Multiple Trojans detected and can't install Spy/Malware removers!


  • This topic is locked
4 replies to this topic

#1 ShenanigansOKeefe

  • Members
  • 2 posts

Posted 01 May 2009 - 03:33 AM

Hi, I'm pretty sure I've got a serious Spyware/Malware problem, which I was alerted to when I was unable to run Spybot S&D, or install new AV programs. I've checked all processes running via my task manager at the FileResearchCenter database, and sure enough some of them are coming up as being potential Trojans.

Other than being unable to install new anti-virus programs, there's only one obvious problem with my computer--every ten or so minutes, it makes a "click" noise (as if I had clicked a link, or opened a folder in explorer), and goes to desktop, making any open windows inactive and minimizing any full-screen applications to the taskbar... Needless to say this is infinitely irritating.

Anyway... Thanks in advance for taking the time to look at this. Here's the DDS log, and Attach.txt is attached.


DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 20:14:45.93 on Fri 05/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3582.2596 [GMT 12:00]

AV: AVG 7.5.557 *On-access scanning enabled* (Updated)
AV: ESET NOD32 antivirus system 2.70 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\atwtusb.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
C:\Program Files\Echovoice\Gamer Statistics\G15 Echovoice Gamer Statistics.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\WINDOWS\Philips\SPC500NC\Monitor.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Owner\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\lcdmon.exe"
mRun: [Launch LGDCore] "c:\program files\common files\logitech\g-series software\LGDCore.exe" /SHOWHIDE
mRun: [Echovoice Gamer Statistics] c:\program files\echovoice\gamer statistics\G15 Echovoice Gamer Statistics.exe
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [SPC500NC_Monitor] c:\windows\philips\spc500nc\Monitor.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\magicd~1.lnk - c:\program files\magicdisc\MagicDisc.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\2op19epv.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\2op19epv.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\bdqscan.dll
FF - plugin: c:\documents and settings\all users\application data\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\2op19epv.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\2op19epv.default\extensions\battlefieldheroespatcher@ea.com\platform\winnt_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-28 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-28 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-28 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-28 10760]
R2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-28 418816]
R2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-28 49664]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\common files\realtime soft\ultramonmirrordrv\x32\UltraMonUtility.sys [2006-9-24 11776]
R2 WTService;WTService;c:\windows\system32\atwtusb.exe [2008-12-25 360096]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [2006-9-24 3584]
S2 gupdate1c99673203bdaae;Google Update Service (gupdate1c99673203bdaae);c:\program files\google\update\GoogleUpdate.exe [2009-2-24 133104]
S3 SPC500NC;SPC 500NC Laptop Camera;c:\windows\system32\drivers\SPC610NC.SYS [2008-8-29 409728]

=============== Created Last 30 ================

2009-05-01 19:45 <DIR> --d----- c:\docume~1\owner\applic~1\QuickScan
2009-04-19 22:10 664 a------- c:\windows\system32\d3d9caps.dat
2009-04-15 14:02 56 ---shr-- c:\windows\system32\6BAF6200E0.sys
2009-04-15 14:01 2,150 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-04-11 20:40 116,736 a------- c:\windows\system32\drivers\mcdbus.sys
2009-04-11 20:40 <DIR> --d----- c:\program files\MagicDisc
2009-04-10 19:52 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-04-09 14:42 <DIR> --d----- c:\program files\Fog Creek Software
2009-04-08 20:41 <DIR> --d----- c:\program files\Free Fire Screensaver
2009-04-08 20:41 <DIR> --d----- c:\docume~1\owner\applic~1\Laconic Software
2009-04-08 20:39 197,120 a------- c:\windows\system32\System47.scr
2009-04-08 20:39 <DIR> --d----- c:\windows\system32\System47 dir
2009-04-08 13:06 <DIR> --d----- c:\program files\Fox
2009-04-08 13:05 21,840 a------t c:\windows\system32\SIntfNT.dll
2009-04-08 13:05 17,212 a------t c:\windows\system32\SIntf32.dll
2009-04-08 13:05 12,067 a------t c:\windows\system32\SIntf16.dll

==================== Find3M ====================

2009-04-19 22:10 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-03-17 12:50 157,422 a------- c:\windows\hpoins29.dat
2009-03-07 02:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-04 11:15 22,328 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-03-04 11:15 22,328 a------- c:\docume~1\owner\applic~1\PnkBstrK.sys
2009-03-04 11:14 107,832 a------- c:\windows\system32\PnkBstrB.exe
2009-03-04 11:14 2,246,144 a------- c:\windows\system32\pbsvc.exe
2009-03-04 11:14 66,872 a------- c:\windows\system32\PnkBstrA.exe
2009-03-03 12:18 826,368 a------- c:\windows\system32\wininet.dll
2009-02-23 10:55 2,560 a------- c:\windows\_MSRSTRT.EXE
2009-02-21 06:09 78,336 a------- c:\windows\system32\ieencode.dll
2009-02-10 00:10 729,088 a------- c:\windows\system32\lsasrv.dll
2009-02-10 00:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-10 00:10 617,472 a------- c:\windows\system32\advapi32.dll
2009-02-10 00:10 401,408 a------- c:\windows\system32\rpcss.dll
2009-02-09 23:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-06 23:11 110,592 a------- c:\windows\system32\services.exe
2009-02-06 23:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
2009-02-06 22:39 35,328 a------- c:\windows\system32\sc.exe
2009-02-06 22:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
2009-02-04 17:57 11,702,272 a------- c:\windows\system32\atioglxx.dll
2009-02-04 17:03 290,816 a------- c:\windows\system32\atiok3x2.dll
2009-02-04 16:56 442,368 a------- c:\windows\system32\ATIDEMGX.dll
2009-02-04 16:55 324,096 a------- c:\windows\system32\ati2dvag.dll
2009-02-04 16:44 196,608 a------- c:\windows\system32\atipdlxx.dll
2009-02-04 16:44 155,648 a------- c:\windows\system32\Oemdspif.dll
2009-02-04 16:43 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2009-02-04 16:43 43,520 a------- c:\windows\system32\ati2edxx.dll
2009-02-04 16:43 155,648 a------- c:\windows\system32\ati2evxx.dll
2009-02-04 16:41 602,112 a------- c:\windows\system32\ati2evxx.exe
2009-02-04 16:40 53,248 a------- c:\windows\system32\ATIDDC.DLL
2009-02-04 16:30 3,884,768 a------- c:\windows\system32\ati3duag.dll
2009-02-04 16:14 2,645,504 a------- c:\windows\system32\ativvaxx.dll
2009-02-04 15:58 49,664 a------- c:\windows\system32\amdpcom32.dll
2009-02-04 15:54 471,040 a------- c:\windows\system32\atikvmag.dll
2009-02-04 15:53 122,880 a------- c:\windows\system32\atiadlxx.dll
2009-02-04 15:52 17,408 a------- c:\windows\system32\atitvo32.dll
2009-02-04 15:46 626,688 a------- c:\windows\system32\ati2cqag.dll
2009-02-04 15:44 307,200 a------- c:\windows\system32\atiiiexx.dll
2009-02-04 14:43 45,056 a------- c:\windows\system32\aticalrt.dll
2009-02-04 14:42 45,056 a------- c:\windows\system32\aticalcl.dll
2009-02-04 14:40 3,244,032 a------- c:\windows\system32\aticaldd.dll
2009-02-04 07:59 56,832 a------- c:\windows\system32\secur32.dll
2009-02-03 20:05 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-10-01 17:05 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100120081002\index.dat

============= FINISH: 20:15:45.76 ===============


Again, thank you for your time.

Edited by ShenanigansOKeefe, 01 May 2009 - 03:34 AM.
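The post above checks the running-process list by hand against an online database. A faster first pass over a DDS log of this shape is to parse its sections and flag the entries that deserve a closer look: files dropped into system32 with both the hidden and system attributes set (as the two recent .sys files in the "Created Last 30" section above have), and processes running from a user-writable profile directory. The script below is an added example written for this page, not code from the original post or from the DDS tool; the log excerpt it parses is constructed in the post's format, and the two flagging heuristics are the editor's own assumptions. A hit is a prompt for manual review, not a verdict: the thread itself never established what those two hidden files were, and the user's own dds.com on the Desktop is flagged by the same rule.

```python
"""Triage a DDS log: flag hidden+system files created under system32 and
processes whose image lives in a user profile directory (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt in the DDS log format used in the post (not a real capture).
SAMPLE_DDS_LOG = """\
============== Running Processes ===============

C:\\WINDOWS\\system32\\svchost -k DcomLaunch
C:\\PROGRA~1\\Grisoft\\AVG7\\avgamsvr.exe
C:\\WINDOWS\\system32\\atwtusb.exe
C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe
C:\\Documents and Settings\\Owner\\Desktop\\dds.com

=============== Created Last 30 ================

2009-05-01 19:45 <DIR> --d----- c:\\docume~1\\owner\\applic~1\\QuickScan
2009-04-15 14:02 56 ---shr-- c:\\windows\\system32\\6BAF6200E0.sys
2009-04-15 14:01 2,150 a--sh--- c:\\windows\\system32\\KGyGaAvL.sys
2009-04-08 20:39 197,120 a------- c:\\windows\\system32\\System47.scr

==================== Find3M ====================
"""

# Section banners look like "===== Name =====".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Created/Find3M entries: date time size-or-<DIR> eight-letter-attributes path.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([a-z-]{8})\s+(.+)$"
)


@dataclass
class CreatedEntry:
    timestamp: str
    size: int | None   # None for directories
    attrs: str         # DDS attribute letters as printed, e.g. "a--sh---"
    path: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs


def parse_sections(text: str) -> dict[str, list[str]]:
    """Split the log into sections keyed by banner name; blank lines dropped."""
    sections: dict[str, list[str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line.rstrip())
    return sections


def parse_created_entries(lines: list[str]) -> list[CreatedEntry]:
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append(CreatedEntry(ts, None if size == "<DIR>" else int(size.replace(",", "")), attrs, path))
    return entries


def find_hidden_system_files(entries: list[CreatedEntry], root: str = "\\windows\\system32\\") -> list[str]:
    """Files (not directories) newly created under system32 with hidden AND
    system attributes: legitimate software rarely needs both; droppers often do."""
    return [e.path for e in entries
            if not e.is_dir and e.hidden and e.system and root in e.path.lower()]


def find_user_profile_processes(lines: list[str],
                                markers: tuple[str, ...] = ("\\documents and settings\\", "\\users\\")) -> list[str]:
    """Processes whose image sits in a user-writable profile directory. Browsers
    and tools the user launched land here too, so every hit needs a human look."""
    return [p for p in lines if any(m in p.lower() for m in markers)]


def triage(text: str) -> dict[str, list[str]]:
    sections = parse_sections(text)
    created = parse_created_entries(sections.get("Created Last 30", []))
    return {
        "hidden_system_in_system32": find_hidden_system_files(created),
        "user_profile_processes": find_user_profile_processes(sections.get("Running Processes", [])),
    }


if __name__ == "__main__":
    for finding, hits in triage(SAMPLE_DDS_LOG).items():
        print(finding)
        for hit in hits:
            print("   ", hit)
```

Run against the posted log, the same two rules would surface 6BAF6200E0.sys and KGyGaAvL.sys from the "Created Last 30" section and the Chrome and dds.com processes from the user's profile; the Chrome and dds.com hits are expected, which is why the output is a review list rather than a detection.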



#2 Baabiouz
    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 14 May 2009 - 11:14 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

Thanks, and again sorry for the delay.

Before we can continue, please post a fresh DDS log back here :thumbup2:

#3 ShenanigansOKeefe
  • Topic Starter

  • Members
  • 2 posts

Posted 17 May 2009 - 07:53 PM

    Hello

    Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
    If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following so I can have a look at the current condition of your machine.

    Thanks, and again sorry for the delay.

    Before we can continue, please post a fresh DDS log back here :thumbup2:

Thanks Baabiouz, but the problem has been resolved. I ended up just formatting the drive and installing Windows 7... Works like a charm now!

#4 Baabiouz
    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 18 May 2009 - 07:55 AM

Ok. Thanks :thumbup2:

#5 Baabiouz
    Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 26 May 2009 - 10:32 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.