Trojans and Downloaders are taking over my laptop!

#1
Anika
New Member, 5 posts

Hello everyone,
I've been having problems with trojans and downloaders lately, and now they seem to be taking over my PC.
It all started like this: the connection to the Internet suddenly stopped, then I noticed that Stop Dialer had been turned off. I tried to start the program again before reconnecting, but it kept turning off.
After I reconnected to the net a window appeared, asking whether I wanted to install [bleep] Downloader. I pressed Ctrl-Alt-Del and stopped the corresponding Internet browser, and the window disappeared.
After that I noticed a small square (light green) with a green D on it in the tray, in the right corner.
Until now, whenever there was a threat (indicated by AVG) but not a virus, I would restore the system to a previous point and everything would be fine.
I did a system restore this time too, and for a while everything was OK; then one night I heard the noise of the computer trying to connect to the Internet (like the old 56k modems did), and then a recorded voice (from the phone company), which said "the user is not enabled for this kind of call". Luckily enough, my phone plan blocks access to certain phone numbers.
I was worried, because I was working on the PC and I didn't like it doing things on its own :-(
Another system restore, another short period of peace, then I found a link on the desktop to a certain "Instant Access". I right-clicked on it and looked at the properties, and saw it linked to a program in the Temp files. The link had appeared while I was working on the PC.
Of course, another system restore... and I started to look for advice on the Internet.
I found your site and followed the advice for what to do before posting.
Here are the results:

1. ATF Cleaner - done
2. Creating a new restore point, flushing all old ones: done
3. AVG Anti-Spyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 01:03:08 02.04.2007

+ Scan result:

C:\Documents and Settings\dor\Documenti\MY docs\Documenti\Musica\killer-mini-sites.exe -> Adware.eNSHandle : Cleaned with backup (quarantined).
C:\Documents and Settings\dor\Desktop\Niche Report\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\Programmi\Instant Buzz\IBBar.dll -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\Programmi\Instant Buzz\IBDaemon.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\Programmi\Instant Buzz\IBMH.dll -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\Programmi\Instant Buzz\IBSetup.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\Programmi\SetupInstantBuzz.exe -> Adware.InstantBuzz : Cleaned with backup (quarantined).
C:\WINDOWS\system32\OLD70.tmp -> Trojan.Obfuscated.dr : Cleaned with backup (quarantined).
::Report end

InstantBuzz is a bar that I installed: they serve ads on the bar and in exchange my ads are shown on other people's bars. I thought it wasn't anything dangerous.

I have also performed the Ewido online scan, and each time I run it I get a message from AVG antivirus that there is a trojan downloader in C:\:eND.exe; when I tell it to heal or destroy it, it answers "Access denied".
But when I look under C:\ etc. I don't find the file (even though I can see all the system files).
4. Super Anti Spyware - done. Here is the log:
SUPERAntiSpyware Scan Log
Generated 03/28/2007 at 01:40 AM

Application Version : 3.6.1000

Core Rules Database Version : 0
Trace Rules Database Version: 1217

Scan type : Quick Scan
Total Scan Time : 00:17:13

Memory items scanned : 468
Memory threats detected : 0
Registry items scanned : 898
Registry threats detected : 5
File items scanned : 7028
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\dor\Cookies\dor@doubleclick[1].txt
C:\Documents and Settings\dor\Cookies\dor@tribalfusion[1].txt
C:\Documents and Settings\dor\Cookies\dor@cgi-bin[1].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

5. Panda antivirus: done. Here is the log:

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Adware:Adware/Alexa-Toolbar Not disinfected C:\Documents and Settings\dor\Desktop\Niche Report\taskplussetup.exe
Adware:Adware/Aureate-Radiate Not disinfected C:\Documents and Settings\dor\Desktop\PLR\turnkey2.zip[turnkey_part_2/Wholesale_Site.zip][Wholesale_Site/downloads/profitsoftware.zip][profitsoftware/ADWIZARD.exe][advert.dll]
Adware:Adware/Aureate-Radiate Not disinfected C:\Documents and Settings\dor\Desktop\PLR\turnkey3.zip[turnkey_part_3/creditsite.zip][creditsite/downloads/profitsoftware.zip][profitsoftware/ADWIZARD.exe][advert.dll]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\dor\Documenti\SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\RESTORE.INS[C:/OEMCUST/TOOLS/WIN32/PSKILL.EXE]
Potentially unwanted tool:Application/Pskill.A

I have deleted the files containing the Alexa toolbar and profitsoftware, but I don't know what pskill.exe might be.

6. AVG antivirus: done
It says there are no infected files on my PC; it only says that C:\windows\system32\kernel32.dll and C:\windows\system32\shell32.dll were modified.
I looked at the properties of these files and the last modification was in 2004, so maybe it has nothing to do with it.

By the way, each time I found the downloader before, I would perform an AVG scan (but I don't know how to save the log) and it found all kinds of .exe files under C:\System Volume Information\restore (numbers).

7. HijackThis
Logfile of HijackThis v1.99.1
Scan saved at 01:26:57, on 05.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\Programmi\Norton AntiVirus\navapsvc.exe
C:\Programmi\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\slserv.exe
C:\Programmi\Virtual CD v4 SDK\system\vcssecs.exe
C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
C:\Programmi\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\StopDialers\StopDialer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programmi\Grisoft\AVG7\bak\avgcc.exe
C:\Programmi\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe
C:\Documents and Settings\dor\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Programmi/Surf%20Starter%20Pro/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programmi\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programmi\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programmi\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Programmi\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programmi\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programmi\File comuni\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programmi\File comuni\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Programmi\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmi\File comuni\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programmi\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Uniblue Registry Booster] C:\Programmi\Uniblue\Registry Booster\RegistryBooster.exe /S
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O15 - Trusted Zone: secure.ingdirect.it
O15 - Trusted Zone: www.ingdirect.it
O15 - Trusted Zone: http://www.sitesell.com
O15 - Trusted Zone: http://Download.Windowsupdate.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {3D8C5C3D-35A0-43F7-8813-36902A92766D} (SoftLinkUpdate Class) - https://sol.softitle...ds/SoftLink.exe
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.my-etrust...er/pestscan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safe...wlscbase969.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128874426325
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {A86FEA6F-95C0-4190-A622-C5C02739CBE3} (WebTransfer Control) - https://sol.softitle...ds/WebTranU.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.co.../AttachMail.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.co...GameManager.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...635/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2B1639-7992-4FA6-A71B-62418C74196F}: NameServer = 85.37.17.5 85.38.28.77
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programmi\File comuni\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Programmi\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmi\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Programmi\Norton Internet Security\ccPxySvc.exe
O23 - Service: Servizio Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Programmi\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Programmi\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FILECO~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programmi\File comuni\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Virtual CD v4 Security service (SDK - Version) (VCSSecS) - H+H Software GmbH - C:\Programmi\Virtual CD v4 SDK\system\vcssecs.exe

As my laptop heats up a lot, it took some days to perform all the scans.
Before performing the last one (the AVG scan, which didn't find anything), the computer started to behave strangely again.
When I was on the Internet, a window appeared telling me the connection was interrupted (it was the first time a window warned me about that; the other times the connection would just be interrupted).
I pressed Ctrl-Alt-Del, couldn't see anything suspect, so I assumed it was legitimate. As it wouldn't go away, I clicked on the X.
Then I restarted Stop Dialer (which had shut down) and reconnected to the Internet (making sure Stop Dialer showed the ADSL connection I use).
Then I rediscovered the infamous green square and a link to Instant Access.
I ran CCleaner (I use it frequently), then I had to go out and turned off the PC.
When I started the PC again, AVG antivirus, Norton Antivirus, Super Anti Spyware and Stop Dialer were not there. In the end I went to the Programs folder and started AVG, which told me the computer is clean.
I also opened Norton and saw that Internet Security was deactivated; I clicked Activate many times but it wouldn't activate.
I know I'm not supposed to have 2 antivirus programs. Norton came with the computer; I like the fact that it lets me know when a program tries to connect to the Internet (I have caught some naughty things this way). I didn't renew the subscription, but I kept it. (I'm a little bit angry with Norton, as it let me open some files and only afterwards told me they were infected.) Then I installed AVG and we've been very happy together... until now (I never had any problems with both Norton and AVG running).
By the way, AVG can't update now.
The conclusion is that in the last few hours these "things", whatever they are, decided which programs don't start at startup anymore, and I started to be a little afraid. I hope to be able to turn on the PC tomorrow morning.
By the way, it's a Packard Bell laptop; I also have SP2 (I didn't download all the updates, for instance those for Windows Media Player, which I don't use).

Sorry for "talking" so much; I don't know which clues are useful and which aren't.
What can it be and what can I do?
Please help a desperate computer mommy
Thank you very much,
Anika
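What a helper on a thread like this checks first in a HijackThis log, written up as an added example in Python (this is not code from the poster or from Geeks to Go): a small triage script that walks the log and surfaces the entry types worth a second look. It flags O4 autoruns that launch from a Temp or user-profile folder or that carry no full path, O15 Trusted Zone sites, O16 downloaded ActiveX controls, O17 name servers, O23 services with an empty publisher field, and R0/R1 page settings that are not http(s) URLs. The sample lines are copied from the HijackThis log above, except the `[Instant Access]` O4 entry, which is constructed to stand in for the desktop shortcut into the Temp folder the poster describes; its path is hypothetical.

```python
"""Triage a HijackThis log: surface the entries a helper would look at first.

Added example, not code from the post or from the Geeks to Go helpers.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str   # "suspect" or "review"
    kind: str       # HijackThis section code (R0, O4, O15, O16, O17, O23)
    reason: str
    line: str


# Lines copied from the post's HijackThis log, except the "[Instant Access]" O4
# entry, which is CONSTRUCTED (hypothetical path) to model the Temp-folder
# shortcut the poster describes.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Programmi/Surf%20Starter%20Pro/index.htm
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Instant Access] C:\DOCUME~1\dor\IMPOST~1\Temp\ia.exe
O4 - Startup: Stop Dialers.lnk = C:\Programmi\StopDialers\StopDialer.exe
O15 - Trusted Zone: http://www.sitesell.com
O16 - DPF: {3D8C5C3D-35A0-43F7-8813-36902A92766D} (SoftLinkUpdate Class) - https://sol.softitle...ds/SoftLink.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D2B1639-7992-4FA6-A71B-62418C74196F}: NameServer = 85.37.17.5 85.38.28.77
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Locations a legitimate autorun rarely lives in, but droppers often do.
USER_WRITABLE = re.compile(
    r"\\temp\\|\\tmp\\|%temp%|\\local settings\\|\\docume~1\\|\\documents and settings\\",
    re.IGNORECASE,
)
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A quoted program path, or an unquoted one up to its extension (arguments follow).
EXE_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|com|scr|bat|cmd|pif|vbs|js))(?=\s|$)', re.IGNORECASE)
O16_RE = re.compile(r"^O16 - DPF: (\{[^}]+\})(?: \(([^)]*)\))? - (\S+)$")
O17_RE = re.compile(r"NameServer = (.+)$")
# "name -  - C:\path": a service line whose publisher field is empty.
NO_VENDOR_RE = re.compile(r"\s-\s+-\s[A-Za-z]:\\")


def executable_of(cmd: str) -> str:
    """Return the program a Run/Startup command launches, without its arguments."""
    m = EXE_RE.search(cmd)
    return (m.group(1) or m.group(2)).strip() if m else cmd.strip()


def triage(log_text: str) -> list[Finding]:
    """Return the entries worth checking, 'suspect' ones first."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]
        if kind in ("R0", "R1") and ("Page" in line or "Search" in line):
            value = line.split(" = ", 1)[-1]
            if not value.lower().startswith(("http://", "https://", "about:")):
                findings.append(Finding("review", kind, f"page/search setting is not an http(s) URL: {value}", line))
        elif kind == "O4":
            if line.startswith(("O4 - Startup:", "O4 - Global Startup:")):
                cmd = line.split(" = ", 1)[-1]      # "Name.lnk = C:\path\prog.exe"
            else:
                m = O4_RE.match(line)
                if not m:
                    continue
                cmd = m.group("cmd")
            exe = executable_of(cmd)
            if USER_WRITABLE.search(exe):
                findings.append(Finding("suspect", kind, f"autorun launches from a temp/user-writable location: {exe}", line))
            elif not re.match(r"^[A-Za-z]:\\", exe) and not exe.startswith("%"):
                findings.append(Finding("review", kind, f"autorun has no full path; '{exe}' is resolved by search order", line))
        elif kind == "O15":
            site = line.split(": ", 1)[-1]
            findings.append(Finding("review", kind, f"site in the IE Trusted zone (relaxed ActiveX/script settings): {site}", line))
        elif kind == "O16":
            m = O16_RE.match(line)
            if m:
                url = m.group(3)
                note = " (delivered as an .exe, not a .cab)" if url.lower().endswith(".exe") else ""
                findings.append(Finding("review", kind, f"ActiveX control installed from {url}{note}", line))
        elif kind == "O17":
            m = O17_RE.search(line)
            if m:
                findings.append(Finding("review", kind, f"DNS servers {m.group(1)} set in the registry; confirm they are the ISP's", line))
        elif kind == "O23" and NO_VENDOR_RE.search(line):
            findings.append(Finding("review", kind, "service with no publisher string", line))
    findings.sort(key=lambda f: (f.severity != "suspect", f.kind))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.reason}")
```

The script is a prompt list, not a verdict: on the log above it would put only the constructed Temp-folder autorun under "suspect", while the OEM start page, the bare `SOUNDMAN.EXE` entry, the trusted sites, the SoftLink control, the name servers and the unsigned SmartLink service all land under "review" for the helper to confirm against what the machine shipped with and who the ISP is. Paste a full log into `SAMPLE_LOG` or read it from a file to run it on a real case.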