
Trojan Horse Generic 13 infection


This topic is locked
2 replies to this topic

#1 Bizub4

  • Members
  • 2 posts

Posted 07 July 2009 - 02:03 PM

Hey, first off I am having trouble with a Trojan Horse. I have AVG Anti-virus and the scans are saying I have Trojan Horse Generic 13.BSOI and .ATPH. I also have the fake pop-ups in the system task bar and a "System Security" popup scan that tries to run when I start up the computer. I am also getting Security Center Alerts asking about blocking suspicious software with just "enable protection" selectable and "Keep Blocking" and "unblock" grayed out. I can not connect to the internet from that computer so I can't get a log up, but I will when I can.

Now I got on the infected computer and can get the DDS file, here it is:
Any help will be gratefully enjoyed!


DDS (Ver_09-06-26.01) - NTFSx86
Run by wwb at 14:45:31.29 on Tue 07/07/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1015 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\TEMP\VRT3.tmp
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\wwb\Application Data\sdra64.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\DOCUME~1\wwb\LOCALS~1\Temp\b.exe
C:\WINDOWS\msb.exe
C:\WINDOWS\system32\wscsvc32.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ActivIdentity\ActivClient\accrdsub.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\windows\ld12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\WINDOWS\TEMP\jlp0nqtp.exe
C:\WINDOWS\TEMP\jlp0nqtp.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
svchost.exe
C:\Program Files\ActivIdentity\ActivClient\acsagent.exe
C:\WINDOWS\TEMP\jlp0nqtp.exe
C:\WINDOWS\TEMP\jlp0nqtp.exe
C:\WINDOWS\TEMP\jlp0nqtp.exe
C:\WINDOWS\TEMP\jlp0nqtp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
svchost.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
svchost.exe
svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
svchost.exe
C:\WINDOWS\TEMP\VRT3.tmp
svchost.exe
C:\Documents and Settings\wwb\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://hamptonroads.com/
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\documents and settings\wwb\application data\sdra64.exe,
BHO: c:\windows\system32\grffr83hn.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\grffr83hn.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: The Weather Channel Toolbar: {2e5e800e-6ac0-411e-940a-369530a35e43} - c:\windows\system32\TwcToolbarIe7.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [DW6] "c:\program files\the weather channel fw\desktop\DesktopWeather.exe"
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [Cognac] c:\docume~1\wwb\locals~1\temp\b.exe
uRun: [<NO NAME>] c:\windows\temp\jlp0nqtp.exe
uRun: [hsf7husjnfg98gi498aejhiugjkdg4] c:\windows\temp\jlp0nqtp.exe
uRun: [Windows System Recover!] c:\docume~1\wwb\locals~1\temp\system.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [accrdsub] "c:\program files\actividentity\activclient\accrdsub.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [19983124] c:\documents and settings\all users\application data\19983124\19983124.exe
mRun: [sysldtray] c:\windows\ld12.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\activc~1.lnk - c:\program files\actividentity\activclient\acsagent.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\iwsuse~1.lnk - c:\program files\infoworkspace\LaunchInstall.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
uPolicies-explorer: NoFolderOptions = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2E5E800E-6AC0-411E-940A-369530A35E43} - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1230725364438
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232034748343
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: ackpbsc - c:\windows\system32\ackpbsc.dll
Notify: acunlock - c:\program files\actividentity\activclient\acunlock.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\grffr83hn.dll: {d76ab2a1-00f3-42bd-f434-00bbc39c8953} - c:\windows\system32\grffr83hn.dll
LSA: Authentication Packages = msv1_0 nwprovau

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-2-28 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-2-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-2-28 108552]
R2 avg8wd;avg8wd;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-28 298776]
R2 McAfeeFramework;McAfeeFramework;c:\program files\mcafee\common framework\FrameworkService.exe [2007-1-25 103744]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2009-2-18 88192]
S1 drvdrv;drvdrv;\??\c:\program files\drvdrv.sys --> c:\program files\drvdrv.sys [?]
S1 mferkdk;VSCore mferkdk;\??\c:\program files\mcafee\virusscan enterprise\mferkdk.sys --> c:\program files\mcafee\virusscan enterprise\mferkdk.sys [?]
S2 acachsrv;acachsrv;c:\windows\temp\VRT3.tmp [2009-7-7 12800]
S2 acautoup;acautoup;c:\program files\actividentity\activclient\acautoup.exe [2006-9-28 46592]
S2 accoca;accoca;c:\program files\actividentity\activclient\accoca.exe [2006-9-28 149504]
S2 drv;drv;c:\windows\system32\svchost.exe -k drv [2004-8-12 34304]
S3 actccid;ActivCard USB Reader V2;c:\windows\system32\drivers\actccid.sys [2002-8-2 47660]
S3 cmeu0wdm;CardMan 2020;c:\windows\system32\drivers\cmeu0wdm.sys [2005-5-23 43737]
S3 OMNUSB;Omnikey AG CardMan 2020 USB Smart Card Reader;c:\windows\system32\drivers\sccmusbm.sys [2008-12-31 23936]
S3 SCR3XX2K;SCR3xx USB SmartCardReader;c:\windows\system32\drivers\SCR3XX2K.sys [2007-10-17 56448]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 hClient;hClient;c:\program files\citadel\hercules\client\hercclient.exe --> c:\program files\citadel\hercules\client\HercClient.exe [?]
S4 hValidator;hValidator;c:\program files\citadel\hercules\client\hercvalidator.exe --> c:\program files\citadel\hercules\client\HercValidator.exe [?]

=============== Created Last 30 ================

2009-07-07 14:28 409,088 a------- c:\windows\system32\cmd.execf
2009-07-07 12:20 0 a------- c:\windows\system32\8D.tmp
2009-07-07 12:14 6,144 a--sh--- c:\windows\system32\Thumbs.db
2009-07-07 12:03 <DIR> --d----- c:\windows\pss
2009-07-07 11:42 0 a------- c:\windows\system32\7D.tmp
2009-07-07 11:38 0 a------- c:\windows\system32\70.tmp
2009-07-07 11:37 0 a------- c:\windows\system32\6E.tmp
2009-07-07 11:09 40,960 a------- c:\windows\ld12.exe
2009-07-04 21:42 0 a------- c:\windows\system32\256.tmp
2009-07-04 21:35 0 a------- c:\windows\system32\254.tmp
2009-07-04 21:31 0 a------- c:\windows\system32\253.tmp
2009-07-04 21:15 1 a------- c:\windows\934fdfg34fgjf23
2009-07-04 21:15 2 a------- c:\windows\0101120101464849.dat
2009-07-04 21:15 2 a------- c:\windows\010112010146118114.dat
2009-07-04 17:12 0 a------- c:\windows\system32\40.tmp
2009-07-04 17:11 0 a------- c:\windows\system32\3C.tmp
2009-07-04 16:57 740,864 a------- c:\windows\system32\wscsvc32.exe
2009-07-04 16:57 257,536 a------- c:\windows\system32\resdll.dll
2009-07-04 16:57 142,848 a------- c:\windows\msb.exe
2009-07-04 16:56 0 a------- c:\windows\system32\23D.tmp
2009-07-04 16:56 40 a------- c:\windows\system32\239.tmp
2009-07-04 16:56 209,412 a------- c:\windows\system32\msxml71.dll
2009-07-04 16:56 15,000 a------- c:\windows\system32\grffr83hn.dll
2009-07-04 16:56 361,344 a------- c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL
2009-07-04 16:56 142,848 a------- c:\windows\msa.exe
2009-07-04 16:56 <DIR> --dsh--- c:\docume~1\wwb\applic~1\lowsec
2009-07-04 16:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\19983124
2009-07-03 19:18 <DIR> --dsh--- c:\documents and settings\wwb\IECompatCache
2009-07-02 22:04 3,247 a------- c:\windows\system32\wbem\Outlook_01c9fb82a0516e42.mof
2009-07-01 19:21 <DIR> --d----- c:\program files\PokerStars
2009-07-01 12:29 <DIR> --d----- c:\windows\ie8updates
2009-06-30 10:16 <DIR> --dsh--- c:\documents and settings\wwb\PrivacIE
2009-06-30 10:14 <DIR> --d----- C:\ProgramData
2009-06-30 10:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-06-30 10:12 447,752 a----r-- c:\windows\system32\vp6vfw.dll
2009-06-30 10:12 <DIR> --d----- c:\program files\Microsoft WSE
2009-06-30 09:15 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-30 09:15 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-29 10:38 <DIR> --dsh--- c:\documents and settings\wwb\IETldCache
2009-06-29 10:26 <DIR> -cd-h--- c:\windows\ie8
2009-06-26 19:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar

==================== Find3M ====================

2009-07-07 11:37 32,768 a------- c:\windows\system32\locator.exe
2009-07-07 11:28 32,768 a------- c:\windows\system32\msdtc.exe
2009-06-26 19:06 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-26 19:06 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-21 21:13 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-02-09 08:10 350,720 a----r-- c:\docume~1\wwb\applic~1\sdra64.exe

============= FINISH: 14:48:45.31 ===============

Merged posts. ~ OB

Edited by Orange Blossom, 08 July 2009 - 10:36 PM.
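The log above contains the entries a responder reads first: a Winlogon Userinit value with a second executable chained after userinit.exe, Run keys pointing into %TEMP%, and a service whose binary is a .tmp file in c:\windows\temp. The following is an added triage helper, written for this thread and not part of DDS or of the original post. It parses a handful of constructed lines modelled on the log (with the backslash path separators DDS prints; the forum copy lost them) and flags the persistence entries whose targets live in temp or profile directories, plus any executable chained to Userinit. The regexes and the directory fragments it treats as suspicious are assumptions of this example, not DDS output conventions.

```python
"""Triage helper for the autostart section of a DDS log.

Added example for this thread; it is not part of DDS or of the original post.
It flags Winlogon Userinit entries chained to an extra executable, and Run keys
or services whose target lives in a temp or per-user profile directory.
"""
import re

# Constructed sample, modelled on entries quoted in the log above.
SAMPLE_LOG = """\
mWinlogon: Userinit=c:\\windows\\system32\\userinit.exe,c:\\documents and settings\\wwb\\application data\\sdra64.exe,
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [EA Core] "c:\\program files\\electronic arts\\eadm\\Core.exe" -silent
uRun: [Cognac] c:\\docume~1\\wwb\\locals~1\\temp\\b.exe
uRun: [<NO NAME>] c:\\windows\\temp\\jlp0nqtp.exe
uRun: [Windows System Recover!] c:\\docume~1\\wwb\\locals~1\\temp\\system.exe
mRun: [<NO NAME>]
mRun: [AVG8_TRAY] c:\\progra~1\\avg\\avg8\\avgtray.exe
R2 avg8wd;avg8wd;c:\\progra~1\\avg\\avg8\\avgwdsvc.exe [2009-2-28 298776]
S2 acachsrv;acachsrv;c:\\windows\\temp\\VRT3.tmp [2009-7-7 12800]
"""

# Directory fragments (assumed heuristic) that legitimate autostart targets rarely live in.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\applic~1\\", "\\locals~1\\")

# uRun/mRun lines: [name] optionally-quoted path, optional trailing switches.
RUN_RE = re.compile(r'^[um]Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?)"?(?: [/-]\S+)*$', re.I)
# Service/driver lines: R1/S2 etc.; name;description;path [date size]
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>[^\[]+?)\s*\[", re.I)
USERINIT_RE = re.compile(r"^mWinlogon: Userinit=(?P<value>.*)$", re.I)


def is_suspicious_path(path):
    """True when an autostart target sits in a temp or per-user profile directory."""
    p = path.lower()
    return any(frag in p for frag in SUSPICIOUS_DIRS)


def userinit_extras(value):
    """Return executables chained after the legitimate userinit.exe (normally none)."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if not e.lower().endswith("\\system32\\userinit.exe")]


def scan_hjt_report(text):
    """Return (kind, name, path, reason) tuples for entries worth a closer look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group("value")):
                findings.append(("Winlogon", "Userinit", extra,
                                 "extra executable chained to Userinit"))
            continue
        for kind, rx in (("Run", RUN_RE), ("Service", SERVICE_RE)):
            m = rx.match(line)
            if m and is_suspicious_path(m.group("path")):
                findings.append((kind, m.group("name"), m.group("path").strip(),
                                 "autostart target in a temp or profile directory"))
                break
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in scan_hjt_report(SAMPLE_LOG):
        print(f"{kind:8} {name!r:34} {path}  <- {reason}")
```

Run against the sample it reports five entries: the sdra64.exe chained to Userinit, the three uRun keys in the user's temp folder, and the acachsrv service backed by VRT3.tmp. The directory heuristic deliberately does not fire on executables dropped directly into c:\windows (ld12.exe, msa.exe, msb.exe in the log), because that directory also holds legitimate binaries such as Explorer.EXE; those still need a human eye, which is why the "Created Last 30" section of a DDS log matters as much as the autostart entries.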



#2 etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 July 2009 - 06:06 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#3 teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 22 July 2009 - 09:23 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?