btcar popup, trojan.agent.apmc, trojan.script.14303, trojan.fakeav.kue

  • This topic is locked
2 replies to this topic

#1 yeahwateva705


  • Members
  • 1 posts
  • Local time:09:56 AM

Posted 05 May 2010 - 04:41 PM

My antivirus program, BitDefender Antivirus 2010, has blocked the above trojans. The main trojan that keeps popping up, however, is: Trojan.Agent.AMPC. It is located in my temp file as 94.tmp. I have deleted my temp files; some of them wouldn't delete, so I downloaded and ran CCleaner.

After successfully deleting files that Windows alone wouldn't allow me to do, I presumed my problems were over. (haven't had the antivirus program pop-up in 12 hrs now)

I opened up Google and typed in the topic I wanted and clicked on the link I wanted & I was redirected to btcar.com. I closed it, clicked on another link and I was directed to virtualway.info among other annoying sites. So I blocked these sites in IE, and proceeded to download & run SpyBot S&D. 4 issues were found and I repaired them.

I then did a deep system scan with BitDefender and it said no viruses or spyware were found:
BitDefender Log File

Product: BitDefender Antivirus 2010
Version: BitDefender Antivirus Scanner
Scanning task: Deep System Scan
Log date: 5/6/2010 2:36:47 AM
Log path: C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\deep_scan\1273077407_1_00.xml

Scan paths:
Path 0000: C:\

Scan Level:
Scan for viruses: Yes
Scan for adware: Yes
Scan for spyware: Yes
Scan for applications: Yes
Scan for dialers: Yes
Scan for rootkits: Yes
Scan for keyloggers: Yes

Virus Scanning Options:
Scan registry keys: Yes
Scan cookies: Yes
Scan boot sectors: Yes
Scan memory processes: Yes
Scan archives: Yes
Scan runtime packers: Yes
Scan e-mails: Yes
Scan all files: Yes
Heuristic Scan: Yes
Scanned extensions: not configured
Excluded extensions: not configured

Target Processing:
Default first action for infected objects: Disinfect
Default second action for infected objects: None
Default first action for suspect objects : None
Default second action for suspicious objects: None
Default action for hidden objects: None
Default first action for encrypted infected objects: Disinfect
Default second action for encrypted infected objects: None
Default first action for encrypted suspicious objects: None
Default second action for encrypted suspicious objects: None
Default action for password-protected objects: Log only

Scan Engines Summary
Virus signatures: 5745705
Archive plugins: 43
E-mail plugins: 6
Scan plugins: 13
System plugins: 5
Unpack plugins: 10

Scanned items: 139771
Infected items: 0 (no infected items have been detected)
Suspect items: 0 (no suspected items have been detected)
Hidden items: 0 (no hidden items have been detected during this scan)
Resolved items: 0 (no threats have been detected during this scan)
Unresolved items: 0 (no issues remained unresolved)

Scan time: 01:26:12
Files per second: 27
Skipped items: 17223
Password-protected items: 7
Over-compressed items: 0
Individual viruses found: 0
Scanned folders: 5234
Scanned boot sectors: 4
Scanned archives: 925
Input-output errors: 32
Scanned processes: 36
Infected processes: 0
Scanned registry keys: 0
Infected registry keys: 0
Scanned cookies: 0
Infected cookies: 0

Not scanned objects:
Object Path | Reason | Final Status
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusOverride.zip=>sbRecovery.reg Password-protected Not scanned (file was password-protected)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass.zip=>sbRecovery.reg Password-protected Not scanned (file was password-protected)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass1.zip=>sbRecovery.reg Password-protected Not scanned (file was password-protected)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn.zip=>2086076851 Password-protected Not scanned (file was password-protected)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn1.zip=>sbRecovery.reg Password-protected Not scanned (file was password-protected)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn2.zip=>sbRecovery.reg Password-protected Not scanned (file was password-protected)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondesdn3.zip=>sbRecovery.reg Password-protected Not scanned (file was password-protected)


So I had a go at googling again and the redirection to that btcar website is still happening. I'm connected to a wireless network, and it's going MUCH slower than normal with the dongle light constantly on (not just flashing), when I have no programs running or downloads happening. It also feels like this computer is getting slower and slower, it was only reformatted a few days ago. So I'm very frustrated. HELP!


