
Trojan


This topic is locked
26 replies to this topic

#1 kamotu

Posted 17 January 2007 - 01:54 PM

So, apparently, I have Trojan-Downloader.Win32.Agent.uj. I launched a game and it warned me of it. I scanned my system several times with Spybot Search & Destroy, Ad-Aware, AVG, and Panda Software, none of them finding anything.

With AVG came the firewall, and every couple of hours I get an "Unwanted program" warning of Generic2.JBZ from my windows/system32/dmshc.exe, which, after checking, doesn't exist. I've also seen it as Generic2.JOS, and I've seen it come from a system32/{ED3D0E~1.exe, which also does not exist.

No programs track it, so I am basically lost.

Here is the Hijackthis log, Thanks for your time!

---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:44:07 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\5020\SAService.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C1290D-AE5E-4BE2-9700-D938FB004211}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O17 - HKLM\System\CS2\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 rookie147

Posted 17 January 2007 - 02:04 PM

Hello kamotu, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O17 - HKLM\System\CCS\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C1290D-AE5E-4BE2-9700-D938FB004211}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O17 - HKLM\System\CS2\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Go to Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.
Double-click the Network Connections icon
Right-click the Local Area Connection icon and select Properties.
Highlight Internet Protocol (TCP/IP) and click the Properties button.
Be sure Obtain DNS server address automatically is selected.
OK your way out.

Go to Start > Run and type in cmd
Click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:

ipconfig /flushdns

Hit Enter
Exit the command window

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the Desktop loads save the text that will open (report.txt), and post it in your next reply.

Download F-Secure Blacklight and save it to your Desktop.
Double click on blbeta.exe to start the program.
Accept the user agreement and click Next.
Click Scan. You will then see a list of all the items found.
Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
BlackLight will have created a log on your Desktop named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
Post that log in your next reply.

Please post me back the BlackLight report, report.txt from FixWareOut, along with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.
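The O17 entries Charles asks to fix above are the signature of a DNS hijack: the same pair of public resolvers has been written into the Tcpip\Parameters key and the per-interface keys of CurrentControlSet (CCS) and also of ControlSet001 and ControlSet002, so the setting would survive a "Last Known Good Configuration" boot. The following is an added example in Python, not code from the thread, from HijackThis or from FixWareout. It parses O17 lines exactly as HijackThis prints them and reports every resolver that is not a private or loopback address, together with the control sets it appears in. The sample lines are copied from the log in post #1 plus one constructed benign entry (192.168.1.1); the optional list of trusted resolvers is an assumption the analyst supplies.

```python
"""Flag DNS-hijack indicators in HijackThis O17 lines (added example)."""
import ipaddress
import re

# Constructed sample: O17 entries from the posted log, plus one benign
# entry pointing at a private-range router address for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{8CF721B2-D47F-4B18-B8D7-8864A020B326}: NameServer = 85.255.115.19,85.255.112.183
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.19 85.255.112.183
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2C1290D-AE5E-4BE2-9700-D938FB004211}: NameServer = 192.168.1.1
"""

# HijackThis abbreviates CurrentControlSet as CCS and ControlSet00N as CSN.
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>CCS|CS\d+)\\\S+?): NameServer = (?P<servers>.+)$"
)


def parse_o17(log_text):
    """Return [(registry_key, control_set, [ip, ...])] for every O17 line.

    HijackThis separates multiple servers with ',' on per-interface keys
    and with ' ' on the Parameters key, so both separators are accepted.
    """
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
        entries.append((m.group("key"), m.group("cs"), servers))
    return entries


def suspicious_resolvers(entries, trusted=()):
    """Sorted list of NameServer values that are public and not in `trusted`.

    Private and loopback addresses (a home router, a local forwarder) are
    treated as expected; anything else hard-coded into the registry on a
    DHCP client is worth a look. `trusted` is an analyst-supplied assumption.
    """
    trusted_ips = {ipaddress.ip_address(t) for t in trusted}
    bad = set()
    for _key, _cs, servers in entries:
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                bad.add(s)  # not even an IP address: definitely review it
                continue
            if ip.is_private or ip.is_loopback or ip in trusted_ips:
                continue
            bad.add(str(ip))
    return sorted(bad)


def control_sets_touched(entries, ip):
    """Control sets (CCS, CS1, CS2, ...) in which `ip` is configured.

    A resolver present in the alternate control sets as well as CCS is the
    reason every O17 line, not just the CCS ones, must be fixed.
    """
    return sorted({cs for _key, cs, servers in entries if ip in servers})


if __name__ == "__main__":
    ents = parse_o17(SAMPLE_LOG)
    for ip in suspicious_resolvers(ents):
        print(f"{ip}: configured in control sets {control_sets_touched(ents, ip)}")
```

To use it on a real log, read the saved HijackThis text file and pass its contents to parse_o17. The script only reads the log; the registry change itself is what the "Fix Checked" step and the switch back to "Obtain DNS server address automatically" above perform, and ipconfig /flushdns afterwards discards answers the rogue resolvers already handed out.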


#3 kamotu

Posted 17 January 2007 - 02:21 PM

Thanks for the extremely fast reply.
Here's the Fixwareout log
------------------

Fixwareout
Last edited 1/14/2006
Post this report in the forums please
...
Prerun check
HKLM run and Winlogon System values
C:\WINDOWS\system32\dmowl.exe will be moved to C:\WINDOWS\temp\dmowl.ren at reboot.
C:\WINDOWS\system32\cszxr.exe will be moved to C:\WINDOWS\temp\cszxr.ren at reboot.
System restarted
...
Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\lwomd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\yqdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "dpid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "pid"
...
Random Runs removed from HKLM
"dmowl.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.

Misc files.

Checking for older varients covered by the Rem3 tool.

Postrun check
HKLM run
Winlogon System value
"system"=""

------------------------
Here's the BlackLight report
------------------------
01/17/07 13:15:28 [Info]: BlackLight Engine 1.0.55 initialized
01/17/07 13:15:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/17/07 13:15:29 [Note]: 7019 4
01/17/07 13:15:29 [Note]: 7005 0
01/17/07 13:15:42 [Note]: 7006 0
01/17/07 13:15:42 [Note]: 7011 1816
01/17/07 13:15:42 [Note]: 7026 0
01/17/07 13:15:42 [Note]: 7026 0
01/17/07 13:15:45 [Note]: FSRAW library version 1.7.1021
01/17/07 13:19:12 [Note]: 7007 0

------------------------
Here's the HiJack This log
------------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:19:35 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\SiteAdvisor\5020\SAService.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\5020\SiteAdv.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\5020\SiteAdv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\5020\SAService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#4 rookie147

Posted 17 January 2007 - 04:32 PM

Make a list of all the programs installed on your computer:
Open HijackThis
Click the Config... button, then go to the Misc Tools section.
Press Open Uninstall Manager. You'll see a list of programs.
Select Save List... - save it to your Desktop.
The file "uninstall_list.txt" will be created.
Copy and paste the contents of this file to your next reply.
Thanks,
Charles



#5 kamotu

Posted 17 January 2007 - 05:19 PM

Hello, thanks for your reply, here's the list
----------------
Ad-Aware SE Personal
Adobe Flash Player 9
Adobe Reader 8
AIM 6.0
Apple Software Update
Athlon 64 Processor Driver
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG 7.5
Battlefield 2142
BitTorrent 5.0.3
Guild Wars
HijackThis 1.99.1
iTunes
MailFrontier Desktop
McAfee SiteAdvisor
Microsoft .NET Framework 1.1
Microsoft Office 2000 Premium
Mozilla Firefox (2.0.0.1)
Panda ActiveScan
QuickTime
RealPlayer
Realtek AC'97 Audio
Spybot - Search & Destroy 1.4
ULi AGP Driver
ULi LAN Driver
VideoLAN VLC media player 0.8.6
Viewpoint Media Player
World of Warcraft
Xfire (remove only)
Yahoo! Toolbar
ZoneAlarm

#6 rookie147

Posted 17 January 2007 - 05:32 PM

Hey there,
I see you have Viewpoint installed:
Viewpoint Manager is considered to be foistware rather than malware, since it is installed without your approval but doesn't actually spy or do anything "bad". This will soon change, according to this article, which you may want to read: http://www.clickz.com/news/article.php/3561546
I recommend that you remove the Viewpoint products. If you do decide to get rid of it, please remove all references to Viewpoint from Add/Remove Programs.

You also seem to be using two firewalls, AVG and ZoneAlarm, and this can have negative effects on the performance of your computer. Therefore, please go to Add/Remove Programs and remove either ZoneAlarm or AVG.
Bear in mind that if you remove AVG, you will also lose your antivirus.

You are using peer-to-peer programs.
These are what we call an optional removal. However, anytime you are running any type of peer-to-peer application, you are more prone to infection by malware, and this is probably how you became infected in the first place. The choice to remove them is entirely up to you, but I would strongly recommend that you do.
For more information about infections as a result of p2p programs, take a look here: http://p2p.malwareremoval.com/

Please do an online scan with Kaspersky WebScanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on Next
Select a target to scan; click on My Computer
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text
Post these results in your next reply.
Post me back the Kaspersky report, and let me know how things are running.
Thanks,
Charles



#7 kamotu

Posted 17 January 2007 - 05:44 PM

Hello, thanks for the reply. I have uninstalled Viewpoint player; I don't recall using it more than once or twice. That's some useful information about it.

I read about two firewalls interfering with each other, and I turned off the firewall aspect of AVG earlier today. I'm keeping it for the anti-virus, but I prefer the ZoneAlarm firewall.

I'm pretty sure you are referring to BitTorrent as the P2P. I have not downloaded anything using BitTorrent in at least 2-3 months, so I doubt my infection came from there, but I am not completely sure.

My computer is currently running pretty fine. I have not noticed any changes in the performance of my computer since I realized I had malware. My internet speed fluctuates often, but I have come to realize that is an aspect of having Comcast as an internet provider (I think it's Time Warner now, not 100% sure), since it is not very stable at all. So there are no differences in my performance.

I'm running the Kaspersky scan now, and will post a log as soon as it finishes, but it looks like it will take a while.

Thank you for your time.

#8 kamotu

Posted 17 January 2007 - 07:24 PM

Hello again, I have done as you asked and have obtained a Kaspersky report.

This is the only scanner whose results I understand that actually found a trojan.

Thanks for your time.
-----------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, January 17, 2007 6:20:42 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 17/01/2007
Kaspersky Anti-Virus database records: 244678
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
Scan Statistics
Total number of scanned objects 101055
Number of viruses found 4
Number of infected objects 5 / 0
Number of suspicious objects 0
Duration of the scan process 01:39:45

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u5vg6245.default\Cache\C7C9AAACd01 Infected: Trojan-Downloader.JS.Small.au skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\AvgFwLog.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Grisoft\Avg7Data\AvgFwLog.log.lck Object is locked skipped
C:\Documents and Settings\ed\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-6c57ed18.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\ed\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-6c57ed18.zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\Application Data\AOL OCP\AIM\Storage\data\darussianwashere\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\History\History.IE5\MSHist012007011720070118\index.dat Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\Temp\~DFE70F.tmp Object is locked skipped
C:\Documents and Settings\Vit1.VIT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Vit1.VIT\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Vit1.VIT\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8B1EF1B4-08BF-4961-BC12-59296C5426D1}\RP62\A0018117.exe Object is locked skipped
C:\System Volume Information\_restore{8B1EF1B4-08BF-4961-BC12-59296C5426D1}\RP62\A0018123.exe Object is locked skipped
C:\System Volume Information\_restore{8B1EF1B4-08BF-4961-BC12-59296C5426D1}\RP62\A0018143.exe Object is locked skipped
C:\System Volume Information\_restore{8B1EF1B4-08BF-4961-BC12-59296C5426D1}\RP62\A0018144.exe Object is locked skipped
C:\System Volume Information\_restore{8B1EF1B4-08BF-4961-BC12-59296C5426D1}\RP62\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\VIT.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\cszxr.ren Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\WINDOWS\Temp\dmowl.ren Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\Temp\ZLT06525.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT06528.TMP Object is locked skipped
Scan process completed.

Edited by kamotu, 17 January 2007 - 07:25 PM.
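Almost every line in the report above is "Object is locked / skipped" (registry hives, event logs, index.dat files), which is noise; the four "Infected:" lines are what matter, and two of them are the files FixWareout said in post #3 it would move from system32 to C:\WINDOWS\temp as .ren files, which confirms that those two were the active dropper components. The Python below is an added triage example, not code from the thread or from Kaspersky, that pulls the real detections out of such a report and cross-references them with the FixWareout rename list. The report excerpt and the rename map are constructed from the logs posted in this thread; the bucket names are labels chosen for this example.

```python
"""Triage a Kaspersky Online Scanner report against FixWareout's renames (added example)."""
import re
from collections import defaultdict

# Constructed excerpt of the report posted above: a few locked-object
# lines kept to show they are filtered out, plus all four detections.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\u5vg6245.default\Cache\C7C9AAACd01 Infected: Trojan-Downloader.JS.Small.au skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\ed\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-6c57ed18.zip/Beyond.class Infected: Trojan.Java.ClassLoader.k skipped
C:\Documents and Settings\ed\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arr3.jar-1bde2f45-6c57ed18.zip ZIP: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\Temp\cszxr.ren Infected: Trojan-Downloader.Win32.Agent.uj skipped
C:\WINDOWS\Temp\dmowl.ren Infected: Trojan.Win32.Small.fb skipped
C:\WINDOWS\Temp\ZLT06525.TMP Object is locked skipped
Scan process completed.
"""

# Files FixWareout reported it would rename at reboot (from post #3).
FIXWAREOUT_RENAMES = {
    r"C:\WINDOWS\system32\dmowl.exe": r"C:\WINDOWS\temp\dmowl.ren",
    r"C:\WINDOWS\system32\cszxr.exe": r"C:\WINDOWS\temp\cszxr.ren",
}

# Matches only real per-object detections, not the "ZIP: infected - N"
# archive summary lines and not the "Object is locked" lines.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")


def parse_infected(report):
    """Return [(path, detection_name, last_action)] for each real detection."""
    hits = []
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name"), m.group("action")))
    return hits


def unresolved(hits):
    """Paths the scanner reported but did not clean (online scanner only reports)."""
    return [path for path, _name, action in hits if action == "skipped"]


def classify(hits, renames):
    """Bucket detections by the follow-up they need.

    already_disabled_by_fixwareout: the renamed copies in C:\WINDOWS\temp,
        inert because nothing launches a .ren file, but still to be deleted.
    browser_or_java_cache: exploit-kit leftovers in a browser or Java cache;
        cleared by emptying those caches rather than by hunting the file.
    needs_manual_review: anything else, i.e. a live file outside a cache.
    """
    quarantined = {v.lower() for v in renames.values()}
    buckets = defaultdict(list)
    for path, name, _action in hits:
        low = path.lower()
        if low in quarantined:
            buckets["already_disabled_by_fixwareout"].append((path, name))
        elif "\\cache\\" in low or "\\temporary internet files\\" in low:
            buckets["browser_or_java_cache"].append((path, name))
        else:
            buckets["needs_manual_review"].append((path, name))
    return dict(buckets)


if __name__ == "__main__":
    found = parse_infected(SAMPLE_REPORT)
    for bucket, items in classify(found, FIXWAREOUT_RENAMES).items():
        print(bucket)
        for path, name in items:
            print(f"  {name}: {path}")
```

On this report the script leaves nothing in needs_manual_review: the two .ren files are the FixWareout quarantine, and the other two detections sit in the Firefox and Java caches, which is why the next instructions in the thread are about clearing those caches. The "skipped" action on every line is a reminder that the online scanner only reports; it deletes nothing.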


#9 rookie147

Posted 18 January 2007 - 10:22 AM

Hey there,
Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Click Start | Control Panel.
Double click the Java icon.
Click Settings under "Temporary Internet Files".
Press Delete Files.
A window will open with three options to clear the cache.
- Delete Files
- View Applications
- View Applets
Click OK on "Delete Temporary Files" window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
Click OK on "Temporary Files Settings" window.

Let's clean out your temporary internet files:
Close all open windows before we start.
Go to Start | Control Panel | Internet Options | General.
Click the Delete Cookies button.
Next to it, click the Delete Files button.
When prompted, place a check in: 'Delete all offline content', click OK

If you have Firefox installed, we need to clean out these temporary files as well:
Go to Tools | Options.
Click Privacy.
Press the Clear button located to the right of each option (History, Cookies, Cache).
Click OK to finish, before closing it.
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Now we'll clean other temporary files and your Recycle Bin:
Go to Start | Run | type: cleanmgr | OK.
Let it scan your system for files to remove.
Make sure 'Temporary Files', 'Temporary Internet Files', and 'Recycle Bin' are the only things checked.
Press OK to remove them.

Reboot into Normal Mode.
Then let me know how things seem to be running now.
Thanks
Charles



#10 kamotu

Posted 18 January 2007 - 06:03 PM

Hello, thank you for your reply.

I have experienced some problems carrying out your request.

I went to the control panel in safe mode and there was NO Java icon. I checked control panel in normal mode and there isn't one either.

As a matter of fact, I've had this trojan in my Java folder for quite a long time. I scan my computer maybe once every 2 weeks, and every single time I remember, the one in my sun/java folder is ALWAYS there. For some reason, I never really paid much attention to it though.

I've tried even deleting the Sun folder, but it came back anyway, so I ignored it, and never really thought of it until now.

I successfully carried out the other tasks, and perhaps the loading time at start up was just slightly faster, but it was basically hardly noticeable.

Thanks for your time.

#11 rookie147

Posted 19 January 2007 - 10:52 AM

Hey again,
Ok, there's a program we can download that will remove these files:

Please download ATF Cleaner. Don't run it yet.

Now, please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Reboot into Normal Mode again.

"I successfully carried out the other tasks, and perhaps the loading time at start up was just slightly faster, but it was basically hardly noticeable."

Basically, what I meant by my question was- do all your malware problems seem to be solved? Once these are gone, I can give you a few recommendations that will help to speed up your computer a bit.
So, post back letting me know if your malware problem has been solved.
Thanks,
Charles



#12 kamotu

Posted 19 January 2007 - 06:10 PM

Hello, thanks for your reply.

Sorry about that, I misunderstood what you said.

Thanks to your help, all my malware problems are solved. I scanned with several scanning programs and they all came out clean.

Thanks so much for your help!

#13 rookie147

Posted 20 January 2007 - 04:51 AM

Great job! :thumbsup:

There are many programs available to monitor the programs that run when you start up your computer, and you can disable unnecessary ones from running, hence speeding up your computer's boot-up time. An example of such a program would be Startup Inspector. I do not personally have any experience of using this program, but I know of many people who use it to great success, so I will recommend it to you.
However, Windows also has a built-in program with which you can disable certain programs from running at startup, called the System Configuration Utility. This is accessed by going to Start | Run and typing msconfig. This will open the program; then click on the Startup tab at the top. You will get a list of all the programs that currently run when your computer boots up, many of which are needed, but some are unnecessary and can be disabled. Please make sure you check these names on Google or here before disabling them; like I said, many of them are needed for your computer to be able to start up successfully. I personally use this utility, as I feel there is no point downloading a program for something that is pretty simple for you to do yourself.
Also, there is an article here at BC for sorting out a slow computer, including some steps that go into far more detail than what I'm going to here. This can be found here:
http://www.bleepingcomputer.com/forums/t/44690/slow-computer/

Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
If, of course, you encounter any more problems, please let me know and I'll try my best to sort them out for you.
Thanks and happy computing,
Charles



#14 kamotu

Posted 20 January 2007 - 10:39 AM

Hello, thanks for the reply and the helpful information.

However, I have a question, when I run msconfig and go to startup, I get three really strange ones.

It's a bit hard to explain, so I took a screenshot and pointed them out.

http://i5.photobucket.com/albums/y196/kamotu/msconfig.jpg

Thanks for your time.

#15 rookie147

Posted 21 January 2007 - 06:44 AM

Hey again,
It is possible that the "squared" entries are caused by a foreign language that Windows can't show, but I'd like to take a look at two sections of your registry that should provide us with the answers.
Please go to Start | Run, and copy and paste the following (one at a time):

regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

regedit /e C:\look2.txt "HKEY_LOCAL_MACHINE\SOFTWARE\microsoft\windows nt\currentversion\windows"


Press OK after each one. It won't look like it's doing anything, don't be alarmed.
Then click on Start | My Computer | Local Disk (C:) and you should see two new files have been created, called look.txt and look2.txt.
I'd like you to post both of these in your next reply.
Thanks,
Charles

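The two regedit /e exports requested in post #15 are plain text (UTF-16 with a byte-order mark, CRLF line ends) and can be inspected by script rather than by eye, which also covers the advice in post #13 to check each startup name before disabling it. The following is an added example written for this thread; it is not code from the thread, from BleepingComputer or from any tool mentioned here. It parses such an export, pulls the executable out of each Run value, and flags the things a helper looks for: value names made of control or non-ASCII characters (the "squared" entries in the msconfig screenshot), entries whose target file no longer exists, and REG_EXPAND_SZ values (exported as hex(2) UTF-16LE bytes) whose environment variable cannot be resolved. SAMPLE_EXPORT, every value name and path in it, and the `exists`/`env` parameters are constructed for the example so it can be exercised away from the affected machine.

```python
"""Parse a `regedit /e` export of a Run key and flag autorun entries worth a closer look.

Added example for this thread, not code from the thread or from any BleepingComputer tool.
SAMPLE_EXPORT is constructed: every value name and path in it is made up.
"""
import os
import re
import sys

# regedit /e writes UTF-16LE text with a byte-order mark and CRLF line ends.
# Constructed sample of a Run key export; names and paths are hypothetical.
SAMPLE_EXPORT = b"\xff\xfe" + (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n"
    # ordinary entry: quoted path followed by an argument
    '"ExampleUpdater"="\\"C:\\\\Program Files\\\\Example\\\\updater.exe\\" /background"\r\n'
    # value name in a script that msconfig may render as squares
    '"\u4e2d\u6587\u8f93\u5165"="C:\\\\WINDOWS\\\\system32\\\\imehelper.exe"\r\n'
    # control characters in the name, and a target that does not exist on disk
    '"\u0001\u0002"="C:\\\\WINDOWS\\\\system32\\\\notthere.exe -s"\r\n'
    # REG_EXPAND_SZ is exported as hex(2): UTF-16LE bytes, continued across lines with '\'
    '"ExpandableEntry"=hex(2):25,00,53,00,59,00,53,00,54,00,45,00,4d,00,52,00,4f,00,4f,00,\\\r\n'
    "  54,00,25,00,5c,00,74,00,6f,00,6f,00,6c,00,2e,00,65,00,78,00,65,00,00,00\r\n"
    "\r\n"
).encode("utf-16-le")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data  or  @=data
HEX_RE = re.compile(r"^hex\((\d+)\):(.*)$")
EXE_RE = re.compile(r"^(.+?\.(?:exe|com|scr|pif|bat|cmd|dll))(?:\s|$)", re.I)


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def _logical_lines(text):
    """Join the backslash-continued lines regedit emits for hex values."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            out.append(buf + line)
            buf = ""
    return out


def _decode_data(raw):
    """Return (type, value) for the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", _unescape(raw[1:-1])
    m = HEX_RE.match(raw)
    if m and m.group(1) == "2":
        blob = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        return "REG_EXPAND_SZ", blob.decode("utf-16-le").rstrip("\x00")
    return "OTHER", raw   # dword:, hex:, hex(7): ... left as written


def _executable_path(command):
    """Pull the program out of a Run command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ")[0]


def _undisplayable(s):
    """True if msconfig would show this as squares or garbage: control or non-ASCII chars."""
    return any(ord(c) < 32 or ord(c) > 126 for c in s)


def _expand_windows_vars(path, env):
    """Expand %VAR% using the given mapping; unknown variables are left in place."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1), m.group(0)), path)


def analyze_run_export(export_bytes, exists=os.path.exists, env=os.environ):
    """Parse a regedit export and return one dict per value, each with a list of flags."""
    text = export_bytes.decode("utf-16")   # consumes the BOM regedit writes
    key, entries = None, []
    for line in _logical_lines(text):
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group(1) is None else _unescape(m.group(1))
        vtype, data = _decode_data(m.group(2))
        exe = _executable_path(data) if vtype in ("REG_SZ", "REG_EXPAND_SZ") else ""
        expanded = _expand_windows_vars(exe, env)
        flags = []
        if _undisplayable(name):
            flags.append("name_undisplayable")
        if _undisplayable(exe):
            flags.append("path_undisplayable")
        if "%" in expanded:
            flags.append("unexpanded_var")
        elif exe and not exists(expanded):
            flags.append("missing_executable")
        entries.append({"key": key, "name": name, "type": vtype, "data": data,
                        "executable": exe, "flags": flags})
    return entries


if __name__ == "__main__":
    # Usage: python run_export_check.py C:\look.txt   (no argument: analyse the built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for e in analyze_run_export(blob):
        marker = "!!" if e["flags"] else "  "
        print(f"{marker} {e['name']!r:30} {e['type']:14} {e['data']!r}  {', '.join(e['flags'])}")
```

Run it against the real look.txt and look2.txt on the machine itself so that the existence check and the environment variables are the ones Windows will use at boot; a missing target is exactly what the earlier "Unwanted program" warnings about a file that isn't there would produce. A flagged entry is a lead, not a verdict: a value name in an East Asian script can be a legitimate input-method helper, so look the name up before removing anything.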




