
Infected With Multi-named Virus/trojan


  • This topic is locked
10 replies to this topic

#1 chris_9

  • Members
  • 27 posts

Posted 15 August 2008 - 11:21 PM

Sys info:
P4 1.6 Ghz
768 MB RAM
XP home Ver 2002, SP3 Up to date
running ZoneAlarm (free version) and AVG (free version) and have scanned with BitDefender, AdAware and SpyBot Search and Destroy.

Starting mid June, AVG intermittently pops up and notifies there is a virus/trojan. I click heal and sometimes a small window pops up showing it failed to heal and other times nothing happens and I assume AVG did its thing and healed/deleted the threat. Lo and behold a few days or a few hours later, there's the warning again. There's no apparent pattern and it doesn't appear to be a severe threat, however ...

Anyway, the file AVG keeps flagging as the culprit appears to be renaming itself as A00085xx.xxx where the extension is .dll or .exe or .com and the 00085 is incremental because so far they are from A0008519.xxx to A0008575.xxx. The location is at c:\System Volume Information\_restore{ long hex number}\RP43\A00085xx.xxx.

I tried browsing that location but I wasn't permitted to see that folder despite full admin privileges ??? hmm, strange ... I assume this is where AVG is killing the infection and the process is replicating itself and the cycle repeats with a new filename.

AVG sometimes calls the infection/Trojan horse "Generic.KFR" or "Downloader.Small.5.AI" or "Dropper.Exehind", among others.

Anyway, onto the HJT log and we'll see where we go from there.

BIG THANKS AHEAD OF TIME

It has taken a while to get to this point and if the steps taken so far have cleared the issue then please let me know if all's well as this pesky intermittent AVG notice is the only issue the system has been having so I'll knock on wood for now and see where this takes us. How's that for a run-on sentence?


=========================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:57 PM, on 8/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\mozilla.org\SeaMonkey\seamonkey.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [pdfFactory Dispatcher v3] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis3a.exe" /source=HKLM
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{72759FF6-824B-49B3-86BD-89005AF6176B}: NameServer = 209.171.52.133 66.38.173.67
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7043 bytes
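The A00085xx.xxx paths in the post above are System Restore archive entries: XP copies changed files into <drive>:\System Volume Information\_restore{GUID}\RPnn\ as A0nnnnnn.ext, and that folder's default ACL grants access to SYSTEM only, which is why an administrator cannot browse it and why an on-demand scan keeps re-detecting the same archived copies. The script below is an added example, not the poster's or AVG's code; it parses such detection paths, separates restore-point copies from live files, and groups the copies per restore point so an analyst can see whether all hits sit in one RP (archived residue) or whether anything lives outside it. The GUID, restore-point number, file names and the "live" sample path are constructed for the example; the thread does not give the real GUID.

```python
"""Triage anti-virus detections that land inside Windows XP System Restore.

Added example for the thread above; it is not the poster's or AVG's code.
System Restore keeps archived copies of changed files under
<drive>:\\System Volume Information\\_restore{GUID}\\RPnn\\A0nnnnnn.ext, a
folder whose default ACL grants access to SYSTEM only, so an administrator
cannot browse it and an on-demand AV scan keeps re-detecting the copies.
The GUID, restore-point number and file names below are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Path layout of a System Restore archive entry on XP: drive letter, the
# _restore{GUID} root, a restore-point directory RPnn, and a file A<digits>.<ext>.
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f-]+)\}\\RP(?P<rp>\d+)\\A(?P<seq>\d+)\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class RestoreHit:
    drive: str
    guid: str
    restore_point: int
    sequence: int
    ext: str


def parse_restore_path(path: str) -> Optional[RestoreHit]:
    """Return a RestoreHit if `path` is a System Restore archive entry, else None."""
    m = RESTORE_RE.match(path.strip())
    if m is None:
        return None
    return RestoreHit(
        drive=m["drive"].lower(),
        guid=m["guid"].lower(),
        restore_point=int(m["rp"]),
        sequence=int(m["seq"]),
        ext=m["ext"].lower(),
    )


def triage(paths: List[str]) -> Tuple[Dict[Tuple[str, int], List[RestoreHit]], List[str]]:
    """Split detection paths into archived restore-point copies, grouped by
    (GUID, restore point), and live paths that need real investigation."""
    archived: Dict[Tuple[str, int], List[RestoreHit]] = defaultdict(list)
    live: List[str] = []
    for p in paths:
        hit = parse_restore_path(p)
        if hit is None:
            live.append(p)
        else:
            archived[(hit.guid, hit.restore_point)].append(hit)
    return dict(archived), live


def sequence_span(hits: List[RestoreHit]) -> Tuple[int, int, int]:
    """(lowest, highest, count) of archive sequence numbers within one restore point."""
    seqs = sorted(h.sequence for h in hits)
    return seqs[0], seqs[-1], len(seqs)


def verdict(archived: Dict[Tuple[str, int], List[RestoreHit]], live: List[str]) -> str:
    """Live detections take priority; archive-only detections are inert copies
    that disappear once the old restore points are purged (the rstrui/cleanmgr
    procedure given in the thread)."""
    if live:
        return "ACTIVE: detections outside System Restore; investigate live files first"
    if archived:
        return "ARCHIVED: all detections are System Restore copies; purge old restore points"
    return "NONE: no detections"


# Constructed sample input modelled on the poster's A00085xx.xxx names.
SAMPLE_GUID = "4b1d2c3e-0000-4000-8000-0123456789ab"  # constructed, not the real GUID
SAMPLE_BASE = rf"C:\System Volume Information\_restore{{{SAMPLE_GUID}}}\RP43"
SAMPLE_PATHS = [
    SAMPLE_BASE + r"\A0008519.dll",
    SAMPLE_BASE + r"\A0008540.exe",
    SAMPLE_BASE + r"\A0008575.com",
]
# Constructed path outside System Restore, used to show the "live" branch.
SAMPLE_LIVE = r"C:\Documents and Settings\user\Local Settings\Temp\sample.exe"


if __name__ == "__main__":
    archived, live = triage(SAMPLE_PATHS)
    for (guid, rp), hits in archived.items():
        lo, hi, n = sequence_span(hits)
        print(f"_restore{{{guid}}}\\RP{rp}: {n} archived copies, A{lo:07d}..A{hi:07d}")
    print(verdict(archived, live))
```

Feed it the paths from the AV's detection history; the sequence span per restore point tells you whether you are looking at one archived infection (consecutive numbers in a single RPnn) or at copies still being created in fresh restore points, and any path that fails to parse is a live file to look at before touching System Restore.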


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 August 2008 - 11:28 PM

Hello chris_9,

Welcome to Bleeping Computer :)

Your HijackThis log looks all right, but since you were infected, there are going to be items that remain in System Restore. Those are NO threat to you, however, and we can clear those right now. :thumbsup:

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it ( something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Let me know if that takes care of the problem, and NO run on sentences this time, or no soup for you!! :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#3 chris_9
  • Topic Starter

Posted 15 August 2008 - 11:53 PM

BIG THANKS for the response.

Time will tell if it comes back ... it has been an intermittent problem which only started recently.

I performed your instructions without incident.

BTW, all these other programs (I've only ever been running with ZoneAlarm-free ver. and AVG-free ver.) that I downloaded and are running: SpyBot and AdAware, can I turn them off/delete them or is it best to have a slower system and keep them up and running? 'Cuz I hate losing the resources. Or am I making too much of it?

The other issue is I'm in the sticks and am only on dial-up so you could imagine the joy I've had over the past couple of days getting all those tools etc.

Thanks again.

#4 teacup61

Posted 16 August 2008 - 12:03 AM

Hi there,

So that took care of the problem you mentioned? :) You're most welcome.

I feel for you. :thumbsup: It wasn't too long ago that I was still suffering through dialup. It's awful.

ZA is a pretty heavy program. You say you have the free version, right? How about testing a different firewall and see if it helps with the speed a bit? I use Comodo, and I don't have the fastest system in the universe. http://comodo.com If you decide to try it, just be sure to only run one at a time, or you'll run even slower. In fact, I would recommend uninstalling ZA altogether while you're testing Comodo. AdAware......it's okay, but I think Spybot, your AVG, and a firewall will do just as well without it. It just isn't what it used to be. As far as everything else, I don't see that you can pare down your startups any more than you already have to give you any more speed.

Let me know how you come out, and if you have any other questions. :)

Regards,
tea

#5 chris_9
  • Topic Starter

Posted 16 August 2008 - 01:05 AM

"Let me know how you come out, and if you have any other questions."

re other questions ... after complying with all the required steps at the beginning, the system is automatically launching and dialing the dial-up connection on every re-boot. I can't trace which procedure is doing it but I want it to stop. Could it have been one of the things I did in the "read this topic before posting a log" instruction? It must have been 'cuz it only started when I started fiddlin' .....

Thanks for everything else ... haven't gotten an AVG warning yet ... fingers crossed.

bye for now.

Edited by chris_9, 16 August 2008 - 01:06 AM.


#6 teacup61

Posted 16 August 2008 - 03:58 AM

It's a setting. Try this : Go to Network Connections, click on Advanced, and you should see Dial Up Preferences. Click on the one that says "never dial a connection" or something similar. Let me know. :thumbsup:

tea

#7 chris_9
  • Topic Starter

Posted 16 August 2008 - 09:45 AM

Thanks tea,

I'm pretty sure I want to keep that at "always dial my default connection." Else, when I launch SeaMonkey, I don't use IE, though it happens with IE as well, the browser just sits there waiting. Set to "always dial my ..." when I launch a browser, the dial-up connection sub-window appears and I simply "dial".

The problem is on boot, if I just simply boot the system and wait ... I don't even launch a browser or any other program ... some process is launching the dial-up connection and actually dialing. I can hear the modem as per norm when I manually dial. This is what is undesirable.

I'm thinking I should post in an appropriate forum for that one and let's just end this thread if you can't think of how to fix.

Again, big thanks

#8 teacup61

Posted 16 August 2008 - 03:49 PM

"some process is launching the dial-up connection and actually dialing."

Try it, what I told you....that's what I was telling you would fix it. :thumbsup:

#9 chris_9
  • Topic Starter

Posted 17 August 2008 - 11:43 PM

Rats,

I should have bet ya ... lol .... yeah, no, it didn't work as I suspected .....

... I'll just repost in a proper forum. But great thanks anyway. I haven't had the pop up's happen again yet so thumbs up there.

thanks

#10 teacup61

Posted 18 August 2008 - 02:00 AM

Heh......well one can hope. Sorry that wasn't it. I do still think it's a setting, and I'm glad the other problems have stayed away. :thumbsup: Thanks for getting back and letting me know. :)

Take care!
tea

#11 teacup61

Posted 11 September 2008 - 05:20 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.