DDS (Ver_10-03-17.01) - NTFSx86
Run by Matt at 5:41:25.76 on Thu 05/06/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.123 [GMT 10:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2010\vsserv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\BitDefender\BitDefender 2010\bdagent.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\BitDefender\BitDefender 2010\seccenter.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Matt\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2010\IEToolbar.dll
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [F5D9050] c:\program files\belkin\f5d9050\Belkinwcui.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Smapp] c:\program files\analog devices\soundmax\Smtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2010\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2010\bdagent.exe"
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_93C8148BBB233F43.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Notify: 7c5701b3899 - c:\windows\system32\glmf3232.dll
AppInit_DLLs: c:\windows\system32\glmf3232.dll
Hosts: www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2010-2-3 153448]
R3 StreamSurge;StreamSurge Driver (miniport);c:\windows\system32\drivers\ss.sys [2010-5-3 19968]
S?4 BKNDIS5;BKNDIS5 NDIS Protocol Driver;c:\progra~1\belkin\f5d9050\BKNDIS5.SYS [2010-5-3 15872]

=============== Created Last 30 ================

2010-05-05 19:31:17 20 ----a-w- c:\documents and settings\matt\defogger_reenable
2010-05-05 19:04:57 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-05 18:53:28 0 d-----w- c:\program files\Trend Micro
2010-05-05 16:17:18 817 ----a-w- c:\windows\system32\2086076851
2010-05-05 15:01:28 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-05-05 15:01:28 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-05-05 13:18:50 1152 ----a-w- c:\windows\system32\windrv.sys
2010-05-05 12:25:34 0 d-----w- c:\program files\CCleaner
2010-05-05 04:13:20 35 ----a-w- c:\windows\system32\2cd706b4
2010-05-05 04:13:20 1900 ----a-w- c:\windows\GnuHashes.ini
2010-05-05 04:06:03 1103 --sha-w- c:\windows\system32\738677219
2010-05-05 04:04:51 0 d-sh--w- c:\windows\system32\SysWoW32
2010-05-05 04:04:48 113 ----a-w- c:\windows\system32\sl1306968945
2010-05-05 04:04:28 203776 --sh--w- c:\windows\system32\unrar.exe
2010-05-05 04:04:28 0 d-----w- c:\windows\system32\1315268308
2010-05-05 04:03:59 1081856 --sha-w- c:\windows\system32\3.tmp
2010-05-05 02:44:11 215920 ----a-w- c:\windows\system32\muweb.dll
2010-05-05 02:44:11 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-05-05 02:44:10 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-05-04 19:46:33 183296 ------w- c:\windows\system32\glmf3232.dll
2010-05-04 11:39:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2010-05-04 11:38:28 0 d-----w- c:\program files\Messenger Plus! Live
2010-05-04 10:33:23 0 d-----w- c:\program files\Windows Journal Viewer
2010-05-04 10:11:29 0 d-----w- c:\documents and settings\matt\Tracing
2010-05-04 09:43:21 0 d-----w- c:\program files\Microsoft
2010-05-04 09:42:54 0 d-----w- c:\program files\Windows Live SkyDrive
2010-05-04 09:31:53 0 d-----w- c:\program files\common files\Windows Live
2010-05-03 10:07:58 0 d-----w- c:\program files\BitTorrent
2010-05-03 03:33:05 850 ----a-w- c:\documents and settings\matt\Application DataProductTweaks.xml
2010-05-03 03:33:04 385 ----a-w- c:\documents and settings\matt\Application Datauser_gensett.xml
2010-05-03 03:33:03 376 ----a-w- c:\documents and settings\matt\Application Dataprivacy.xml
