Geeks to Go forum

Trojan Horse SHeur.BVZH etc


#1 john.storer (New Member, 1 post)
AVG keeps highlighting that I have a trojan horse named SHeur.BVZH or, sometimes, SHeur.BVVWR.

I have a 2nd hard drive - the F: drive - used purely for backup, and a programme called fapoujiqu.exe keeps appearing in it .... it keeps being highlighted by AVG. Ever since it appeared, I am unable to access the F: drive.

I have downloaded and carried out all the recommended scans.

The ActiveScan log reads:


;*******************************************************************************
ANALYSIS: 2008-07-12 21:49:19
PROTECTIONS: 1
MALWARE: 34
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@trafficmp[2].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@doubleclick[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@atdmt[1].txt
00139535 Application/Processor HackTools No 0 Yes No C:\Downloads\SmitfraudFix\Process.exe
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@tradedoubler[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@fastclick[2].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@mediaplex[1].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][1].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@com[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@azjmp[2].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@burstnet[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@serving-sys[2].txt
00168095 Cookie/888 TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@888[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@adtech[1].txt
00168113 Cookie/fe.lea.lycos TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][3].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@overture[2].txt
00172483 Cookie/888 TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][3].txt
00172484 Cookie/Cassava TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@bluestreak[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@adultfriendfinder[1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\alice@go[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No F:\Documents and Settings\Alice\Cookies\[email protected][1].txt
00509861 Hacktool/AngryScan HackTools No 1 Yes No F:\System Volume Information\_restore{EB116437-8D5C-4F81-9811-311A0AC3C240}\RP489\A0271921.exe
02197130 Trj/Rebooter.J Virus/Trojan No 1 Yes Yes C:\Downloads\SmitfraudFix\Reboot.exe
02967920 Trj/Downloader.MDW Virus/Trojan No 0 Yes Yes F:\System Volume Information\_restore{EB116437-8D5C-4F81-9811-311A0AC3C240}\RP489\A0271914.exe
;===============================================================================
SUSPECTS
Sent Location J
;===============================================================================
No F:\System Volume Information\_restore{EB116437-8D5C-4F81-9811-311A0AC3C240}\RP489\A0271884.exe J
;===============================================================================
VULNERABILITIES
Id Severity Description J
;===============================================================================
;===============================================================================


The Hijackthis logs are as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:51:04, on 12/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Downloads\Virus Repair Package\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [hubideb] C:\WINDOWS\system32\quoujagoupe.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe" -s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1211884024296
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AOL Connectivity Service (siatkwaaaoiko) - Unknown owner - C:\WINDOWS\system32\refoupojouf.exe (file missing)

--
End of file - 8406 bytes

The "uninstall" list reads as follows:

Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Audacity 1.2.4
AVG Free 8.0
Belkin Bluetooth Software
Bonjour
CCleaner (remove only)
CSI-Dark Motives
FinalBurner Free v1.30.0.127
Google Gmail Notifier
GreatFamily 2.2.2
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Business Inkjet 1000 Series
iTunes
Java™ 6 Update 6
LimeWire 4.18.2
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.15)
MSN
MSXML 4.0 SP2 (KB936181)
neroxml
NVIDIA Drivers
NVIDIA ForceWare Network Access Manager
NVIDIA Windows 2000/XP Display Drivers
Panda ActiveScan 2.0
QuickTime
Realtek AC'97 Audio
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Office 2007 (KB934062)
Security Update for the 2007 Microsoft Office System (KB936960)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
SUPERAntiSpyware Free Edition
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Office 2007 (KB946691)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
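The two entries in the HijackThis log above that a helper would normally single out are the O4 Run entry `[hubideb] C:\WINDOWS\system32\quoujagoupe.exe` and the O23 service `AOL Connectivity Service (siatkwaaaoiko)` with an unknown owner and a missing file in system32. The script below is an added example, not code from the poster or from Geeks to Go: it parses O4 and O23 lines and applies three triage heuristics (file missing, unknown-owner service under system32, and a random-looking lowercase executable name under system32 that is not on a small allowlist). The allowlist, the rule names and the "seven or more lowercase letters" gibberish test are assumptions chosen for this example; the sample log lines are copied from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: five entries copied from the HijackThis log posted
# above (two O4 Run entries and one O23 service the helpers would ask about,
# plus benign AVG, ctfmon and NVIDIA entries as controls).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [hubideb] C:\WINDOWS\system32\quoujagoupe.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: AOL Connectivity Service (siatkwaaaoiko) - Unknown owner - C:\WINDOWS\system32\refoupojouf.exe (file missing)
"""

# Assumed allowlist of Windows XP binaries that legitimately autostart from
# system32; a real triage would verify Authenticode signatures instead.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "nvsvc32.exe", "alg.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<svc>[^)]+)\))? - "
    r"(?P<vendor>.+?) - (?P<path>.+)$"
)
EXE_RE = re.compile(r"([A-Za-z]:\\.+?\.exe)", re.IGNORECASE)
# Assumed heuristic for the pronounceable-gibberish names seen in the posted
# log: seven or more lowercase letters, no digits, no vendor prefix.
RANDOM_NAME_RE = re.compile(r"^[a-z]{7,}\.exe$")


@dataclass
class Finding:
    line: str
    rule: str
    exe: str


def _exe_path(fragment: str) -> str:
    """Pull the first drive-rooted .exe path out of a command line or service path."""
    m = EXE_RE.search(fragment)
    return m.group(1) if m else ""


def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def triage_line(line: str) -> List[Finding]:
    """Apply the three heuristics to one HijackThis O4 or O23 line."""
    findings: List[Finding] = []
    line = line.strip()
    vendor: Optional[str] = None
    m = O4_RE.match(line)
    if m:
        exe = _exe_path(m.group("cmd"))
    else:
        m = O23_RE.match(line)
        if not m:
            return findings            # not an autorun/service line
        exe = _exe_path(m.group("path"))
        vendor = m.group("vendor")
    if not exe:
        return findings                # e.g. rundll32 loading a .dll
    base = exe.rsplit("\\", 1)[-1].lower()
    if "(file missing)" in line.lower():
        findings.append(Finding(line, "file_missing", exe))
    if vendor == "Unknown owner" and _in_system32(exe):
        findings.append(Finding(line, "unknown_owner_system32", exe))
    if _in_system32(exe) and base not in KNOWN_SYSTEM32 and RANDOM_NAME_RE.match(base):
        findings.append(Finding(line, "unfamiliar_system32_autorun", exe))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole pasted log."""
    out: List[Finding] = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


def flagged_basenames(log_text: str) -> set:
    """Executable file names that tripped at least one rule."""
    return {f.exe.rsplit("\\", 1)[-1].lower() for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.exe}")
```

Run against the sample, only quoujagoupe.exe and refoupojouf.exe are reported; the AVG, ctfmon and NVIDIA entries pass. The heuristics are deliberately narrow and are a prompt for what to ask the poster about, not a verdict: an unfamiliar name under system32 should be followed up by checking the file's signature and submitting it to a scanner, and a "(file missing)" service is still worth removing because the registry entry will try to start the binary again if it is recreated.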