fdm.exe
G:\WINDOWS\System32\wbem\wmiprvse.exe
G:\Documents and Settings\Administrator\Desktop\dss.exe
G:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.np/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - G:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - G:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] G:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Free Download Manager] G:\Program Files\Free Download Manager\fdm.exe -autorun
O8 - Extra context menu item: Download all with Free Download Manager - file://G:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://G:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://G:\Program Files\Free Download Manager\dllink.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - G:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - G:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/u...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5136F4B2-C73E-4896-B425-D673DEA3F531}: NameServer = 202.79.32.33 202.79.32.35

--
End of file - 2924 bytes

-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-28 10:48:16 0 d-------- G:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-28 10:48:15 0 d-------- G:\WINDOWS\System32\Kaspersky Lab
2008-04-28 10:48:12 0 d-------- G:\WINDOWS\LastGood
2008-04-28 08:26:43 14 --a------ G:\Documents and Settings\Administrator\getfile.dat
2008-04-27 23:38:13 2957 --a------ G:\Documents and Settings\Administrator\x_dtrace_log
2008-04-27 23:09:28 0 d-------- G:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-27 23:00:33 0 d-------- G:\Program Files\InCode Solutions
2008-04-27 22:21:06 0 d-a------ G:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 22:03:26 371712 --a------ G:\WINDOWS\System32\aswBoot.exe <Not Verified; ; avast! Antivirus>
2008-04-27 22:03:25 0 d-------- G:\Program Files\Alwil Software
2008-04-27 22:02:35 0 d-------- G:\WINDOWS\System32\appmgmt
2008-04-27 20:18:33 0 d-------- G:\Documents and Settings\All Users\Application Data\Avira
2008-04-27 17:59:01 0 d-------- G:\WINDOWS\Downloaded Installations
2008-04-27 17:07:44 0 d-------- G:\Documents and Settings\Administrator\Application Data\Adobe
2008-04-27 16:52:38 0 d-------- G:\Documents and Settings\Administrator\Application Data\Free Download Manager
2008-04-27 16:52:04 0 d-------- G:\Program Files\Free Download Manager
2008-04-27 10:52:18 0 d---s---- G:\Documents and Settings\Administrator\UserData
2008-04-27 10:36:57 0 d-------- G:\Program Files\Trend Micro
2008-04-27 10:00:17 14 --a------ G:\WINDOWS\System32\getfile.dat
2008-04-27 10:00:15 3137 --a------ G:\WINDOWS\System32\x_dtrace_log
2008-04-27 09:11:18 0 d-------- G:\Program Files\BitComet
2008-04-27 05:21:06 0 d-------- G:\Program Files\WinHTTrack
2008-04-21 16:28:51 0 d-------- G:\Documents and Settings\Administrator\Application Data\Help
2008-04-21 16:21:05 0 d-------- G:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-04-21 16:08:49 0 d-------- G:\Program Files\QuickTime
2008-04-21 16:08:00 0 d-------- G:\Program Files\Apple Software Update
2008-04-21 16:07:41 0 d-------- G:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-21 16:03:55 0 d-------- G:\Documents and Settings\Administrator\Application Data\vlc
2008-04-21 16:02:03 0 d-------- G:\Program Files\VideoLAN
2008-04-21 15:53:24 0 d-------- G:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-04-21 15:52:50 0 d-------- G:\Documents and Settings\Administrator\Application Data\Macromedia
2008-04-21 15:48:37 0 d-------- G:\Documents and Settings\Administrator\Application Data\COWON
2008-04-21 15:38:33 0 d-------- G:\WINDOWS\RegisteredPackages
2008-04-21 15:36:25 1703936 --a------ G:\WINDOWS\System32\d3d9.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-21 15:36:24 1769472 --a------ G:\WINDOWS\System32\dxdiagn.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-19 10:48:42 0 d-------- G:\Documents and Settings\All Users\Application Data\QuickTime
2008-03-31 09:45:49 0 d-------- G:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-31 09:45:44 0 d-------- G:\Program Files\CyberLink


-- Find3M Report ---------------------------------------------------------------

2008-04-28 08:25:40 0 d-------- G:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-27 18:25:00 0 d-------- G:\Program Files\Common Files
2008-04-21 16:05:44 0 d-------- G:\Program Files\Common Files\InstallShield
2008-04-21 16:05:26 0 d--h----- G:\Program Files\InstallShield Installation Information
2008-04-15 09:52:15 0 d-------- G:\Program Files\ffdshow
2008-04-15 09:51:36 0 d-------- G:\Program Files\XviD
2008-03-10 15:52:34 0 d-------- G:\Program Files\GraphCalc
2008-03-08 14:27:15 0 d-------- G:\Program Files\Guitar Pro 5
2008-03-05 17:38:13 0 d-------- G:\Program Files\The Princeton Review
2008-02-21 17:37:14 21640 --a------ G:\WINDOWS\System32\emptyregdb.dat
2008-02-21 09:28:38 62 --ahs---- G:\Documents and Settings\Administrator\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="G:\WINDOWS\System32\igfxtray.exe" [05/14/2002 09:29 PM]
"HotKeysCmds"="G:\WINDOWS\System32\hkcmd.exe" [05/14/2002 09:20 PM]
"QuickTime Task"="G:\Program Files\QuickTime\qttask.exe" [09/01/2006 03:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Download Manager"="G:\Program Files\Free Download Manager\fdm.exe" [08/23/2006 03:17 PM]




-- End of Deckard's System Scanner: finished at 2008-04-28 10:51:29 ------------




If you need the logs from Kaspersky's online scan I'll give it one more shot...

Thank you in advance.
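The HijackThis log above is one entry per line, each prefixed with a section code (R0, O2, O4, O17 and so on). As an added example that is not part of the thread or of HijackThis itself, the following Python parses such lines into structured records so a reviewer can pull out the O4 autoruns and compare the O17 DNS servers against the set they expect; the sample lines are copied from the log above, and the expected DNS list passed to the check is a constructed value.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com.np/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] G:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Free Download Manager] G:\Program Files\Free Download Manager\fdm.exe -autorun
O17 - HKLM\System\CCS\Services\Tcpip\..\{5136F4B2-C73E-4896-B425-D673DEA3F531}: NameServer = 202.79.32.33 202.79.32.35
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")  # section code, e.g. "O4 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")  # BHO/toolbar/adapter GUIDs
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|htm|html|sys)\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
AUTORUN_RE = re.compile(r"\[(.+?)\]\s+(.*)")  # O4 body: "[Name] command line"

@dataclass
class Entry:
    section: str
    body: str
    clsids: list
    paths: list
    ips: list

def parse_hjt(text):
    """Return one Entry per line carrying an HJT section prefix; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m: continue  # no section code: process list, headers, blank lines
        sec, body = m.groups()
        entries.append(Entry(sec, body, CLSID_RE.findall(body),
                             PATH_RE.findall(body), IPV4_RE.findall(body)))
    return entries

def autoruns(entries):
    """Map each O4 autorun name to its command line (what starts at logon)."""
    out = {}
    for e in entries:
        if e.section == "O4":
            m = AUTORUN_RE.search(e.body)
            if m:
                out[m.group(1)] = m.group(2)
    return out

def unexpected_name_servers(entries, expected):
    """O17 DNS servers outside the reviewer's expected set (the caller supplies it)."""
    return [ip for e in entries if e.section == "O17" for ip in e.ips if ip not in set(expected)]
```

Feed it a full log and `autoruns()` gives the list of programs started at logon, which is the part of an HJT log a reviewer checks first.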


#2 ken545




  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 15 May 2008 - 04:00 AM

Hello pokemonDoom

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to.

You posted here for help with the same issue. The forums are so busy that we cannot afford to tie up two people helping one poster with the same problem, so this is what you need to do: if you want to continue here that's fine, but you need to let the other forum know you're being helped here so they can close that thread, or vice versa.
http://www.techsupportforum.com/security-c...di-50760-a.html

If you choose to continue here I need to see a complete HijackThis log and also the Kaspersky log, if you still have it.

Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts; by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad.
  • Go to Format and make sure Word Wrap is unchecked.
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not Start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days.


#3 ken545




  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida

Posted 31 May 2008 - 09:58 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.





