Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Microsoft Edge Bug Exposes Content From Other Sites via HTML5 Audio Tag

Featured Deal: Get 95% off The Complete Raspberry Pi Hacker Bundle Deal

Trojan Horse SHeur2

Started by DarkFox , Mar 25 2009 07:16 PM

This topic is locked

3 replies to this topic

#1 DarkFox

Members
2 posts
OFFLINE

Local time:06:25 PM

Posted 25 March 2009 - 07:16 PM

First time here, I thank you for your time if you came here to help me with my dilemma for something I should have been more careful about. Anyways, I think I started to notice a few days ago when I started using Firefox, a pop up would come out. I thought it was one of the regular ones, but soon found out it wasn't. One thing I noticed after a virus scan was the said viruses, but even after switching Hard Drives to scan for the ones as resources, I have turned up with 3(or more) files that refuse to remove themselves from the PC, they use rundll32.exe to start and I tried to remove them off the registry, but they write themselves back as soon as do. I still have records of the infections, but I have come sorta of to a dead end. I really might not want to resort to reformatting the Hard Drive again, seeing how I did it once before because of performance issues, where would I go from here? A Trojan Downloader Generic8 and Trojan Horse SHeur2 are involved as far as I know:

DDS (Ver_09-03-16.01) - FAT32x86
Run by DarkFoxTails at 23:31:46.31 on Tue 03/24/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.548 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

G:\WINDOWS\system32\Ati2evxx.exe
G:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
G:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
G:\WINDOWS\system32\Ati2evxx.exe
G:\Program Files\AVG\AVG8\avgrsx.exe
SVCHOST.EXE
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
G:\PROGRA~1\AVG\AVG8\avgtray.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
G:\WINDOWS\system32\svchost.exe -k imgsvc
G:\WINDOWS\system32\taskmgr.exe
G:\Program Files\Windows Live\Messenger\msnmsgr.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Program Files\Mozilla Firefox\firefox.exe
G:\Documents and Settings\DarkFoxTails\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - g:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - g:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - g:\program files\avg\avg8\avgssie.dll
BHO: {935cf0b7-eb40-ff78-f124-1139e2ef2b76}: {67b2fe2e-9311-421f-87ff-04be7b0fc539} - g:\windows\system32\izrvmh.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - g:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {a91b24b1-9e18-42ac-8e34-58568d7507a6} - g:\windows\system32\lopivasa.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - g:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - g:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - g:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Aim6]
uRun: [ctfmon.exe] g:\windows\system32\ctfmon.exe
mRun: [StartCCC] "g:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "g:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] g:\progra~1\avg\avg8\avgtray.exe
mRun: [<NO NAME>]
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [Sony Ericsson PC Suite] "g:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [Adobe_ID0EYTHM] g:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [ISUSPM] "g:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
mRun: [Xpulukuwup] rundll32.exe "g:\windows\ojatazal.dll",e
mRun: [CPM16271a57] Rundll32.exe "g:\windows\system32\hozekopo.dll",a
mRun: [47c326a8] rundll32.exe "g:\windows\system32\jaditibi.dll",b
IE: Append to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - g:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - g:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - g:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - g:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - g:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - g:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - g:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: g:\windows\system32\yetugayu.dll g:\windows\system32\rudadiza.dll g:\windows\system32\zorirako.dll izrvmh.dll g:\windows\system32\hozekopo.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - g:\windows\system32\hozekopo.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - g:\windows\system32\hozekopo.dll
LSA: Notification Packages = scecli g:\windows\system32\yetugayu.dll g:\windows\system32\rudadiza.dll g:\windows\system32\zorirako.dll

================= FIREFOX ===================

FF - ProfilePath - g:\docume~1\darkfo~1\applic~1\mozilla\firefox\profiles\bhyz71y7.default\
FF - component: g:\program files\avg\avg8\firefox\components\avgssff.dll
FF - HiddenExtension: XUL Cache: {5F13B4F9-DBC8-4505-8A77-7B8477B1D051} - g:\documents and settings\darkfoxtails\local settings\application data\{5F13B4F9-DBC8-4505-8A77-7B8477B1D051}

