Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse Generic.gm And Worm.krepper.c


  • Please log in to reply
4 replies to this topic

#1 DubhCion

DubhCion

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:12 AM

Posted 19 October 2005 - 10:26 AM

AVG Resident shield always shows that there is Worm.Krepper.C and Trojan horse Generic.GM in my computer but when I click heal/delete/Vault it either doesn't work or the warning just appears again straight away. I don't know what to do cause I really dunno anything about computer.... Help? here is the logfile:



Logfile of HijackThis v1.99.1
Scan saved at 16:17:03, on 19/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINPENJR\win32\pphidpad.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\bcmwltry.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\NotifyPhoneBook.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINNT\system32\svc32.pif
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\palstart.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xanga.com/dubh_cion
F3 - REG:win.ini: run=C:\WINPENJR\Win32\CUSTOM.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [RemoveCpl] RemoveCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [PPHIDPAD] C:\WINPENJR\Win32\pphidpad.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\49.tmp
O4 - HKLM\..\Run: [Microsoft Windows 128bit Subsystem] C:\WINNT\system32\15.tmp
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinProfile] sndcfg16.exe
O4 - HKLM\..\Run: [Sims 2 Crack] C:\Documents and Settings\Judith\My Documents\Sims 2 Crack.exe
O4 - HKLM\..\Run: [WinUpdate] C:\cmon.exe
O4 - HKLM\..\Run: [Kazaa Download Manager 3.0] C:\Documents and Settings\Judith\My Documents\Kazaa Download Manager 3.0.exe
O4 - HKLM\..\Run: [Lord of the Rings The Battle for Middle-earth 1.00 Crack] C:\Documents and Settings\Judith\My Documents\Lord of the Rings The Battle for Middle-earth 1.00 Crack.exe
O4 - HKLM\..\Run: [Ad-aware Pro Crack] C:\Documents and Settings\Judith\My Documents\Ad-aware Pro Crack.exe
O4 - HKLM\..\Run: [Battlefield Vietnam crack] C:\Documents and Settings\Judith\My Documents\Battlefield Vietnam crack.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [System service76] C:\WINNT\etb\pokapoka76.exe
O4 - HKLM\..\Run: [SVC Service] svc32.pif
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKLM\..\RunServices: [SVC Service] svc32.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SVC Service] svc32.pif
O4 - HKCU\..\RunServices: [SVC Service] svc32.pif
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: palstart.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sonatmor.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\sonatmor.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{754DF896-9378-4376-86EB-172A16D2B43F}: NameServer = 194.46.8.51 194.46.8.2
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Msdebugsrv1 (Msdebugsrv) - Unknown owner - C:\WINNT\dbg32hlp.exe
O23 - Service: Microsoft SSL (ssl) - Unknown owner - C:\WINNT\system32\ssl.exe (file missing)
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINNT\taskcntr.exe (file missing)
O23 - Service: Windows TCP Communication (wtcpcom) - Unknown owner - C:\WINNT\system32\wtcpcom.exe
O23 - Service: Windows UPnP Service (wupnp) - Unknown owner - C:\WINNT\system32\wupnp.exe (file missing)

When I look at that, there are many things I didn't seen before... I don't have Kazaa or Battle of Middle Earth or anything like that. Eep!

BC AdBot (Login to Remove)

 


m

#2 bilko

bilko

  • Members
  • 276 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:12 AM

Posted 20 October 2005 - 12:40 PM

Hi DubhCion,
I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.
Posted Image

#3 DubhCion

DubhCion
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:05:12 AM

Posted 21 October 2005 - 04:01 AM

Thanks a lot :thumbsup:

#4 bilko

bilko

  • Members
  • 276 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:12 AM

Posted 21 October 2005 - 05:26 AM

Hello

Download WinSockFix.
If you loose your connection to the net, use this tool to get your connection back.

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates


Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Reboot and post a new Hijack This log, and Ewido log.
Posted Image

#5 bilko

bilko

  • Members
  • 276 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:UK
  • Local time:05:12 AM

Posted 21 October 2005 - 06:40 AM

Hello,

Just to keep you informed, something has just come up and I wont be at home until Sunday. When you have posted the Ewido scan, I will take a look and get back to you as soon as possible.

Bilko
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users