Ahnrpta.exe Trojan, possibly others


1 reply to this topic

#1 YoYoClock

  • Members
  • 1 posts
  • OFFLINE

Posted 22 February 2009 - 07:10 AM

I had a virus called amvo.exe, and I think I manually deleted that, but now I have something called Ahnrpta.exe running quite often; I've googled it and been told it's a trojan. When I open a drive in Windows Explorer, it opens in a new window, which I've read is something to do with the virus. Only today did I try to open OpenOffice Writer, to find that it would not open. Upon trying this with Task Manager open, I could see that Ahnrpta.exe ran every time I tried to open the program. Also, as of yesterday when I boot my computer, just before the log-in screen, I receive a dialog box which takes up about half the screen and has only a few random characters that aren't letters, and an OK button, which I have to press to continue.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Me at 12:00:51.13 on 22/02/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.767.285 [GMT 0:00]


============== Running Processes ===============

I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
I:\WINDOWS\System32\svchost.exe -k netsvcs
I:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\Program Files\Java\jre6\bin\jqs.exe
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\AhnRpta.exe
I:\Program Files\Google\Update\GoogleUpdate.exe
I:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
I:\WINDOWS\system32\slserv.exe
I:\WINDOWS\System32\svchost.exe -k imgsvc
I:\WINDOWS\system32\Ati2evxx.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\taskswitch.exe
I:\WINDOWS\system32\ctfmon.exe
svchost.exe
I:\WINDOWS\system32\wuauclt.exe
I:\WINDOWS\System32\svchost.exe -k HTTPFilter
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\WINDOWS\system32\devldr32.exe
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Me\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
I:\Documents and Settings\Me\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: {00A6FAF1-072E-44cf-8957-5838F569A31D} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - i:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - i:\program files\java\jre6\bin\ssv.dll
BHO: {7e7f168b-0bb1-f95d-2e54-eb458107fb84} - i:\docume~1\trevor\applic~1\manage~1\peak byte.exe
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - i:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - i:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - i:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - i:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] i:\windows\system32\ctfmon.exe
mRun: [EPSON Stylus Photo RX420 Series] i:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O5 "LPT1:" /M "Stylus Photo RX420"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [CoolSwitch] i:\windows\system32\taskswitch.exe
dRun: [CTFMON.EXE] i:\windows\system32\CTFMON.EXE
dRun: [bxproxy] i:\windows\bxproxy.exe
dRun: [cdoosoft] i:\windows\system32\olhrwef.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - i:\program files\aol\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - i:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - i:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - i:\windows\system32\Shdocvw.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///I:/Program%20Files/Hide%20&%20Secret/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/SmileyCentralFWBInitialSetup1.0.0.8-2.cab
DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191770488460
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///I:/Program%20Files/Big%20City%20Adventure/Images/armhelper.ocx
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://playweb18.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} - hxxp://messenger.zone.msn.com/binary/Chess.cab57176.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - i:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - No File
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - i:\windows\system32\WPDShServiceObj.dll
SEH: hook dll rising: {bb4c402f-882a-4526-8c08-51278ea437c1} - i:\windows\system32\afmain0.dll

================= FIREFOX ===================

FF - ProfilePath - i:\docume~1\me\applic~1\mozilla\firefox\profiles\ze6a6o3t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.clockcrew.cc/talk/
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll
FF - plugin: i:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: i:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: i:\documents and settings\me\application data\mozilla\firefox\profiles\ze6a6o3t.default\extensions\yyginstantplay@yoyogames.com\plugins\NPYYGInstantPlay.dll
FF - plugin: i:\program files\google\google updater\2.4.1487.6512\npCIDetect13.dll
FF - plugin: i:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: i:\program files\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: i:\program files\unity\webplayer\loader\npUnity3D32.dll

============= SERVICES / DRIVERS ===============

R1 vcdrom;Virtual CD-ROM Device Driver;i:\windows\system32\drivers\VCdRom.sys [2001-12-19 8576]
R2 EAPPkt;Realtek EAPPkt Protocol;i:\windows\system32\drivers\EAPPkt.sys [2008-4-18 66048]
S2 gupdate1c99205675d110;Google Update Service (gupdate1c99205675d110);i:\program files\google\update\GoogleUpdate.exe [2009-2-18 133104]
S3 EL910;3Com 3CSOHO100B-TX PCI;i:\windows\system32\drivers\EL910N51.sys [2004-10-27 38400]
S3 gUSBSTOi;gUSBSTOi;\??\i:\docume~1\julie\locals~1\temp\gusbstoi.sys --> i:\docume~1\julie\locals~1\temp\gUSBSTOi.sys [?]
S3 phil2vid;Philips USB VGA Camera;i:\windows\system32\drivers\philcam2.sys [2006-12-31 173696]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;i:\windows\system32\drivers\wg111v2.sys --> i:\windows\system32\drivers\wg111v2.sys [?]
S3 se3ebus;Sony Ericsson Device 062 (WDM);i:\windows\system32\drivers\se3ebus.sys [2008-8-21 83080]
S3 se3emdfl;Sony Ericsson Device 062 USB WMC Modem Filter;i:\windows\system32\drivers\se3emdfl.sys [2008-8-21 15112]
S3 se3emdm;Sony Ericsson Device 062 USB WMC Modem Driver;i:\windows\system32\drivers\se3emdm.sys [2008-8-21 108552]
S3 se3emgmt;Sony Ericsson Device 062 USB WMC Device Management Drivers (WDM);i:\windows\system32\drivers\se3emgmt.sys [2008-8-21 100360]
S3 se3eobex;Sony Ericsson Device 062 USB WMC OBEX Interface;i:\windows\system32\drivers\se3eobex.sys [2008-8-21 98568]
S3 SjyPkt;SjyPkt;i:\windows\system32\drivers\SjyPkt.sys [2008-4-18 13532]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-21 20:18 <DIR> --d----- i:\docume~1\alluse~1\applic~1\SITEguard
2009-02-21 20:16 <DIR> --d----- i:\program files\common files\iS3
2009-02-21 20:16 <DIR> --d----- i:\docume~1\alluse~1\applic~1\STOPzilla!
2009-02-21 20:06 <DIR> --d----- i:\program files\Trend Micro
2009-02-21 13:52 107,796 ---shr-- I:\2fiy.bat
2009-02-20 10:57 106,970 ---shr-- I:\w2.com
2009-02-18 16:36 54,156 a---h--- i:\windows\QTFont.qfn
2009-02-18 16:36 1,409 a------- i:\windows\QTFont.for
2009-02-17 16:10 106,861 ---shr-- I:\cv22.cmd
2009-02-17 09:58 107,564 ---shr-- I:\hyetn1i.exe
2009-02-16 17:33 <DIR> --d----- i:\program files\Devkitpro
2009-02-15 23:53 <DIR> --d----- i:\program files\Sun
2009-02-15 23:48 <DIR> --d----- i:\documents and settings\me\.SunDownloadManager
2009-02-15 10:04 106,803 ---shr-- I:\qphdin.com
2009-02-14 15:17 69,120 a------- i:\windows\AhnRpta.exe
2009-02-13 20:08 107,796 ---shr-- i:\windows\system32\olhrwef.exe
2009-02-13 19:52 <DIR> --d----- I:\RegUnlocker Backups
2009-02-13 00:14 107,898 ---shr-- I:\ur0.com
2009-02-12 23:52 <DIR> --d----- i:\docume~1\me\applic~1\OpenOffice.org
2009-02-12 23:29 <DIR> --d----- i:\program files\OpenOffice.org 3
2009-02-10 15:42 108,067 ---shr-- I:\opgde.exe
2009-02-10 12:26 109,006 ---shr-- I:\2aaxaiy.exe
2009-02-08 20:43 91,648 -------- i:\windows\system32\nmdfgds0.dll
2009-02-07 14:48 107,874 ---shr-- I:\1utbfd.bat
2009-02-07 12:15 106,295 ---shr-- I:\ioockw.bat
2009-02-07 12:14 89,600 ---shr-- i:\windows\system32\optyhww1.dll
2009-02-06 13:47 108,562 ---shr-- I:\m0vnonh.bat
2009-02-03 19:14 106,827 ---shr-- I:\ft96s.exe
2009-02-03 14:41 108,836 ---shr-- I:\pook.com
2009-02-02 09:08 106,771 ---shr-- I:\jr6.com
2009-02-01 20:49 <DIR> --d----- i:\program files\SetupGplBarb
2009-02-01 20:44 109,930 ---shr-- I:\a2h2.com
2009-01-30 14:59 109,127 ---shr-- I:\hl80c6b1.com
2009-01-30 13:01 108,861 ---shr-- I:\8.bat
2009-01-29 19:09 <DIR> --d----- i:\program files\Macromedia
2009-01-29 14:35 91,648 ---shr-- i:\windows\system32\nmdfgds2.dll
2009-01-25 20:27 106,648 ---shr-- I:\x.cmd
2009-01-23 19:27 108,512 ---shr-- I:\uvsqfgwd.cmd
2009-01-23 15:35 105,335 ---shr-- I:\imo.exe

==================== Find3M ====================

2009-02-21 13:52 91,648 ---shr-- i:\windows\system32\nmdfgds1.dll
2009-02-12 00:55 121,662 ---shr-- i:\windows\system32\amvo.exe
2009-02-12 00:54 106,295 ---shr-- i:\windows\system32\urretnd.exe
2009-02-11 16:06 84,992 ---shr-- i:\windows\system32\cvnmhg0.dll
2009-02-09 18:34 89,600 ---shr-- i:\windows\system32\optyhww0.dll
2009-01-22 22:39 107,882 ---shr-- I:\w98.com
2009-01-22 15:43 84,992 ---shr-- i:\windows\system32\cvnmhg1.dll
2009-01-21 11:20 108,869 ---shr-- I:\gy.exe
2009-01-19 22:57 106,526 ---shr-- I:\gfqgq.cmd
2009-01-19 22:48 104,907 ---shr-- I:\v63enh.exe
2009-01-07 21:34 121,662 ---shr-- I:\wqesvxa.exe
2009-01-06 14:03 7,819 a------- i:\windows\system32\k86.bin
2009-01-05 22:36 143,349 a------- i:\windows\system32\adrnln.bin
2009-01-05 21:18 10,312 a------- i:\windows\system32\d3d9caps.dat
2008-12-20 23:15 826,368 a------- i:\windows\system32\wininet.dll
2008-12-14 17:22 346,112 a------- I:\Default.dll
2008-11-25 15:44 410,976 a------- i:\windows\system32\deploytk.dll
2008-06-16 23:32 604 a---h--- i:\program files\STLL Notifier

============= FINISH: 12:01:42.98 ===============

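As an added illustration (not from either post, and not DDS output), this Python snippet parses lines in the format of the DDS "Created Last 30" / "Find3M" sections above and applies three simple triage heuristics: system+hidden attribute flags on an executable, an executable sitting at the drive root, and an executable created directly under the Windows directory. The heuristics are the editor's own assumptions; the sample lines are copied from the log.

```python
import re

# Constructed sample: lines copied from the DDS "Created Last 30" / "Find3M" sections above.
DDS_FILE_LINES = """\
2009-02-21 13:52 107,796 ---shr-- I:\\2fiy.bat
2009-02-18 16:36 1,409 a------- i:\\windows\\QTFont.for
2009-02-14 15:17 69,120 a------- i:\\windows\\AhnRpta.exe
2009-02-13 20:08 107,796 ---shr-- i:\\windows\\system32\\olhrwef.exe
2009-02-13 19:52 <DIR> --d----- I:\\RegUnlocker Backups
2008-12-20 23:15 826,368 a------- i:\\windows\\system32\\wininet.dll""".splitlines()

# Fields: <date> <time> <size or <DIR>> <8 attribute flags, e.g. ---shr--> <path>
LINE_RE = re.compile(r"^(\S+ \S+)\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$")
EXEC_EXT = {"exe", "com", "bat", "cmd", "scr", "pif", "dll"}

def parse_entry(line):
    """Split one DDS file line into its fields; None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when, size, attrs, path = m.groups()
    return {"when": when, "size": size, "attrs": attrs, "path": path}

def triage(entry):
    """Heuristic reasons (editor's own, not DDS output) an entry looks like a dropper."""
    path, attrs = entry["path"], entry["attrs"]
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if "d" in attrs or ext not in EXEC_EXT:
        return []                               # directories and data files: not scored
    reasons = []
    if "s" in attrs and "h" in attrs:           # system+hidden, as on every ---shr-- drop
        reasons.append("hidden+system executable")
    if re.fullmatch(r"[A-Za-z]:\\[^\\]+", path):
        reasons.append("executable at drive root")   # where autorun-style copies land
    if re.fullmatch(r"[A-Za-z]:\\windows\\[^\\]+", path, re.IGNORECASE):
        reasons.append("executable directly under Windows dir")
    return reasons

def flag_lines(lines):
    """Map each suspicious path to its reasons, skipping lines that do not parse."""
    flagged = {}
    for line in lines:
        entry = parse_entry(line)
        reasons = triage(entry) if entry else []
        if reasons:
            flagged[entry["path"]] = reasons
    return flagged

if __name__ == "__main__":
    print(flag_lines(DDS_FILE_LINES))
```

Legitimate files such as wininet.dll in system32 and the QTFont data file score nothing, while the ---shr-- drops and the AhnRpta.exe the poster asked about are surfaced with the reason they were flagged.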




 


#2 shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost

Posted 03 March 2009 - 06:48 PM

Hi YoYoClock,

You have malware. I would use this machine as little as possible until it is clean, and when not in use pull the plug so there is no internet connectivity. And no personal/financial info.

Still need help? We will get a download to use first, then you can do an online scan.

The download:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* A restart may be required to finish the clean-up process.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Please post the MBAM log in your reply.

After the reboot, do the online scan here and post its log also:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.

How Can I Reduce My Risk to Malware?




