
Trojan-spy.gampass


  • This topic is locked
2 replies to this topic

#1 espinozarenata

espinozarenata

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:24 PM

Posted 16 December 2008 - 11:17 AM

Every time I run Spyware Doctor I get the Trojan-spy.gampass infection, and even when Spyware Doctor says it was cleaned, after I restart the computer the worm is still there.

I would appreciate any help you can provide me to remove this worm.


DDS (Version 1.1.0) - NTFSx86
Run by renata.espinoza at 9:56:23.09 on Tue 12/16/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.52.1033.18.2814.2072 [GMT -6:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\IBM\SDP70Shared\AgentController\bin\ACWinService.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Program Files\IBM\SDP70Shared\AgentController\bin\tptpProcessController.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SysAid\IliAS.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mx One\mogtr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Acer\Acer Bio-Protection fingerprint solution\PdtWzd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\j2re1.4.2_18\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\DOCUME~1\RENATA~1.ESP\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\renata.espinoza\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Pounce Consulting
uStart Page = hxxp://www.google.com/
uURLSearchHooks: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - c:\program files\aim search\AOLSearch.dll
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {1E9FB1C4-F40B-4E10-898E-D6209B122F6B} - c:\program files\ibm\sdp70\functionaltester\bin\RTXIEEnabler.dll
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - c:\program files\aim search\AOLSearch.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [vamsoft] c:\windows\system32\vamsoft.exe
mRun: [Mx_One_Guardian_Tiempo_Real] c:\program files\mx one\mogtr.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [ZPdtWzdVitaKey MC3000] "c:\program files\acer\acer bio-protection fingerprint solution\PdtWzd.exe" show
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\j2re1.4.2_18\bin\jusched.exe"
mRun: [Client Access Service] "c:\program files\ibm\client access\cwbsvstr.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{24c67b54-0718-445e-b663-3138d9246bd1}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio-protection fingerprint solution\PwdBank.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {10954C80-4F0F-11d3-B17C-00C0DFE39736} - c:\program files\acer\acer bio-protection fingerprint solution\PwdBank.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: AtiExtEvent - Ati2evxx.dll
Notify: AWinNotifyVitaKey MC3000 - c:\program files\acer\acer bio-protection fingerprint solution\WinNotify.dll
LSA: Notification Packages = scecli c:\program files\acer\acer bio-protection fingerprint solution\PwdFilter

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\renata~1.esp\applic~1\mozilla\firefox\profiles\vntype6t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava11.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava12.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava13.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava14.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJava32.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPJPI142_18.dll
FF - plugin: c:\program files\java\j2re1.4.2_18\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-12 40840]
R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2008-9-8 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2008-9-8 35712]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-9-8 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-9-8 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-9-8 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-9-8 10760]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-12 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-12 81288]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2008-9-8 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2008-9-8 49664]
R2 IBM Rational Agent Controller;IBM Rational Agent Controller;c:\program files\ibm\sdp70shared\agentcontroller\bin\ACWinService.exe [2008-11-13 69632]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-12-12 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-12-12 1079176]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe" [2008-11-14 24652]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2008-12-16 09:38 85,504 ---shr-- c:\windows\system32\vbsdfe2.dll
2008-12-12 21:49 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-12 21:49 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-12 21:49 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-12 21:49 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-12 21:49 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-12 21:49 <DIR> --d----- c:\docume~1\renata~1.esp\applic~1\PC Tools
2008-12-11 12:52 <DIR> --d----- C:\Acer5520VideoDrivers
2008-12-10 08:52 107,045 ---shr-- C:\6fnlpetp.exe
2008-12-10 08:50 85,504 -------- c:\windows\system32\vbsdfe1.dll
2008-12-09 09:34 107,045 ---shr-- C:\3rl3lqbq.bat
2008-12-09 09:33 85,504 ---shr-- c:\windows\system32\vbsdfe0.dll
2008-12-09 09:33 113,878 ---shr-- c:\windows\system32\vamsoft.exe
2008-12-08 19:56 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-08 19:50 <DIR> --d----- C:\spoolerlogs
2008-12-08 13:35 176,235 a------- c:\windows\system32\Primomonnt.dll
2008-12-08 13:35 <DIR> --d----- c:\windows\PrimoPDF4
2008-12-08 13:35 <DIR> --d----- c:\program files\activePDF
2008-12-08 13:11 107,045 ---shr-- C:\m9ma.exe
2008-12-05 19:18 <DIR> --d----- c:\docume~1\renata~1.esp\applic~1\Stellent
2008-12-02 15:09 279 a------- C:\Shortcut to Local Disk ©.lnk
2008-12-01 16:42 <DIR> --d----- C:\Backup
2008-11-26 16:09 230 a------- c:\windows\system32\spupdsvc.inf
2008-11-20 18:05 <DIR> --d----- c:\documents and settings\renata.espinoza\DownloadDirector
2008-11-19 09:57 138 a------- c:\windows\ODBC.INI
2008-11-19 09:44 <DIR> --d----- c:\documents and settings\renata.espinoza\.vec
2008-11-19 09:40 722,192 a------- c:\windows\system32\vb40032.dll
2008-11-19 09:40 290,816 a------- c:\windows\system32\gsw32.exe
2008-11-19 09:40 253,952 a------- c:\windows\system32\grdkrn32.dll
2008-11-19 09:40 69,632 a------- c:\windows\system32\gswdll32.dll
2008-11-19 09:40 27,648 a------- c:\windows\system32\hlp95en.dll
2008-11-19 09:40 307,251 a------- c:\windows\system32\cwbaffax.dll
2008-11-19 09:40 20,480 a------- c:\windows\gsk7bui.exe
2008-11-19 09:40 1,036,339 a------- c:\windows\system32\cwbzzodb.dll
2008-11-19 09:40 507,954 a------- c:\windows\system32\cwbodbc.dll
2008-11-19 09:40 360,499 a------- c:\windows\system32\cwbtfcrt.dll
2008-11-19 09:40 663,603 a------- c:\windows\system32\cwbtfutl.dll
2008-11-19 09:40 221,235 a------- c:\windows\system32\cwbtfdlg.dll
2008-11-19 09:39 40,960 a------- c:\windows\system32\pcmfcenu.dll
2008-11-19 09:38 89,600 a------- c:\windows\system32\grid32.ocx
2008-11-19 09:38 36,915 a------- c:\windows\system32\cwbsotdc.dll
2008-11-19 09:36 306,688 a------- c:\windows\IsUninst.exe
2008-11-18 09:33 <DIR> --d----- c:\documents and settings\renata.espinoza\.dia
2008-11-18 09:33 <DIR> --d----- c:\program files\Dia
2008-11-18 09:23 <DIR> --d----- c:\documents and settings\renata.espinoza\MTA
2008-11-17 13:06 <DIR> --d----- c:\program files\common files\IdcShared
2008-11-17 13:06 <DIR> --d----- c:\program files\Stellent Desktop
2008-11-17 12:35 61,555 a------- c:\windows\system32\jpicpl32.cpl
2008-11-17 12:31 <DIR> --d----- c:\program files\Juniper Networks
2008-11-17 12:30 <DIR> --d----- c:\docume~1\renata~1.esp\applic~1\Juniper Networks

==================== Find3M ====================

2008-12-06 04:32 104,421 ---shr-- C:\2u.com
2008-11-13 16:16 48,640 a------- c:\windows\system32\libfdnvin.dll
2008-10-24 05:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 06:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 19:00 666,112 a------- c:\windows\system32\wininet.dll
2008-10-03 04:02 247,326 a------- c:\windows\system32\strmdll.dll

============= FINISH: 9:56:53.28 ===============
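The DDS log above contains a pattern worth recognising on its own: several freshly created files carry the hidden+system+read-only attribute combination (`---shr--`), three of them are random-named executables of identical size dropped straight into the root of C:\, and one (vamsoft.exe) is also launched from a `uRun` autostart entry. As an added example, not part of the original post and not part of DDS itself, the following Python script parses those DDS sections and reports which files trip such indicators. The sample input is copied from the log above; the heuristics (hidden+system attributes, executable in a drive root, identical sizes, autostart reference) are this example's own choices about what a responder scans for, not anything DDS computes.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the DDS log quoted in the post above
# (a few "Run" autostart entries from the Pseudo HJT section plus part of
# "Created Last 30" and "Find3M").
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [vamsoft] c:\windows\system32\vamsoft.exe
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"

=============== Created Last 30 ================

2008-12-16 09:38 85,504 ---shr-- c:\windows\system32\vbsdfe2.dll
2008-12-12 21:49 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-12 21:49 <DIR> --d----- c:\program files\Spyware Doctor
2008-12-10 08:52 107,045 ---shr-- C:\6fnlpetp.exe
2008-12-10 08:50 85,504 -------- c:\windows\system32\vbsdfe1.dll
2008-12-09 09:34 107,045 ---shr-- C:\3rl3lqbq.bat
2008-12-09 09:33 113,878 ---shr-- c:\windows\system32\vamsoft.exe
2008-12-08 19:56 221,184 a------- c:\windows\system32\wmpns.dll
2008-12-08 13:11 107,045 ---shr-- C:\m9ma.exe

==================== Find3M ====================

2008-12-06 04:32 104,421 ---shr-- C:\2u.com
2008-10-24 05:21 455,296 a------- c:\windows\system32\drivers\mrxsmb.sys
"""

# One DDS file line: date, time, size or <DIR>, 8-char attribute field, path.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$")
# uRun/mRun/dRun autostart lines: capture the program path, quoted or not.
RUN_RE = re.compile(r'^[umd]Run: \[[^\]]*\] "?([^"]+?\.(?:exe|bat|com|scr|pif))"?', re.IGNORECASE)
# A path sitting directly in a drive root, e.g. C:\m9ma.exe
ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)
EXEC_EXT = (".exe", ".bat", ".com", ".scr", ".pif")


@dataclass
class Entry:
    date: str
    size: Optional[int]   # None for directories
    attrs: str            # DDS attribute field, e.g. "---shr--"
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_dds(text: str) -> Tuple[List[Entry], List[str]]:
    """Split a DDS excerpt into file entries and lower-cased autostart paths."""
    entries: List[Entry] = []
    autostart: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            date, _time, size, attrs, path = m.groups()
            entries.append(Entry(date, None if size == "<DIR>" else int(size.replace(",", "")), attrs, path))
            continue
        m = RUN_RE.match(line)
        if m:
            autostart.append(m.group(1).lower())
    return entries, autostart


def flag_suspicious(entries: List[Entry], autostart: List[str]) -> Dict[str, List[str]]:
    """Map each file path that trips at least one heuristic to its reasons.

    The heuristics are this example's own (assumed) choices, not DDS output:
    hidden+system attributes on a new file, an executable dropped straight
    into a drive root, several new files of identical size (sibling copies of
    one dropper), and a Run autostart entry pointing at the file.
    """
    files = [e for e in entries if not e.is_dir]
    size_count = Counter(e.size for e in files)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for e in files:
        low = e.path.lower()
        if "h" in e.attrs and "s" in e.attrs:
            reasons[e.path].append("hidden+system attributes")
        if ROOT_RE.match(e.path) and low.endswith(EXEC_EXT):
            reasons[e.path].append("executable dropped in drive root")
        if size_count[e.size] > 1:
            reasons[e.path].append("same size as %d other new file(s)" % (size_count[e.size] - 1))
        if low in autostart:
            reasons[e.path].append("referenced by a Run autostart entry")
    return dict(reasons)


if __name__ == "__main__":
    found, runs = parse_dds(SAMPLE_DDS)
    for path, why in flag_suspicious(found, runs).items():
        print(path)
        for r in why:
            print("   -", r)
```

On the sample above the script flags seven files and leaves the legitimate driver and DLL entries alone; feeding it a complete DDS log (the whole text, not just these sections) works the same way, since lines that match neither pattern are ignored. The size-sharing rule is deliberately weak on its own and is only meaningful alongside the attribute or location checks.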



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:24 PM

Posted 16 December 2008 - 12:08 PM

Hi,

Your version of AVG is way outdated. Please uninstall AVG 7 and redownload the latest version AVG 8 and install it.
Make sure the database is up to date.
Then perform a full scan with it and let it quarantine everything it is finding.
Reboot afterwards.

After reboot, download the next removal tool to your desktop:
http://www.techsupportforum.com/sectools/s...Disinfector.exe
If you have any flash drives that were used previously, insert them as well, since this is a flash-drive infection and the above tool will disinfect them too.
Then double-click Flash_Disinfector.exe to run the tool.
Your desktop and icons will disappear afterwards. This is normal.
When the tool has finished, reboot your computer.

Then, please visit this webpage for instructions on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:09:24 PM

Posted 07 January 2009 - 06:48 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
