tr/proxy.lager.aq.1


  • Please log in to reply

#1
mustgetoutmore
New Member, 1 posts
Hi there
I've been trying to remove several Trojans over the past couple of days but tr/proxy.lager seems to keep coming back.
Spybot can only remove it if the PC is rebooted and then it scans again when re-starting, but even when it thinks it has removed it, the AntiVir programme keeps popping up saying it's infected.
I've followed everything in your 'start here' page. I thought Trojan Hunter had finally done the trick, so I re-booted and loaded up ZoneAlarm as I didn't have a firewall apart from my router before. However, shortly after that, the AntiVir popup came back with the same virus error message, so I re-booted and ran the HijackThis report. At the moment, the AntiVir popup hasn't come up, so perhaps it's gone now, but I would be grateful if you could just check my log to make sure. The PC is running slowly but otherwise seems to be stable now.
Thanks in advance for your help.


Logfile of HijackThis v1.99.1
Scan saved at 15:40:22, on 30/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Winamp\Winampa.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.com/
N4 - Mozilla: user_pref("browser.startup.homepage", "http://www.ebay.com/"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\zvf5e0m3.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CNetscape_UK.src"); (C:\Documents and Settings\John\Application Data\Mozilla\Profiles\default\zvf5e0m3.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Transponder] C:\WINDOWS\system32\susp.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133267934637
O16 - DPF: {77DD44BF-551D-4E3C-82CD-D637D5018D3C} - http://www.surveys.c.....AST SETUP.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 09:08:53, 30/05/2006
+ Report-Checksum: C24FBC48

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e52dedbb-d168-4bdb-b229-c48160800e81} -> Hijacker.Generic : Cleaned with backup
HKU\S-1-5-21-1085031214-854245398-1060284298-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E52DEDBB-D168-4BDB-B229-C48160800E81} -> Hijacker.Generic : Cleaned with backup
:mozilla.7:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.8:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.9:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.12:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned with backup
:mozilla.19:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned with backup
:mozilla.25:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.28:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.38:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\John\Application Data\Netscape\NSB\Profiles\n6n9rga1.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\WINDOWS\system32\csqschgb.rdj -> Hijacker.Small.js : Cleaned with backup
C:\WINDOWS\system32\idnvbwmu.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\pntunaqm.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\taskdir.dll -> Proxy.Lager.aq : Cleaned with backup
C:\WINDOWS\system32\vdwtybbp.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\system32\winapi32.dll -> Downloader.VB.aan : Cleaned with backup
Trendmicro

(MS05-004) ASP.NET Path Validation Vulnerability (887219)

Vulnerability Identifier: CAN-2004-0847
Discovery Date: Feb 8, 2005
Risk: Important
Vulnerability Assessment Pattern File: 023
Affected Software:
• Microsoft .NET Framework 1.0
• Microsoft .NET Framework 1.1

Trojan Hunter

Removed registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskdir

Terminated trojan process 3712 (C:\WINDOWS\system32\taskdir.exe)

Unable to clean trojan file C:\Documents and Settings\John\.jpi_cache\jar\1.0\Counters.jar-2fd117b0-3104b780.zip/web.exe because it is contained in an archive
Unable to clean trojan file C:\Documents and Settings\John\.jpi_cache\jar\1.0\Counters.jar-2fd117b0-3104b780.zip/web.exe/FTqah.exe because it is contained in an archive
Renamed file C:\WINDOWS\system32\taskdir.exe to C:\WINDOWS\system32\taskdir.exe.tcf
Trojan cleaning finished.