Win32:small-fdp[trj] And Possible Others


2 replies to this topic

#1 12evolt

Posted 03 June 2008 - 12:47 AM

After surfing the web earlier today, my Avast AV popped up saying a trojan had been detected (the Win32:Small-FDP[trj]). I chose delete and all seemed well, but my desktop was changed to a blue screen with a blue and yellow box saying: "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer."; it also changed my screen saver to a blue screen with cockroaches.

I promptly ran a thorough scan via avast, but to no avail. Afterwards, I downloaded ATF Cleaner and cleared everything and rebooted... but no luck there. Following that and getting frustrated, I downloaded and did full scans with Spybot S&D, SUPERAntiSpyware, Malwarebytes' Anti-Malware, Deckard's System Scanner, and finally ComboFix with still no results (uninstalled TeaTimer before running the latter ones as recommended).

Here are the latest logs:


Deckard's System Scanner v20071014.68
Run by User on 2008-06-03 00:18:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:55 AM, on 6/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\S24EvMon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Dell TrueMobile 5100\GPRSMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RegSrvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\lphccjuj0ela3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\DOCUME~1\User\Desktop\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F1 - win.ini: run= C:\WESTWOOD\REDALERT\INSTICON.EXE
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [GC75-Manager-Class] "C:\Program Files\Dell TrueMobile 5100\GPRSMgr.exe" -startup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphccjuj0ela3] C:\WINDOWS\system32\lphccjuj0ela3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Documents and Settings\User\Desktop\HijackThis.exe /startupscan
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1124717217168
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6083 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-03 00:09:03 68096 --a------ C:\WINDOWS\zip.exe
2008-06-03 00:09:03 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-03 00:09:03 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-03 00:09:03 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-03 00:09:03 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-03 00:09:03 98816 --a------ C:\WINDOWS\sed.exe
2008-06-03 00:09:03 80412 --a------ C:\WINDOWS\grep.exe
2008-06-03 00:09:03 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-02 22:31:36 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-02 22:27:34 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-06-02 22:27:34 0 d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2008-06-02 19:44:09 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-06-02 19:43:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-02 19:43:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-02 19:33:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 17:20:01 0 d-------- C:\WINDOWS\Caps
2008-06-02 16:00:52 52736 --a------ C:\WINDOWS\system32\blphccjuj0ela3.scr <Not Verified; Peter's Productions; Bugs!>
2008-06-02 16:00:08 93184 --a------ C:\WINDOWS\system32\lphccjuj0ela3.exe
2008-06-02 03:43:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-02 03:43:19 0 d-------- C:\Documents and Settings\User\Application Data\Azureus
2008-05-23 21:28:46 0 d-------- C:\Documents and Settings\User\Application Data\mIRC
2008-05-23 21:28:45 0 d-------- C:\Program Files\mIRC
2008-05-12 21:20:03 0 d-------- C:\Documents and Settings\User\Application Data\U3


-- Find3M Report ---------------------------------------------------------------

2008-06-02 22:26:59 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-02 03:50:55 0 d-------- C:\Program Files\MtG Editor
2008-06-01 23:44:58 0 d-------- C:\Program Files\Steam
2008-06-01 17:56:56 0 d-------- C:\Documents and Settings\User\Application Data\Ruckus Network
2008-05-29 23:23:07 0 d-------- C:\Documents and Settings\User\Application Data\goombah
2008-05-16 00:55:53 0 d-------- C:\Documents and Settings\User\Application Data\.purple
2008-05-02 14:25:37 0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2008-04-12 20:24:37 0 d-------- C:\Program Files\Java
2008-04-06 16:41:29 0 d-------- C:\Documents and Settings\User\Application Data\gtk-2.0
2008-04-05 01:53:19 0 d-------- C:\Program Files\Pidgin
2008-04-05 01:53:18 0 d-------- C:\Program Files\Aspell
2008-04-05 01:51:03 0 d-------- C:\Program Files\Common Files
2008-04-05 01:51:03 0 d-------- C:\Program Files\Common Files\GTK
2008-04-05 01:45:22 0 d-------- C:\Program Files\Common Files\AOL


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [10/17/2002 01:54 PM C:\WINDOWS\system32\carpserv.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [08/22/2002 09:28 PM]
"PCTVOICE"="pctspk.exe" [07/18/2002 07:58 PM C:\WINDOWS\system32\pctspk.exe]
"GC75-Manager-Class"="C:\Program Files\Dell TrueMobile 5100\GPRSMgr.exe" [03/27/2004 01:10 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [05/15/2008 06:19 PM]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [07/05/2005 03:32 AM]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [06/27/2005 10:31 AM]
"BCMSMMSG"="BCMSMMSG.exe" [08/29/2003 04:59 AM C:\WINDOWS\BCMSMMSG.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 12:50 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [10/31/2003 09:42 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"lphccjuj0ela3"="C:\WINDOWS\system32\lphccjuj0ela3.exe" [06/02/2008 04:00 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 07:00 AM]
"HijackThis startup scan"="C:\Documents and Settings\User\Desktop\HijackThis.exe" [06/02/2008 09:54 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\system32\LgNotify.dll 07/05/2005 03:33 AM 188482 C:\WINDOWS\system32\LgNotify.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-03 00:19:30 ------------


[Edit: Have a ComboFix log, but "DO NOT post a ComboFix log unless requested to."]


Any timely help would be greatly appreciated!

Edited by 12evolt, 03 June 2008 - 12:52 AM.
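As an added triage example (not from the original post or from any of the tools named in it), the Python below parses the O4 Run entries of the HijackThis log and the "Files created" section of the DSS log posted above, flags Run entries whose value name looks machine-generated, and lists files created in the same folder within a few minutes of the flagged executable. The sample lines are a constructed subset copied from this thread's logs; the name heuristic and the five-minute window are assumptions of this example, not rules any of those tools apply.

```python
import re
from datetime import datetime, timedelta

# Constructed subset of the O4 and "Files created" lines from the logs above (backslashes doubled for Python).
HJT_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [NeroFilterCheck] C:\\WINDOWS\\system32\\NeroCheck.exe
O4 - HKLM\\..\\Run: [lphccjuj0ela3] C:\\WINDOWS\\system32\\lphccjuj0ela3.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""
DSS_FILES = """\
2008-06-02 19:43:50 0 d-------- C:\\Program Files\\Malwarebytes' Anti-Malware
2008-06-02 16:00:52 52736 --a------ C:\\WINDOWS\\system32\\blphccjuj0ela3.scr <Not Verified; Peter's Productions; Bugs!>
2008-06-02 16:00:08 93184 --a------ C:\\WINDOWS\\system32\\lphccjuj0ela3.exe
"""
O4_RE = re.compile(r'^O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] "?([^"]+)')
DSS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \d+ \S+ (.+?)(?: <.*>)?$")

def looks_generated(name):
    """Assumed heuristic: 10+ chars, lowercase letters mixed with digits, no separators."""
    return (len(name) >= 10 and name.isalnum() and name.islower()
            and any(c.isdigit() for c in name))

def parse_o4(log):
    """Return (value name, executable path) for every O4 Run entry."""
    return [m.groups() for m in map(O4_RE.match, log.splitlines()) if m]

def parse_dss(files):
    """Return {lowercased path: creation time} from the DSS file listing."""
    out = {}
    for m in filter(None, map(DSS_RE.match, files.splitlines())):
        out[m.group(2).lower()] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return out

def triage(hjt_log, dss_files, window=timedelta(minutes=5)):
    """Flag generated-looking Run entries and list files created near them in the same folder."""
    created = parse_dss(dss_files)
    findings = []
    for name, path in parse_o4(hjt_log):
        if not looks_generated(name):
            continue
        exe = path.lower()
        ref = created.get(exe)                      # creation time of the flagged executable
        folder = exe.rsplit("\\", 1)[0] + "\\"      # same-directory prefix
        companions = sorted(p for p, ts in created.items()
                            if ref and p != exe and p.startswith(folder)
                            and abs(ts - ref) <= window)
        findings.append({"name": name, "path": path, "companions": companions})
    return findings
```

On the thread's logs this pairs the Run entry with the .scr that replaced the screen saver, both dropped in system32 within the same minute, while the named vendor entries are left alone.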


#2 steamwiz

Posted 29 June 2008 - 03:02 PM

Hi

Sorry for the delay in responding to you, we have a long list of posters waiting for their threads to be analysed.

As it has been some time since you posted, you may have resolved your problem; please let us know if you have.

If you still require help, please make sure you have read this:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Please follow all the directions in the above thread, then come back here & copy & paste the requested updated logs... do NOT attach them

Logs requested :-

1. Deckard's System Scanner main.txt & extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...

2. KASPERSKY ONLINE SCANNER 7 REPORT

Please be sure to give as detailed an explanation of your problem as you can, tell us what programs you may have run whilst waiting for a reply and if you have received help elsewhere... also any new developments with your problem?

cheers

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware.

#3 steamwiz

Posted 25 July 2008 - 03:26 PM

Due to lack of feedback this topic is now closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam



