HJT log file for my computer...please help !


This topic is locked
22 replies to this topic

#1 scythe

Posted 02 May 2005 - 02:04 PM

here's the logfile for my scan.
my avg antivirus resident shield keeps alerting me to a trojan it calls backdoor.beastdoor.gv.
i've got these folders and files all over my computer called 'thumbs' or 'desktop'.....
also little 1kb - 6kb files dotted all around with online links to album covers, photos etc...... :thumbsup:

i've run adaware & spybot but they can't seem to detect this trojan. :inlove:

THE LOGFILE :


Logfile of HijackThis v1.99.1
Scan saved at 19:20:28, on 02/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Crazy Browser\Crazy Browser.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Sean\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.btbroadbandstart.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.btbroadbandstart.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
am i doing this right for here?
hope this is enough info for someone to be able to help. :flowers:
hope to hear from someone.....thanks so much in advance ! :trumpet:


#2 OldTimer (Malware Expert)

Posted 02 May 2005 - 11:02 PM

Hello scythe and welcome to the BC forums. Your log does not show any signs of viruses or malware at this time. The Desktop and Thumbs files you are seeing are operating system files which are used to display files and folders in thumbnail view. There should be a set of these 2 files in every folder on the hard disk.

As for the AVG warning, it sounds like AVG is doing its job. It is warning you when a virus or infected file is present. When that happens you should have AVG quarantine the file and thus put it outside the range of any program to trigger it.

If you have any further questions feel free to post back.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 scythe (Topic Starter)

Posted 03 May 2005 - 06:26 AM

hi oldtimer..thanks for the reply there.

the avg resident shield warnings started suddenly yesterday and it gives the same warning: backdoor.beastdoor.gv EVERY TIME i do ANYTHING on the machine.....it might be as simple as opening windows media player or anything.

also these little files and folders marked 'thumbs' etc......suddenly appeared in all of my files/folders everywhere and there certainly was a sense of this thing spreading....the more i opened something or ran something....the more files would get infected (?)

avg also triggers on using the same application again and again too......it could be anything from playing music to using realplayer etc.....

i have the p2p filesharing prog. emule running on my machine. just thought i'd mention that too.

the avg resident shield detects this backdoor.beastdoor.gv but when i run a scan with avg, cwshredder, adaware, spybot......nothing comes up.
how can avg detect a virus in its resident shield but not have it come up on a scan?
avg is very reputed but is it any good in this case? should i switch to some other? (but i do like my avg !!! :thumbsup: )

what do you suggest?
it's really annoying to open an application (to read my scanned comics or watch a movie etc...) and have the avg resident shield start up and give at least 5 or 6 different file infected warnings EACH TIME !! & they all seem to have different names each time !

please advise and thanks again for your time ! :flowers:

#4 scythe (Topic Starter)

Posted 03 May 2005 - 06:55 AM

bloody hell !!! what's this ! what's this ! :thumbsup:

whilst writing out my above reply to oldtimer, i had a mini brainstorm !
i thought maybe avg's doing a false alarm on me...getting caught out again & again for some reason....

so i went to folder options & sure enough ! the bloody tick mark had switched to 'show hidden files (or some such)'......that's why i had all these 'thumbs' & stuff showing up all over the place !
i have no idea how it automatically switched !!! i didn't do it !

so i ticked 'do not show hidden files' and voila ! problem solved ! avg's sleeping quietly and all seems to be back to normal.....FOR NOW. :flowers:

however if the folks here don't mind, i'll see how it goes and if anything goes wrong again, if i may, i'd like to use your help again.
sheesh these machines !!!
why did avg report a trojan infection to me when nothing can be found in the log report ? could it be that there's something lurking there ?

******************************************

ok. somehow, it keeps switching over to 'show hidden files & folders' on its own whenever i open windows media player or any other application.
so the problem's still not solved.
and why did it suddenly start yesterday ?

any suggestions ?
what exactly is BEASTDOOR.BACKDOOR.GV ?
when resident shield triggers it gives me three options :

continue (?), info (which if one clicks it, it says no info available) & go to file (which when i go to it, how do i quarantine it then ? the quarantine option doesn't show up on right clicking on the file & when i get avg to scan the file, it says no virus !!! so i don't know what the hell's going on !).

how do i do this ?

'When that happens you should have AVG quarantine the file and thus put it outside the range of any program to trigger it.'

Edited by scythe, 03 May 2005 - 08:48 AM.


#5 OldTimer (Malware Expert)

Posted 03 May 2005 - 09:38 AM

Hi scythe. Well, let's do a little checking. Check and see if any of the following files are found on your system:

10b66ccd.exe
1159296875.dll
-1197875863.exe
1f73dc76.exe
2fa42733.exe
315207293.exe
334573e8.exe
3759739e.dll
48c06bde.exe
5808575f.exe
5cd805de.dll
738489b7.exe
-83119505.exe
857346ec.exe
91ede9dc6d61b28d16b639d764184f0f.exe
backdoor.beastdoor.17.exe
backdoor.beastdoor.201.a.exe
backdoor.beastdoor.201.b.exe
backdoor.beastdoor.202.b.exe
backdoor.beastdoor.205[3].exe
beast.exe
c9551816f7f1d4ebb50d2a39e8fd4a23.exe
download.asp
e31554cb.exe
e4ad2f6c.exe
f61fe908.exe
fef66814.exe
file.html
me.html
me-beast.html
msassh.com
msnsetup.exe
msnsgs.exe
server.exe
unit1.pas
unit2.pas
webmsn.txt
zhortrox.exe

See what you come up with.

Cheers.

OT

Edited by OldTimer, 03 May 2005 - 09:39 AM.


#6 scythe (Topic Starter)

Posted 03 May 2005 - 02:02 PM

hi oldtimer !

yes....i did find 8 files under the search - me.html

most of them had something or other to do with realplayer & one with a website.

just for the record this is how i searched :

i opened the search option (when one clicks 'start' on the bottom LHS of the screen).....
then i set it so that it would search in all files & folders...even the hidden ones.....and then i copy/pasted each specified file into the search bar and ran the search.
thought i'd mention it because i'm not very computer literate so may have done it all wrong !!

what do i do now ?
also oddly enough, my internet connection's started acting up as well....which it very rarely does......it might be nothing connected with this but still to mention it here just so that.

thanks :thumbsup:

#7 OldTimer (Malware Expert)

Posted 03 May 2005 - 02:21 PM

Hi scythe. You can go ahead and delete any of the files that you found. If they were .dll files then you will need to unregister them first by doing the following:

Click Start > Run, type cmd into the Open edit box and click the OK button. Navigate to the folder containing the .dll file and type the command below for each .dll file, pressing the Enter key after each one:

regsvr32 /u <dll filename>

Cheers.

OT

#8 scythe (Topic Starter)

Posted 03 May 2005 - 03:20 PM

hi oldtimer.....thanks again

the results :
this time when i searched for me.html, 19 files came up! & the search took a lot longer for some reason...however i wasn't able to tell which ones were .dll
how do i do that ?

also in light of the fact that this time 19 files came up instead of the 8 which came up last time, should i run a search again for each of the files you outlined ?

so...i have deleted the 19 files that came up and just now clicked run & cmd & it went into a black screen with windows xp details and :

c:\documents and settings\sean> (a flashing cursor here)

that's it....nothing else.
is this good ?

what is me.html ?
is there a way to protect myself in the future from such a thing ?
how can avg resident shield put a name to this yet not be able to handle it when a scan is run ?

Edited by scythe, 03 May 2005 - 03:48 PM.


#9 scythe (Topic Starter)

Posted 03 May 2005 - 04:30 PM

nope.
the problem's still there. however at least it seems that there are fewer times that the resident shield flashes with a warning one after the other...whereas before it was at least 6-7 times, now it's 3-4 times.

also....when i run an avg scan it says in the result column for certain files - change and in the status column - changed

what's all that about ?

Edited by scythe, 03 May 2005 - 05:08 PM.


#10 OldTimer (Malware Expert)

Posted 03 May 2005 - 05:14 PM

Hi scythe. You might not be showing all files. Repeat the search for all of the files, but prior to doing so do this:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
When you search do this:

Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Cheers.

OT
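The two checks OldTimer gives in this thread, the filename list in post #5 and the hidden-file search settings in post #10, can be scripted so that nothing hidden is skipped and the .dll hits, which post #7 says must be unregistered with regsvr32 /u before deletion, are called out separately. The script below is an added example and is not OldTimer's or BleepingComputer's code: it uses Python instead of the XP search box, copies the filenames from post #5, builds a small constructed directory tree to run against (no real sample is touched), and only reports what it finds, with a SHA-256 so a file can be looked up, rather than deleting anything. The helper names are the example's own.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Filenames copied from OldTimer's list in post #5. Matching is case-insensitive
# because Windows filesystems are (scythe's hits could be MSNSGS.EXE or msnsgs.exe).
SUSPECT_NAMES = {
    "10b66ccd.exe", "1159296875.dll", "-1197875863.exe", "1f73dc76.exe",
    "2fa42733.exe", "315207293.exe", "334573e8.exe", "3759739e.dll",
    "48c06bde.exe", "5808575f.exe", "5cd805de.dll", "738489b7.exe",
    "-83119505.exe", "857346ec.exe", "91ede9dc6d61b28d16b639d764184f0f.exe",
    "backdoor.beastdoor.17.exe", "backdoor.beastdoor.201.a.exe",
    "backdoor.beastdoor.201.b.exe", "backdoor.beastdoor.202.b.exe",
    "backdoor.beastdoor.205[3].exe", "beast.exe",
    "c9551816f7f1d4ebb50d2a39e8fd4a23.exe", "download.asp", "e31554cb.exe",
    "e4ad2f6c.exe", "f61fe908.exe", "fef66814.exe", "file.html", "me.html",
    "me-beast.html", "msassh.com", "msnsetup.exe", "msnsgs.exe", "server.exe",
    "unit1.pas", "unit2.pas", "webmsn.txt", "zhortrox.exe",
}


def sha256_of(path):
    """Hash the file in chunks so large files never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suspect_files(root, names=SUSPECT_NAMES):
    """Walk root and return sorted records for every file whose name is on the list.

    os.walk enumerates hidden and system files no matter what Explorer's
    'Show hidden files and folders' option is set to, which is what the
    folder-options steps in post #10 are there to achieve by hand.
    """
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                p = Path(dirpath, fn)
                hits.append({
                    "path": str(p),
                    "ext": p.suffix.lower(),   # answers "which ones were .dll?"
                    "size": p.stat().st_size,
                    "sha256": sha256_of(p),
                })
    return sorted(hits, key=lambda r: r["path"])


def split_dlls(hits):
    """Separate .dll hits (post #7: 'regsvr32 /u <name>' before deleting) from the rest."""
    dlls = [r["path"] for r in hits if r["ext"] == ".dll"]
    others = [r["path"] for r in hits if r["ext"] != ".dll"]
    return dlls, others


def build_sample_tree():
    """Constructed sample tree (nothing from scythe's machine): one listed .dll in a
    cache-like folder, one listed .exe with upper-case name, and one unrelated file."""
    root = tempfile.mkdtemp(prefix="beastdoor_demo_")
    cache = Path(root, ".cache")
    cache.mkdir()
    (cache / "1159296875.dll").write_bytes(b"constructed sample, not a real binary")
    progs = Path(root, "Program Files")
    progs.mkdir()
    (progs / "MSNSGS.EXE").write_bytes(b"constructed sample, not a real binary")
    Path(root, "readme.txt").write_text("benign file, should not be reported")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        dlls, others = split_dlls(find_suspect_files(sample_root))
        for p in dlls:
            print(f"DLL (unregister with regsvr32 /u before deleting): {p}")
        for p in others:
            print(f"listed file: {p}")
    finally:
        shutil.rmtree(sample_root)
```

Run it against a real drive by replacing build_sample_tree() with the root to scan, e.g. find_suspect_files("C:\\"). Note that a generic name such as me.html will also match legitimate files (scythe's 19 RealPlayer hits are an example), so the path and hash are there to decide case by case rather than to justify bulk deletion.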

#11 scythe (Topic Starter)

Posted 06 May 2005 - 10:34 AM

the problem seems to have gone now.

i used the search method like you recommended.

thanks so much OT.
i really appreciate it. :thumbsup:

:flowers:

#12 OldTimer (Malware Expert)

Posted 06 May 2005 - 04:31 PM

You're very welcome scythe. I'm glad that we could help.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:

#13 scythe (Topic Starter)

Posted 14 August 2005 - 12:53 PM

hi Old Timer :thumbsup:
thanks for such a prompt and gracious reply.

before i do anything i wanted to clarify a little bit. maybe it won't change your suggestion of winpfind etc..but i'll just let you know anyway.

"it seems the backdoor.beastdoor.gv trojan has embedded itself in my windows update download files somewhere. so it doesn't allow me to download windows updates, specially security ones, and avg antivirus always gives me a "backdoor.beastdoor" warning.
exactly the same warning as the earlier issue in the thread."

that's not right. i am able to download the windows update files perfectly but when it comes to installing them, it doesn't install them (windows was unable to install the following updates......etc.) and my avg antivirus kicks in with the backdoor.beastdoor warning.

so sorry....it's in installing the updates, not the downloading.
i don't know if this changes the suggestions you gave me so i'm just gonna wait till you give me the go ahead.
sorry for the little trouble.
thanks so much :flowers:

#14 OldTimer (Malware Expert)

Posted 15 August 2005 - 11:11 AM

Hi scythe. Go ahead and post the logs as requested. They will tell me what is going on in the operating system.

OT

#15 scythe (Topic Starter)

Posted 18 August 2005 - 11:25 AM

hi OT.
sorry for the delay in the reply here.
umm......i'll tell you what i've done because whatever it is, it's not working yet.
1. i've downloaded winpfind (it downloads as a .rar file) into "my documents" folder.
2. i right click on it and click on "extract to winpfind\" (the fifth option down).....it extracts winpfind to a new normal folder called winpfind. (i don't have full access to .rar service so i always use this way to unzip the files.)

now.

i don't know whether this is what you meant by :

Download WinPFind.zip and unzip the contents to the C:\ folder.

if not please tell me how to do it ?

3. i restart the computer and press f8.
4. use arrow keys to enable SAFE MODE
5. i can't locate c:\winpfind\winpfind.exe in there....in fact it doesn't give me any options to locate anything. the only option i get is whether to run windows xp 2000 professional (or whatever the official name of what i've got here).....

please advise.

thanks in advance. :thumbsup:

p.s. : btw i run hijackthis directly from my desktop shortcut icon too.......just wondering if that's correct because when i double clicked on the winpfind icon in the folder (beside the "patterns.txt" file) it gave me the option of 'start scanning' etc.......but this is inside of windows in "my documents" folder ? i hope i'm making sense !!! :flowers:
