Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

DR/RAR.Qhost.E and TR/ATRAPS.Gen Trojan

Started by Quickwalrus , Jun 19 2009 04:39 PM

  • Please log in to reply

#1
Quickwalrus
Posted 19 June 2009 - 04:39 PM

Quickwalrus

    New Member

  • Member
  • Pip
  • 1 posts
Hello, I recently felt my pc running sluggish and just got the feeling that something was not right. So I ran Avira and this is what was presented to me after the scan.

Avira AntiVir Personal
Report file date: Friday, June 19, 2009 16:14

Scanning for 1476013 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows Vista 64 Bit
Windows version : (plain) [6.1.7100]
Boot mode : Normally booted
Username : SYSTEM
Computer name : TRISTAN-PC

Version information:
BUILD.DAT : 9.0.0.403 17961 Bytes 6/3/2009 17:05:00
AVSCAN.EXE : 9.0.3.6 466689 Bytes 6/9/2009 20:23:23
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.4.87 2982912 Bytes 6/12/2009 20:37:04
ANTIVIR3.VDF : 7.1.4.112 181760 Bytes 6/18/2009 20:29:11
Engineversion : 8.2.0.191
AEVDF.DLL : 8.1.1.1 106868 Bytes 5/25/2009 19:45:42
AESCRIPT.DLL : 8.1.2.9 409978 Bytes 6/17/2009 20:29:12
AESCN.DLL : 8.1.2.3 127347 Bytes 5/25/2009 19:45:41
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.18 401783 Bytes 5/27/2009 19:45:01
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 6/17/2009 20:29:11
AEHEUR.DLL : 8.1.0.133 1798520 Bytes 6/17/2009 20:29:11
AEHELP.DLL : 8.1.3.6 205174 Bytes 6/11/2009 20:16:00
AEGEN.DLL : 8.1.1.45 348532 Bytes 6/9/2009 20:23:23
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.12 180599 Bytes 5/27/2009 19:45:00
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 20:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 6/9/2009 20:23:23
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 15:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files (x86)\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, F:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, June 19, 2009 16:14

Starting search for hidden objects.
The driver could not be initialized.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'pidgin.exe' - '1' Module(s) have been scanned
Scan process 'RivaTuner.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'WUDFHost.exe' - '0' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'WmiPrvSE.exe' - '0' Module(s) have been scanned
Scan process 'KHALMNPR.exe' - '0' Module(s) have been scanned
Scan process 'SetPoint32.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'SetPoint.exe' - '0' Module(s) have been scanned
Scan process 'RocketDock.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '0' Module(s) have been scanned
Scan process 'dwm.exe' - '0' Module(s) have been scanned
Scan process 'nvSCPAPISvr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'taskhost.exe' - '0' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'nvvsvc.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '0' Module(s) have been scanned
Scan process 'winlogon.exe' - '0' Module(s) have been scanned
Scan process 'lsm.exe' - '0' Module(s) have been scanned
Scan process 'lsass.exe' - '0' Module(s) have been scanned
Scan process 'services.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'wininit.exe' - '0' Module(s) have been scanned
Scan process 'csrss.exe' - '0' Module(s) have been scanned
Scan process 'smss.exe' - '0' Module(s) have been scanned
15 processes with 15 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
Master boot sector HD2
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'F:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '20' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\WinRAR\Zip.SFX
[DETECTION] Contains recognition pattern of the DR/RAR.Qhost.E dropper
C:\Program Files (x86)\Avira\AntiVir Desktop\avnotify.exe
[WARNING] The file could not be opened!
C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\kql0386c.default\Cache\171D70E2d01
[0] Archive type: RAR SFX (self extracting)
--> Zip.SFX
[DETECTION] Contains recognition pattern of the DR/RAR.Qhost.E dropper
Begin scan in 'F:\' <Maxtor>
F:\System Volume Information\_restore{C97B413B-D8C9-41FD-9201-D8BB3E99EBA8}\RP45\A0024251.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan

Beginning disinfection:
C:\Program Files\WinRAR\Zip.SFX
[DETECTION] Contains recognition pattern of the DR/RAR.Qhost.E dropper
[NOTE] The file was moved to '4aac071c.qua'!
C:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\kql0386c.default\Cache\171D70E2d01
[NOTE] The file was moved to '4a6d06ea.qua'!
F:\System Volume Information\_restore{C97B413B-D8C9-41FD-9201-D8BB3E99EBA8}\RP45\A0024251.exe
[DETECTION] Is the TR/ATRAPS.Gen Trojan
[NOTE] The file was moved to '4a6c06e3.qua'!


End of the scan: Friday, June 19, 2009 17:44
Used time: 29:20 Minute(s)

The scan has been done completely.

21443 Scanned directories
260159 Files were scanned
3 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
3 Files were moved to quarantine
0 Files were renamed
3 Files cannot be scanned
260153 Files not concerned
1671 Archives were scanned
3 Warnings
5 Notes

After deleting the infected files I ran HijackThis and found this log to be a little funny. It will not let me remove any of the system files with the "@" in front of them with the files missing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:37:11 PM, on 6/19/2009
Platform: Unknown Windows (WinNT 6.01.3004)
MSIE: Internet Explorer v8.00 (8.00.7100.0000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\RocketDock\RocketDock.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\RivaTuner v2.24\RivaTuner.exe
C:\Program Files (x86)\Mozilla Firefox 3.5 Beta 4\firefox.exe
C:\program files (x86)\avira\antivir desktop\avcenter.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files (x86)\RocketDock\RocketDock.exe"
O4 - Global Startup: Logitech SetPoint.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{89149C69-2E69-41C8-A1B2-463DE4573CDF}: NameServer = 68.9.16.30,68.9.16.25
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE0C1CCD-B33E-4F95-B707-ECC45AD41F31}: NameServer = 68.9.16.30,68.9.16.25
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Windows\SysWOW64\nvSCPAPISvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 3937 bytes


I have ran a malware bytes scan and it found nothing as well as another avira scan which turned up nothing as well. Does it appear that my pc is now clean from the trojans or is there any other steps I can take. Also any info on the Hijackthis log would be great.

Thanks in advance.
  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP