
infected with trojan horse.


  • This topic is locked
2 replies to this topic

#1 boldoo

  • Members
  • 1 posts

Posted 29 December 2009 - 01:09 PM

Hi,

It is a Symantec AntiVirus notification that pops up every 5 seconds. It says:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Trojan Horse
File: C:\WINDOWS\TEMP\vqes.tmp\svchost.exe
Location: Quarantine
Computer: BOLDOO-PERSONAL
User: SYSTEM
Action taken: Quarantine succeeded : Access denied
Date found: Wednesday, December 30, 2009 1:59:30 AM

Please help me get rid of these notifications. Now it says total notifications: 10, and only the file locations are different; the rest is the same.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Boldoo at 1:36:24.95 on Wed 12/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.478.179 [GMT 8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
svchost.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
svchost.exe "C:\WINDOWS\system32\actmoviea.exe"
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Boldoo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Boldoo\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.mywebsearch.com/mywebsearch/default.jhtml?ptnrS=GRfox000&ptb=vEfk1q5LwfcZd8mMnVB8ig
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Babylon: {965b54b0-71e0-4611-8de7-f73fa0b20e26} - c:\program files\babylon\babylon toolbar\BabylonIEToolBar.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Google Update] "c:\documents and settings\boldoo\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
dRun: [imPlayok] c:\documents and settings\localservice\imPlayok.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=GRfox000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Translate.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: {3A4D6EDB-033A-4207-A8FA-077C91E19B45} = 124.158.127.11 124.158.127.13
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\boldoo\applic~1\mozilla\firefox\profiles\1uzstosk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2685&invocationType=tb50ffwinampie7&query=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=GRfox000&fl=0&ptb=vEfk1q5LwfcZd8mMnVB8ig&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - component: c:\documents and settings\boldoo\application data\mozilla\firefox\profiles\1uzstosk.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - component: c:\program files\mozilla firefox\extensions\browserhighlighter@ebay.com\components\Shim.dll
FF - plugin: c:\documents and settings\boldoo\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-8-2 1267024]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2009-12-26 30104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091228.004\naveng.sys [2009-12-29 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091228.004\navex15.sys [2009-12-29 1323568]
S2 SwPrvEventlog;MS Software Shadow Copy Provider SwPrvEventlog;c:\windows\system32\actmoviea.exe srv --> c:\windows\system32\actmoviea.exe srv [?]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2009-12-26 30104]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-8-2 173392]

=============== Created Last 30 ================

2009-12-29 14:52:54 27734 ----a-w- c:\windows\system32\imPlayok.exe
2009-12-28 12:55:11 4816 ----a-w- c:\windows\system32\drivers\aeaudio.sys
2009-12-28 12:55:11 3744 ----a-w- c:\windows\system32\drivers\smsens.sys
2009-12-28 12:55:10 612032 ----a-w- c:\windows\system32\drivers\smwdm.sys
2009-12-28 12:55:10 49152 ----a-w- c:\windows\system32\DSndUp.exe
2009-12-28 12:55:10 45056 ----a-w- c:\windows\system32\CleanUp.exe
2009-12-28 12:04:06 707072 ----a-w- c:\windows\system32\drivers\qhjmt.sys
2009-12-28 12:02:05 197 --s-a-w- c:\windows\system32\2243012992.dat
2009-12-28 08:44:16 0 d-----w- c:\program files\Trend Micro
2009-12-28 03:53:59 0 d-----w- c:\program files\FunWebProducts
2009-12-28 03:53:53 0 d-----w- c:\program files\MyWebSearch
2009-12-27 12:20:03 45056 ---h--w- c:\windows\system32\secupdat.dat
2009-12-27 12:19:41 212992 --sh--w- c:\windows\system32\quickset.exe
2009-12-26 12:57:14 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2009-12-26 12:57:14 30104 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2009-12-26 12:18:33 0 d-----w- c:\docume~1\boldoo\applic~1\AVG8
2009-12-26 08:41:58 221696 ----a-w- c:\windows\system32\sshnas.dll
2009-12-25 13:05:40 0 ----a-w- c:\windows\iPlayer.INI
2009-12-25 13:00:06 0 d-----w- c:\program files\InterActual
2009-12-24 10:06:19 0 d-----w- c:\program files\VideoLAN
2009-12-19 17:47:56 0 d-----w- c:\windows\SxsCaPendDel
2009-12-17 01:08:53 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2009-12-17 01:08:53 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2009-12-17 01:08:52 129520 ------w- c:\windows\system32\pxafs.dll
2009-12-16 03:39:35 0 d-----w- c:\program files\MSXML 6.0
2009-12-15 06:12:03 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2009-12-14 19:49:44 0 d-----w- c:\windows\system32\CatRoot_bak
2009-12-14 19:45:45 2180352 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-14 19:45:45 2136064 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-14 19:45:45 2057728 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-14 19:45:45 2015744 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-14 19:44:25 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2009-12-14 19:42:45 453632 -c----w- c:\windows\system32\dllcache\mrxsmb.sys

==================== Find3M ====================

2009-12-29 04:00:19 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 05:48:04 662016 ----a-w- c:\windows\system32\wininet.dll
2009-10-26 14:18:10 23348 ----a-w- c:\windows\system32\emptyregdb.dat
2009-10-21 06:00:55 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00:55 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-18 07:38:04 58752 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-17 10:54:29 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-17 10:15:24 19374 ----a-w- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2009-10-17 10:15:24 164352 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-10-17 10:15:22 67584 ----a-w- c:\windows\system32\xanalyze.dll
2009-10-16 05:34:56 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2009-10-13 10:53:29 266752 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:54:17 69632 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:54:17 112128 ----a-w- c:\windows\system32\rastls.dll

============= FINISH: 1:37:50.29 ===============

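As an added example (not part of the post, and not something DDS itself does), the script below runs a few log-review heuristics over the DDS excerpt and the Symantec alert quoted above and flags the entries a malware-response helper would look at first: the svchost.exe that is launching a second executable, the Run entry sitting in a service-account profile, the hidden/system files that appeared under system32, the service marked [?] whose binary DDS could not read, the svchost-hosted service whose DLL is only days old, and a boot-start driver with a fresh timestamp. The section names follow the DDS output as printed in the post; the heuristics, the CORE_DRIVERS list and the SYSTEM_BINARIES list are my own assumptions, not DDS or Symantec documentation.

```python
import re

# Excerpt of the DDS log and of the Symantec alert quoted in the post above
# (lines copied verbatim, trimmed to the sections these checks read).
DDS_LOG = r"""
============== Running Processes ===============
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe "C:\WINDOWS\system32\actmoviea.exe"
============== Pseudo HJT Report ===============
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
dRun: [imPlayok] c:\documents and settings\localservice\imPlayok.exe
============= SERVICES / DRIVERS ===============
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-3 14336]
S2 SwPrvEventlog;MS Software Shadow Copy Provider SwPrvEventlog;c:\windows\system32\actmoviea.exe srv --> c:\windows\system32\actmoviea.exe srv [?]
=============== Created Last 30 ================
2009-12-29 14:52:54 27734 ----a-w- c:\windows\system32\imPlayok.exe
2009-12-28 12:02:05 197 --s-a-w- c:\windows\system32\2243012992.dat
2009-12-27 12:20:03 45056 ---h--w- c:\windows\system32\secupdat.dat
2009-12-27 12:19:41 212992 --sh--w- c:\windows\system32\quickset.exe
2009-12-26 08:41:58 221696 ----a-w- c:\windows\system32\sshnas.dll
==================== Find3M ====================
2009-12-29 04:00:19 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-10-29 05:48:04 662016 ----a-w- c:\windows\system32\wininet.dll
"""
AV_ALERT = r"""
Threat: Trojan Horse
File: C:\WINDOWS\TEMP\vqes.tmp\svchost.exe
Action taken: Quarantine succeeded : Access denied
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS file line: date time size attrs path; attrs[0]=d(ir), attrs[2]=s(ystem), attrs[3]=h(idden)
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ (\d+) (\S{8}) (.+)$")
# The real service host is only started as "svchost.exe -k <group>"; a quoted exe on its command line is not that.
SVCHOST_HOSTING_RE = re.compile(r'svchost(?:\.exe)?\s+"[^"]+\.exe"', re.I)
SERVICE_PROFILE_RE = re.compile(r"\\(localservice|networkservice)\\", re.I)
# Assumed list: boot-start drivers that normally change only with a service pack.
# A fresh timestamp is a prompt to hash-check the file, not proof of tampering.
CORE_DRIVERS = {"atapi.sys", "ntfs.sys", "disk.sys", "ndis.sys"}
# Assumed list: binaries whose only legitimate home is %SystemRoot%\system32.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_sections(text):
    """Split a DDS log into {section title: [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.rstrip())
    return sections


def find_indicators(sections):
    """Return (category, reason, log line) tuples for entries worth a closer look."""
    hits = []
    for line in sections.get("Running Processes", []):
        # Bare "svchost.exe" lines are processes whose path DDS could not read; not flagged alone.
        if SVCHOST_HOSTING_RE.search(line):
            hits.append(("process", "svchost.exe launching a second executable", line))
    for line in sections.get("Pseudo HJT Report", []):
        # dRun = Run key of HKU\.DEFAULT; software does not install itself in a service account's profile.
        if line.startswith("dRun:") and SERVICE_PROFILE_RE.search(line):
            hits.append(("autorun", "Run entry inside a service-account profile", line))
    new_in_system32 = set()  # basenames created under system32 in the last 30 days
    for line in sections.get("Created Last 30", []):
        m = FILE_RE.match(line)
        if not m or m.group(3)[0] == "d" or "\\system32\\" not in m.group(4).lower():
            continue
        attrs, path = m.group(3), m.group(4).lower()
        new_in_system32.add(path.rsplit("\\", 1)[1])
        if attrs[2] == "s" or attrs[3] == "h":
            hits.append(("file", "new hidden/system file under system32", line))
    for line in sections.get("SERVICES / DRIVERS", []):
        fields = line.split(";")
        if len(fields) < 3:
            continue
        name, image = fields[0].split(" ", 1)[1], fields[2]
        if image.endswith("[?]"):  # DDS could not stat the service binary
            hits.append(("service", "service binary DDS could not read from disk", line))
        if "svchost.exe -k" in image.lower() and name.lower() + ".dll" in new_in_system32:
            hits.append(("service", "svchost-hosted service whose DLL appeared in the last 30 days", line))
    for line in sections.get("Find3M", []):
        m = FILE_RE.match(line)
        if m and m.group(4).lower().rsplit("\\", 1)[1] in CORE_DRIVERS:
            hits.append(("driver", "boot-start driver modified in the last 3 months", line))
    return hits


def check_av_alert(alert):
    """Explain why the quarantined path in an AV alert is suspicious, or return None."""
    m = re.search(r"^File:\s*(.+)$", alert, re.M)
    if not m:
        return None
    folder, _, basename = m.group(1).strip().lower().rpartition("\\")
    if basename in SYSTEM_BINARIES and not folder.endswith("\\system32"):
        return f"{basename} found in {folder} instead of system32"
    return None


if __name__ == "__main__":
    print(check_av_alert(AV_ALERT))
    for category, reason, line in find_indicators(parse_sections(DDS_LOG)):
        print(f"[{category}] {reason}: {line}")
```

On this excerpt the script reports eight entries: the actmoviea.exe process, the imPlayok Run entry, the three attribute-hidden files, the SSHNAS and SwPrvEventlog services, and atapi.sys. None of these is proof by itself; the value is in the correlation (a service named SSHNAS next to a days-old sshnas.dll, a service pointing at the same actmoviea.exe that svchost is hosting). The alert check separately explains the repeating Symantec pop-up: a file called svchost.exe under C:\WINDOWS\TEMP\<random>.tmp\ is not the service host, and a quarantine that keeps succeeding with new paths means something still on the machine is re-dropping it, so the dropper matters more than any one quarantined copy.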

#2 m0le

  • Malware Response Team
  • 34,527 posts

Posted 08 January 2010 - 09:47 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :(
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • 34,527 posts

Posted 14 January 2010 - 05:31 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could help. :(

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.