Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Have Trojans, can't Remove, HiJack This log [RESOLVED]


  • This topic is locked This topic is locked

#1
mandyp

mandyp

    New Member

  • Member
  • Pip
  • 9 posts
I keep getting an AVG alert on Trojans, however when I do a full scan AVG doesn't find anything. I've scanned with Search & Destroy/AdawareSE and used CCleaner, nothing found. I did an online Kapersky scan, here's the log:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Tuesday, August 02, 2005 20:17:23
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/08/2005
Kaspersky Anti-Virus database records: 133452
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: false

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 51032
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 2438 sec

Infected Object Name - Virus Name
C:\WINDOWS\explorer.scf:aioup:$DATA Infected: Trojan-Downloader.Win32.Agent.jb
C:\WINDOWS\explorer.scf:hlzxh:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\ieov32.exe:kbrnl:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\LGICC.DLL:hpjsw:$DATA Infected: Backdoor.Win32.Small.dc
C:\WINDOWS\msdfmap.ini:pczgza:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\notepad.exe:ejnqn:$DATA Infected: Trojan-Downloader.Win32.Agent.jb
C:\WINDOWS\ODBCINST.INI:pkraj:$DATA Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\.pif Infected: Trojan-Downloader.BAT.Ftp.z
C:\WINDOWS\uninNMP.exe:dpmpb:$DATA Infected: Trojan-Downloader.Win32.Agent.jb
C:\WINDOWS\uninNMP.exe:zfskc:$DATA Infected: Trojan-Downloader.Win32.Agent.jb
C:\WINDOWS\vbaddin.ini:gjpay:$DATA Infected: Trojan-Downloader.Win32.Agent.bq

Scan process completed.

Here's my Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 21:37:57, on 02/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C8CE634-736D-4EFA-A44E-42EF3C0F5833}: NameServer = 80.225.249.178 80.225.255.58
O17 - HKLM\System\CS1\Services\Tcpip\..\{1C8CE634-736D-4EFA-A44E-42EF3C0F5833}: NameServer = 80.225.249.178 80.225.255.58
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I've ran AVG/Adaware and Search and Destroy off, but still nothing. Can anyone help with getting rid of the Trojans. Any help gratefully received. Oh, have also ran CWS Shredder.

Thanks in advance!

Mandy
  • 0

Advertisements


#2
mandyp

mandyp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry don't intend to 'bump' this, but thought I'd better update on what I've now done. I've ran all of the following:

Panda online scan
TrojanScan
AboutBuster
Mwav.exe

When I ran Mwav.exe these entries are a bit of a worry, but I've no idea how to fix it:

Tue Aug 02 23:23:14 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Tue Aug 02 23:23:22 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Tue Aug 02 23:24:39 2005 => File C:\WINDOWS\system32\.pif infected by "Trojan-Downloader.BAT.Ftp.z" Virus! Action Taken: No Action Taken.

I'm trying to sort this out but am now totally stumped. Any help gratefully received and sorry for what appears to be 'bumping'....just wanted to keep my post up to date before I went to bed!

Forgot to say, I can't stay online for too long at a time, it seems to be hanging a lot.

Edited by mandyp, 02 August 2005 - 04:46 PM.

  • 0

#3
mandyp

mandyp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Just to update I've ran Ewido, here's the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 20:33:05, 03/08/2005
+ Report-Checksum: F4DD847C

+ Scan result:

C:\WINDOWS\ieov32.exe:kbrnl -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\LGICC.DLL:hpjsw -> Backdoor.Small.dc : Cleaned without backup
C:\WINDOWS\msdfmap.ini:pczgza -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\notepad.exe:ejnqn -> TrojanDownloader.Agent.jb : Cleaned without backup
C:\WINDOWS\ODBCINST.INI:pkraj -> TrojanDownloader.Agent.bq : Cleaned without backup
C:\WINDOWS\system32\TFTP3020 -> Heuristic.Win32.Morphine-Crypted : Cleaned without backup
C:\WINDOWS\uninNMP.exe:dpmpb -> TrojanDownloader.Agent.jb : Cleaned without backup
C:\WINDOWS\uninNMP.exe:zfskc -> TrojanDownloader.Agent.jb : Cleaned without backup
C:\WINDOWS\vbaddin.ini:gjpay -> TrojanDownloader.Agent.bq : Cleaned without backup


::Report End

Also ran Housecall and got rid of some other stuff, here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 20:46:07, on 03/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I've tried and tried to 'fix' this one:
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
It just won't go, not sure it's too much of a problem since I use Firefox (unless a site really won't display). I'll continue to google for this one, but in the meantime if someone can check the rest of my log to make sure it's clean I'd be very grateful.
  • 0

#4
mandyp

mandyp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Okay, I now, finally think it's clean...against my better judgement, I thought I'd have a look in the registry and see if I could find .frame.crazywinnings.com and there it was, so I deleted it, rebooted and here's my new HJT log...which is hopefully clean:

Logfile of HijackThis v1.99.1
Scan saved at 21:04:20, on 03/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~2\avgemc.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~2\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
You will have to re-install SpywareGuard. The BHO it uses got removed but is still stuck in the registry.

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)

The rest of the log looks good.

Regards,
  • 0

#6
mandyp

mandyp

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Great, Thanks for checking....I'll reinstall Spyguard!
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,672 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP