Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TR.Vapsup.uvj Trojan Found [Split topic]


  • Please log in to reply
2 replies to this topic

#1 bgonzales999

bgonzales999

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 06 July 2009 - 11:07 PM

I am having the exact same problem except that I am running avira free edition. Also once it picked up C:\Program Files\Google\Google Toolbar\Component\
GoogleToolbarUser_FCDD4C5F33EE805C.exe as the same virus. I scanned with spybot and nothing came up. Finally, when you open the google toolbar or component folder the messages popup and also when I close google chrome.

Split this post and the following 2 from this topic: http://www.bleepingcomputer.com/forums/t/239317/trvapsupuvj-trojan-found/ ~ OB

Edited by Orange Blossom, 07 July 2009 - 10:58 PM.


BC AdBot (Login to Remove)

 


#2 bgonzales999

bgonzales999
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 06 July 2009 - 11:42 PM

This is the message.

Posted Image

Also I just scanned with smitfraudfix but I'm not sure if it picked up anything.
SmitFraudFix v2.423

Scan done at 22:49:30.52, Mon 07/06/2009
Run from C:\Users\Ben\Desktop\SmitfraudFix
OS: Microsoft Windows [Version 6.0.6001] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

 Process

C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\winsersec.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\AERTSrv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\dvd43\DVD43_Tray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\ScanPanel\ScnPanel.exe
C:\Schedule\Apps\Apps\ScheduleChecker.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\taskeng.exe
C:\Users\Ben\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Users\Ben\Desktop\SmitfraudFix\Policies.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\DllHost.exe

 hosts


 C:\


 C:\Windows


 C:\Windows\system


 C:\Windows\Web


 C:\Windows\system32


 C:\Windows\system32\LogFiles


 C:\Users\Ben


 C:\Users\Ben\AppData\Local\Temp


 C:\Users\Ben\Application Data


 Start Menu


 C:\Users\Ben\FAVORI~1


 Desktop


 C:\Program Files 


 Corrupted keys


 Desktop Components
 
 

 o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



 IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



 Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


 VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


 Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


 AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~2\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


 Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

 RK

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]




 DNS

Description: Compact Wireless-G USB Adapter
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2F331FBC-A5CB-4B99-B31B-FF44CA9575E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{40CE5F9C-FAA5-4E0C-8D89-0AC30342F9D3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{43C99CD0-55DE-4F86-BE4E-0D97BA7D9DA8}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7DE770CD-5E9E-4D1D-89A8-2BE553339C24}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2F331FBC-A5CB-4B99-B31B-FF44CA9575E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{40CE5F9C-FAA5-4E0C-8D89-0AC30342F9D3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{43C99CD0-55DE-4F86-BE4E-0D97BA7D9DA8}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7DE770CD-5E9E-4D1D-89A8-2BE553339C24}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2F331FBC-A5CB-4B99-B31B-FF44CA9575E6}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{40CE5F9C-FAA5-4E0C-8D89-0AC30342F9D3}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{43C99CD0-55DE-4F86-BE4E-0D97BA7D9DA8}: DhcpNameServer=143.166.95.37 143.166.6.24
HKLM\SYSTEM\CS2\Services\Tcpip\..\{7DE770CD-5E9E-4D1D-89A8-2BE553339C24}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


 Scanning for wininet.dll infection


 End

used code boxes for ease of reading

Edited by bgonzales999, 06 July 2009 - 11:54 PM.


#3 bgonzales999

bgonzales999
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:18 PM

Posted 07 July 2009 - 03:18 PM

Update also solved the problem for me. Thanks very much.

Edited by Orange Blossom, 07 July 2009 - 10:57 PM.
Delete unnecessary quote. ~ OB





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users