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;g:\windows\system32\drivers\avgldx86.sys [2009-2-7 325128]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;g:\windows\system32\drivers\avgmfx86.sys [2009-2-7 27656]
R1 AvgTdiX;AVG Free8 Network Redirector;g:\windows\system32\drivers\avgtdix.sys [2009-2-7 107272]
R2 PD91Agent;PD91Agent;g:\program files\raxco\perfectdisk2008\PD91Agent.exe [2008-1-16 664840]
S2 avg8emc;AVG Free8 E-mail Scanner;g:\progra~1\avg\avg8\avgemc.exe [2009-2-7 903960]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;g:\windows\system32\drivers\bcm42xx5.sys [2009-2-7 54271]
S3 PD91Engine;PD91Engine;g:\program files\raxco\perfectdisk2008\PD91Engine.exe [2008-1-16 894216]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);g:\windows\system32\drivers\s125bus.sys [2009-2-9 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;g:\windows\system32\drivers\s125mdfl.sys [2009-2-9 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;g:\windows\system32\drivers\s125mdm.sys [2009-2-9 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);g:\windows\system32\drivers\s125mgmt.sys [2009-2-9 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;g:\windows\system32\drivers\s125obex.sys [2009-2-9 98696]
S4 avg8wd;AVG Free8 WatchDog;g:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-7 298264]
S4 Viewpoint Manager Service;Viewpoint Manager Service;g:\program files\viewpoint\common\ViewpointService.exe [2009-2-8 24652]

=============== Created Last 30 ================

2009-03-24 23:25 <DIR> --d----- g:\program files\Trend Micro
2009-03-24 11:48 <DIR> --d----- G:\PS3ThemeCreator
2009-03-22 14:39 133,632 a------- g:\windows\ojatazal.dll
2009-03-22 14:17 43 a------- g:\windows\system32\senekaviuxrlxx.dat
2009-03-22 14:16 <DIR> --d-h--- G:\$AVG8.VAULT$
2009-03-22 14:12 5,533 a------- g:\windows\system32\senekajkjiuivk.dat
2009-03-22 13:57 3,333,428 ---sh--- g:\windows\system32\ibitidaj.ini
2009-03-22 13:57 84,992 a--sh--- g:\windows\system32\hozekopo.dll
2009-03-22 13:57 124,928 a--sh--- g:\windows\system32\izrvmh.dll
2009-03-22 13:57 79,872 a--sh--- g:\windows\system32\jaditibi.dll
2009-03-22 13:57 124,928 a--sh--- g:\windows\system32\bisomasu.dll
2009-03-22 11:54 <DIR> --d----- g:\docume~1\darkfo~1\applic~1\nidle
2009-03-22 11:39 11,168 a---h--- g:\windows\system32\hogisoma
2009-03-21 23:24 <DIR> --dsh--- G:\FOUND.004
2009-03-10 12:27 2,789,468 a------- g:\windows\system32\libmmd.dll
2009-03-04 09:50 <DIR> --d----- g:\program files\Havok