2010-05-03 02:49:50 0 d-----w- c:\program files\common files\ODBC
2010-05-03 02:49:45 0 d-----w- c:\program files\common files\SpeechEngines
2010-05-03 02:49:06 0 d-----r- c:\documents and settings\all users\Documents
2010-05-02 20:50:17 0 d-----w- c:\program files\directx
2010-05-02 20:47:47 0 d-----w- c:\program files\GameSpy Arcade
2010-05-02 20:24:49 0 d-----w- c:\program files\Aspyr
2010-05-02 20:12:32 0 d-----w- c:\program files\BitDefender
2010-05-02 20:12:32 0 d-----w- c:\docume~1\matt\applic~1\BitDefender
2010-05-02 20:12:32 0 d-----w- c:\docume~1\alluse~1\applic~1\BitDefender
2010-05-02 20:11:15 0 d-----w- c:\program files\common files\BitDefender
2010-05-02 20:07:34 0 d-----w- c:\docume~1\matt\applic~1\FrostWire
2010-05-02 20:04:48 0 d-----w- c:\program files\FrostWire
2010-05-02 20:00:54 0 d-----w- c:\docume~1\matt\applic~1\DAEMON Tools Pro
2010-05-02 20:00:54 0 d-----w- c:\docume~1\alluse~1\applic~1\DAEMON Tools Pro
2010-05-02 19:00:34 0 d-----w- c:\program files\iPod
2010-05-02 19:00:19 0 d-----w- c:\program files\iTunes
2010-05-02 19:00:19 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-02 18:52:01 0 d-----w- c:\program files\Bonjour
2010-05-02 18:44:38 0 d-----w- c:\docume~1\matt\applic~1\BitTorrent
2010-05-02 18:44:29 0 d-----w- c:\program files\DNA
2010-05-02 18:44:29 0 d-----w- c:\docume~1\matt\applic~1\DNA
2010-05-02 18:23:43 0 d-----w- c:\program files\Analog Devices
2010-05-02 18:22:18 0 d-----w- c:\program files\Lenovo
2010-05-02 17:26:46 0 d-----w- c:\program files\Belkin
2010-05-02 17:10:14 0 d-sh--w- c:\documents and settings\all users\DRM
2010-05-02 17:09:43 0 d--h--w- c:\program files\WindowsUpdate
2010-05-02 17:08:49 0 d-----w- c:\program files\common files\MSSoap
2010-05-02 17:06:33 0 d-----w- c:\program files\Online Services
2010-05-02 17:06:25 0 d-----w- c:\program files\Messenger
2010-05-02 17:06:20 0 d-----w- c:\program files\MSN Gaming Zone
2010-05-02 17:05:29 0 d-----w- c:\program files\Windows NT

==================== Find3M ====================

2010-05-05 19:07:38 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-02 21:30:28 1632 ----a-w- c:\windows\system32\d3d8caps.dat
2010-05-02 20:01:30 697328 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-05-02 17:26:53 20747 ----a-w- c:\windows\system32\drivers\AegisP.sys
2010-05-02 17:06:57 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2010-04-08 03:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 03:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-16 23:10:28 2189952 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll

============= FINISH: 5:44:55.04 ===============



#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:56 AM

Posted 07 May 2010 - 07:05 PM

Hello and welcome to BleepingComputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues, I would appreciate it if you would let me know so I can close this topic.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please download Malwarebytes' Anti-Malware from Here

Note: If you already have Malwarebytes' Anti-Malware, just update then run it.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan (the scan may take some time to finish, so please be patient).
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Then please post back here with the following:
  • log.txt
  • info.txt
  • mbam log



#3 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:12:56 AM

Posted 12 May 2010 - 08:22 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

