Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan virus


  • This topic is locked This topic is locked
1 reply to this topic

#1 momtopeyton

momtopeyton

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 27 October 2008 - 10:52 AM

I have done all 5 steps required before posting. I originally posted last Wednesday and never received a response. Please help.
Trojan Agent ukr in system 32

Here is my Hijack This log file
I am getting a trojan win32 agent ukr virus error from avg
I have tried SD Fix but it will not open properly in Safe Mode. Also tried command prompt to open sdfix. It opened but did not run any type of scan..
Please let me know what I should do.

Active Scan Results:

;*******************************************************************************
********************************************************************************
********************
ANALYSIS: 2008-10-23 12:54:30
PROTECTIONS: 1
MALWARE: 17
SUSPECTS: 0
;*******************************************************************************
********************************************************************************
********************
PROTECTIONS
Description Version Active Updated
;===============================================================================
================================================================================
====================
Windows Defender 1.1.4005.0 No No
;===============================================================================
================================================================================
====================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
================================================================================
====================
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader
00027660 adware/savenow Adware No 0 Yes No hkey_local_machine\software\classes\runmsc.loader.1
00027660 adware/savenow Adware No 0 Yes No HKEY_CLASSES_ROOT\Interface\{c285d18d-43a2-4aef-83fb-bf280e660a97}
00027660 adware/savenow Adware No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00027660 adware/savenow Adware No 0 Yes No hkey_classes_root\clsid\{9f95f736-0f62-4214-a4b4-caa6738d4c07}
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@trafficmp[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\billy_and_kara@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@atdmt[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@mediaplex[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\billy_and_kara@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@ad.yieldmanager[3].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@apmebf[2].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@apmebf[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@advertising[2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@statse.webtrendslive[2].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@ads.pointroll[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@ads.pointroll[2].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@zedo[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@adrevolver[3].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@adrevolver[2].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Users\billy and kara\AppData\Roaming\Microsoft\Windows\Cookies\Low\billy_and_kara@enhance[2].txt
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\apps\Cghtme.exe
03738686 Generic Malware Virus/Trojan No 0 No No C:\Users\billy and kara\Downloads\SDFix.exe[C:\Users\billy and kara\Downloads\SDFix.exe][SDFix\catchme.exe]
03738686 Generic Malware Virus/Trojan No 0 No No C:\Users\billy and kara\Downloads\SDFix.exe[C:\Users\billy and kara\Downloads\SDFix.exe][SDFix\apps\Cghtme.exe]
03738686 Generic Malware Virus/Trojan No 0 Yes No C:\SDFix\catchme.exe
;===============================================================================
================================================================================
====================
SUSPECTS
Sent Location
U���q s5
;===============================================================================
================================================================================
====================
;===============================================================================
================================================================================
====================
VULNERABILITIES
Id Severity Description
U���q s5
;===============================================================================
================================================================================
====================
;===============================================================================
================================================================================
====================

Hijack This Log File

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:44 PM, on 10/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Users\billy and kara\Downloads\windows-kb890830-v2.3.exe
c:\80bdc7506bf3b0400f\mrtstub.exe
C:\Windows\system32\MRT.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://l.yimg.com/jh/games/web_games/popca...aploader_v6.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

BC AdBot (Login to Remove)

 


#2 momtopeyton

momtopeyton
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:07:05 PM

Posted 28 October 2008 - 08:08 AM

After waiting a week with no reply, I did a system recovery. I was hoping I wouldn't have to do that, but without any advice, I didn't know what else to do. Please close this thread.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users