Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TROJAN virus unsolicited


  • This topic is locked This topic is locked
4 replies to this topic

#1 kathiev

kathiev

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:08:07 AM

Posted 31 December 2008 - 08:20 PM

DS (Version 1.1.0) - NTFSx86
Run by Owner at 19:39:42.87 on Wed 12/31/2008
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.89 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\Internet Antivirus Pro\IAPro.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com
uInternet Settings,ProxyOverride = <local>;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: TeacherTube Toolbar: {ad457467-1e66-4ec6-b89d-dd33339cfecb} - c:\program files\teachertube\tbTeac.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: TeacherTube Toolbar: {ad457467-1e66-4ec6-b89d-dd33339cfecb} - c:\program files\teachertube\tbTeac.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: TeacherTube Toolbar: {ad457467-1e66-4ec6-b89d-dd33339cfecb} - c:\program files\teachertube\tbTeac.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Microsoft Windows logon process] c:\documents and settings\owner\application data\microsoft\windows\winlogon.exe
uRun: [Internet Antivirus Pro] "c:\program files\internet antivirus pro\IAPro.exe" /s
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [StatusClient] c:\program files\hewlett-packard\toolbox2.0\apache tomcat 4.0\webapps\toolbox\statusclient\StatusClient.exe /auto
mRun: [TomcatStartup] c:\program files\hewlett-packard\toolbox2.0\hpbpsttp.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\forget~1.lnk - c:\program files\mindscape\agspirit\PMREMIND.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: Add to AMV Converter... - c:\program files\mp3 player utilities 4.15\amvconverter\grab.html
IE: Add to Media Manager... - c:\program files\mp3 player utilities 4.15\mediamanager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-20 97928]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-20 26824]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-3 875288]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-3 231704]
R2 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-5-20 76040]
R2 ITGrdEngine;Guard Service;c:\documents and settings\owner\local settings\application data\microsoft\windows\services.exe [2008-12-31 200192]

=============== Created Last 30 ================

2008-12-31 18:56 <DIR> a-dshr-- C:\cmdcons
2008-12-31 17:14 161,792 a------- c:\windows\SWREG.exe
2008-12-31 17:14 98,816 a------- c:\windows\sed.exe
2008-12-31 16:16 <DIR> --d----- c:\docume~1\owner\applic~1\Internet Antivirus Pro
2008-12-31 16:15 <DIR> --d----- c:\program files\Internet Antivirus Pro
2008-12-31 05:49 2,087,005 a------- c:\program files\common files\InternetAntivirusPro.exe
2008-12-31 05:36 34,816 a------- c:\program files\common files\file.exe
2008-12-30 15:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sandlot Games
2008-12-30 15:02 <DIR> --d----- c:\program files\Westward
2008-12-20 10:49 <DIR> --d----- c:\program files\Airport Mania - First Flight
2008-12-19 14:14 <DIR> --d----- c:\docume~1\owner\applic~1\World-LooM
2008-12-19 14:14 4,096 a------- c:\windows\d3dx.dat
2008-12-19 11:32 <DIR> --d----- c:\docume~1\owner\applic~1\CatmoonGames
2008-12-19 11:31 <DIR> --d----- c:\program files\Floating Kingdoms
2008-12-13 21:31 <DIR> --d----- c:\program files\LucasArts
2008-12-09 16:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trymedia
2008-12-09 16:27 <DIR> --d----- c:\program files\Yahoo! Games
2008-12-07 07:59 <DIR> --d----- c:\program files\iPod
2008-12-07 07:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 17:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fugazo
2008-12-06 17:37 <DIR> --d----- c:\program files\FishCo

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-07-07 12:16 2,583 a------- c:\program files\Uninst.isu
2008-05-22 17:03 0 ac------ c:\program files\FileZilla_3.0.10_win32-setup.exe
1998-09-02 08:51 21,057,052 a------- c:\program files\Ag10dsa.tdt
1998-09-02 08:51 943,104 a------- c:\program files\Ag10dsa.kdr
1998-09-02 08:51 448,681 a------- c:\program files\Ag10dsa.idt
1998-09-02 08:51 267,264 a------- c:\program files\Ag10dsa.cdr
1998-09-02 08:51 50,710 a------- c:\program files\Ag10dsa.bdt
1998-09-02 08:51 20,284 a------- c:\program files\Ag10dsa.tdr
1998-09-02 08:51 20,284 a------- c:\program files\Ag10dsa.idr
1998-09-02 08:51 8,507 a------- c:\program files\Ag10dsa.bdr
1998-06-25 12:29 262 -----r-- c:\program files\Ag10dsa.ini
2008-05-20 14:58 16,384 ac-sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-20 14:58 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-20 14:58 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008052020080521\index.dat
2008-05-20 14:58 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 19:40:01.09 ===============

BC AdBot (Login to Remove)

 


#2 Deacon10

Deacon10

  • Members
  • 240 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tampa Area Florida
  • Local time:08:07 AM

Posted 01 January 2009 - 12:21 PM

"Welcome to BleepingComputer.com"

I'm Deacon10 or Larry if you prefer and will be working with you to resolve your problems. I am reviewing your log which requires an amount of research, so please be patient.
Just a few notes I tell everybody I work with:
  • Please reply to this thread. Do not start a new topic.
  • If you have any questions or don't understand something please stop and ask before you proceed.
  • Please set aside enough time to complete all the steps in each post and follow these instructions in the order stated.
  • Please don't run any extra "scans or fix" programs not requested by me, it could change the results in the reports I request.
  • If you have circumstances that you are aware of that will delay your response, then please let me know. This is to insure that your topic remains open.
  • Please continue here with me until I tell you your system is free from malware. :thumbsup:
    Just because a symptom disappears does not mean your system is clean.
  • The following fix is specifically designed for this users post and this machine only!

Deacon10

"Hindsight explains the injury that foresight would have prevented”

#3 Deacon10

Deacon10

  • Members
  • 240 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tampa Area Florida
  • Local time:08:07 AM

Posted 02 January 2009 - 12:42 PM

Hi kathiev,

:)
I don't see a firewall installed on your system.
Windows firewall is a one-way firewall and is limited. A Bi-directional firewall allows you to monitor data in both directions. If you do not have a firewall, I suggest you download and install one of these:

COMODO

KERIO 2.1.5

See, Understanding and Using Firewalls

:)
Download Malwarebytes' Anti-Malware from HERE or from HERE

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform full scan"; then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad. You may be prompted to Restart (See Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

:thumbsup:
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt will be maximized and info.txt will be minimized)
Post back with:
MBAM Log
RSIT log.txt
RSIT info.txt

Please add a description of how your system is operating

Deacon10

"Hindsight explains the injury that foresight would have prevented”

#4 Deacon10

Deacon10

  • Members
  • 240 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Tampa Area Florida
  • Local time:08:07 AM

Posted 11 January 2009 - 09:21 AM

Hi kathiev,
I would like to know if you still need our support regarding this problem?

Larry
Deacon10

"Hindsight explains the injury that foresight would have prevented”

#5 harrythook

harrythook


  • Security Colleague
  • 4,152 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Philadelphia
  • Local time:08:07 AM

Posted 13 January 2009 - 08:47 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.
All others please read The Preparation Guide before starting your topic.

Veni Vidi Vici
THE FIGHT AGAINST MALWARE

Become a BleepingComputer fan: Facebook




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users