==================== Find3M ====================

2009-02-08 12:50 325,128 a------- g:\windows\system32\drivers\avgldx86.sys
2009-02-08 12:50 10,520 a------- g:\windows\system32\avgrsstx.dll
2009-02-08 12:50 107,272 a------- g:\windows\system32\drivers\avgtdix.sys
2009-02-07 19:17 410,984 a------- g:\windows\system32\deploytk.dll
2009-02-07 18:13 499,712 a------- g:\windows\system32\msvcp71.dll
2009-02-07 18:13 348,160 a------- g:\windows\system32\msvcr71.dll
2009-02-07 15:27 86,327 a------- g:\windows\pchealth\helpctr\offlinecache\index.dat
2009-02-07 14:55 21,640 a------- g:\windows\system32\emptyregdb.dat
2009-01-13 23:14 3,455,488 a------- g:\windows\system32\dllcache\ati2mtag.sys
2009-01-13 21:46 11,591,680 a------- g:\windows\system32\atioglxx.dll
2009-01-13 21:05 593,920 -------- g:\windows\system32\ati2sgag.exe
2009-01-13 20:53 286,720 a------- g:\windows\system32\atiok3x2.dll
2009-01-13 20:49 425,984 a------- g:\windows\system32\ATIDEMGX.dll
2009-01-13 20:47 323,584 a------- g:\windows\system32\dllcache\ati2dvag.dll
2009-01-13 20:47 323,584 a------- g:\windows\system32\ati2dvag.dll
2009-01-13 20:36 196,608 a------- g:\windows\system32\atipdlxx.dll
2009-01-13 20:36 151,552 a------- g:\windows\system32\Oemdspif.dll
2009-01-13 20:36 26,112 a------- g:\windows\system32\Ati2mdxx.exe
2009-01-13 20:35 43,520 a------- g:\windows\system32\ati2edxx.dll
2009-01-13 20:35 155,648 a------- g:\windows\system32\ati2evxx.dll
2009-01-13 20:34 598,016 a------- g:\windows\system32\ati2evxx.exe
2009-01-13 20:32 53,248 a------- g:\windows\system32\ATIDDC.DLL
2009-01-13 20:22 4,009,152 a------- g:\windows\system32\dllcache\ati3duag.dll
2009-01-13 20:22 4,009,152 a------- g:\windows\system32\ati3duag.dll
2009-01-13 20:05 2,500,224 a------- g:\windows\system32\dllcache\ativvaxx.dll
2009-01-13 20:05 2,500,224 a------- g:\windows\system32\ativvaxx.dll
2009-01-13 20:05 3,107,788 a------- g:\windows\system32\ativvaxx.dat
2009-01-13 20:05 3,107,788 a------- g:\windows\system32\ativva5x.dat
2009-01-13 20:05 887,724 a------- g:\windows\system32\ativva6x.dat
2009-01-13 19:50 48,640 a------- g:\windows\system32\amdpcom32.dll
2009-01-13 19:45 401,408 a------- g:\windows\system32\atikvmag.dll
2009-01-13 19:44 110,592 a------- g:\windows\system32\atiadlxx.dll
2009-01-13 19:44 17,408 a------- g:\windows\system32\atitvo32.dll
2009-01-13 19:37 307,200 a------- g:\windows\system32\atiiiexx.dll
2009-01-13 19:37 577,536 a------- g:\windows\system32\dllcache\ati2cqag.dll
2009-01-13 19:37 577,536 a------- g:\windows\system32\ati2cqag.dll
2009-01-13 18:36 45,056 a------- g:\windows\system32\amdcalrt.dll
2009-01-13 18:36 45,056 a------- g:\windows\system32\amdcalcl.dll
2009-01-13 18:34 3,227,648 a------- g:\windows\system32\Amdcaldd.dll
2009-01-12 10:16 426,960 a------- g:\windows\system32\TomsMoComp_ff.dll
2009-01-12 10:13 331,461 a------- g:\windows\system32\ff_kernelDeint.dll
2009-01-11 09:36 4,372,954 a------- g:\windows\system32\libavcodec.dll
2009-01-10 14:17 163,840 a------- g:\windows\system32\ts.dll
2009-01-10 14:16 148,480 a------- g:\windows\system32\mkx.dll
2009-01-10 14:16 108,032 a------- g:\windows\system32\avi.dll
2009-01-10 14:16 141,312 a------- g:\windows\system32\mp4.dll
2009-01-10 14:16 335,872 a------- g:\windows\system32\gdsmux.exe
2009-01-10 14:15 120,832 a------- g:\windows\system32\ogm.dll
2009-01-10 14:15 159,744 a------- g:\windows\system32\mmfinfo.dll
2009-01-10 14:15 103,424 a------- g:\windows\system32\dsmux.exe
2009-01-10 14:15 102,400 a------- g:\windows\system32\avss.dll
2009-01-10 14:15 246,784 a------- g:\windows\system32\dxr.dll
2009-01-10 14:15 97,280 a------- g:\windows\system32\avs.dll
2009-01-10 14:15 135,168 a------- g:\windows\system32\mkv2vfr.exe
2009-01-10 14:14 79,360 a------- g:\windows\system32\mkzlib.dll
2009-01-10 14:14 23,552 a------- g:\windows\system32\mkunicode.dll
2009-01-10 07:58 145,609 a------- g:\windows\system32\libmpeg2_ff.dll
2009-01-09 12:03 560,802 a------- g:\windows\system32\libmplayer.dll
2009-01-05 09:53 791,742 a------- g:\windows\system32\xvidcore.dll
2009-01-05 09:53 884,237 a------- g:\windows\system32\ff_x264.dll

============= FINISH: 23:32:17.51 ===============

Attached Files

Attach.txt 11.79KB 1 downloads

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 KoanYorel

Bleepin' Conundrum

Staff Emeritus
19,461 posts
OFFLINE

Gender:Male
Location:65 miles due East of the "Logic Free Zone", in Md, USA
Local time:09:25 PM

Posted 04 April 2009 - 05:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
Double click on the DDS icon, allow it to run.
A small box will open, with an explaination about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K

The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)