Malware Removal: discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general security issues. If you suspect your PC is infected with a virus, trojan or spyware app, please include any supporting documentation or logs.
#1
Trojan.Dialer.Premium and Trojan.Downloader.Agent.XXX
I've gotten a virus or spyware recently which BitDefender 9 detects and tries to move to quarantine, and sometimes succeeds or fails. But even if it does manage to move it, the files are right back. When I try to manually delete them (right-click and then delete) it says the files do not "exist". Ad-Aware simply gets stuck when it tries to scan the folder with the infected files in it. Deleting them in Safe Mode works, but as soon as I reconnect to the internet the files and BitDefender's error messages are back within a few minutes.
I should also add that under my connections screen there is a new connection which it attempts to dial with, called "Enter", and it dials the number "5". Anyway, I found this site by typing the files' names in Google and finding a topic with a person who seems to have the same problem. Here's my log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 15:12:37, on 29-8-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Utulities\BitDefender9\vsserv.exe
C:\Utulities\BitDefender9\bdmcon.exe
C:\Utulities\BitDefender9\bdnagent.exe
C:\Utulities\BitDefender9\bdswitch.exe
C:\Utulities\BitDefender9\bdlite.exe
C:\WINDOWS\TEMP\idd4.tmp.exe
C:\Utulities\BitDefender9\bdlite.exe
C:\Utulities\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bitdefender.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Utulities\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Utulities\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Utulities\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Utulities\BitDefender9\bdswitch.exe"
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\UTULIT~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utulities\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utulities\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{766CA2CE-7A55-4116-A222-80000A8D2C2D}: NameServer = 194.134.5.5 194.134.0.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Utulities\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Last edited by Xa4; August 29th, 2006 at 02:27 PM.
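Editor's added example (not part of the post, and not HijackThis's own logic): a small Python triage of a HijackThis v1.99 log. It parses the one-entry-per-line format, then applies three rules that are my own assumptions rather than anything the thread states: an executable running from a Temp folder is suspect; an O20 Winlogon Notify package whose name is not one of the Windows XP SP2 defaults is suspect; an O17 NameServer entry is flagged for you to confirm the addresses are your ISP's. Entries marked "(file missing)" are downgraded to informational when the same executable appears in the running-process list, because the log above itself shows vsserv.exe both running and "missing" under O23. The sample log is excerpted from the log posted above.

```python
"""Triage a HijackThis v1.99 log for the entries worth a second look.

Added example, not part of the original thread and not HijackThis code.
The allowlist and the rules are the editor's assumptions.
"""
import re
from dataclasses import dataclass

# Excerpted from the HijackThis log in the post above, one entry per line as
# HijackThis writes it (the forum extraction had run them together).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 15:12:37, on 29-8-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Utulities\BitDefender9\vsserv.exe
C:\WINDOWS\TEMP\idd4.tmp.exe
C:\Utulities\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [BDMCon] "C:\Utulities\BitDefender9\bdmcon.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{766CA2CE-7A55-4116-A222-80000A8D2C2D}: NameServer = 194.134.5.5 194.134.0.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Utulities\BitDefender9\vsserv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")          # e.g. "O20 - Winlogon Notify: ..."
TEMP_EXE_RE = re.compile(r"\\temp\\[^\\]+\.exe", re.I)  # any .exe under a ...\Temp\ folder

# Assumption: the Winlogon\Notify packages present on a stock Windows XP SP2.
XP_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


@dataclass
class Finding:
    severity: str   # "suspect", "review" or "info"
    entry: str
    reason: str


def parse_hjt(text):
    """Split a HijackThis log into (running process paths, [(code, body), ...])."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(text):
    """Apply the editor's rules and return findings in log order."""
    processes, entries = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    findings = []
    for proc in processes:
        if TEMP_EXE_RE.search(proc):
            findings.append(Finding("suspect", proc, "executable running from a Temp folder"))
    for code, body in entries:
        low = body.lower()
        shown = f"{code} - {body}"
        if "(file missing)" in low:
            hit = next((n for n in running if n in low), None)
            if hit:   # the file is clearly present: the process is running
                findings.append(Finding("info", shown,
                                        f"reported missing but {hit} is running; likely a HijackThis display quirk"))
            else:
                findings.append(Finding("review", shown, "target file missing; stale entry, remove after cleanup"))
            continue
        if code == "O20" and body.startswith("Winlogon Notify:"):
            name = body.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() not in XP_WINLOGON_NOTIFY:
                findings.append(Finding("suspect", shown,
                                        f"non-default Winlogon notification package '{name}' loads into winlogon.exe"))
        elif code == "O17":
            findings.append(Finding("review", shown, "custom DNS servers; confirm they belong to your ISP"))
        elif code == "O4" and TEMP_EXE_RE.search(body):
            findings.append(Finding("suspect", shown, "autorun entry launching from a Temp folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.entry}\n          {f.reason}")
```

On the excerpt this reports two suspect items (the idd4.tmp.exe process and the winccf32 Winlogon Notify entry), three entries to review and one informational downgrade. The rules are deliberately narrow; a triage like this points at what to look up, it does not decide what is malware.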
#2
Hello and welcome to CTH,

Download the trial version of Ewido Security Suite from here and install it. After installation, double-click the icon on your Desktop to launch Ewido. On the top of the main screen click Shield. Then click the word "active" to change it to "inactive".

You will also need to update Ewido to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido. Now close Ewido (don't scan just yet).

Reboot into Safe Mode. At startup tap F8 and select Safe Mode (see here). Make sure all windows are closed and run Ewido. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

Then reboot back to Normal Mode. Run a new scan with HijackThis and post that and the Ewido log back here please.
#3
Thanks for helping me.
Anyway, I've done all that and here are the logs. The HijackThis log:
Quote:
The Ewido log:
Quote:
#4
Go here and download ATF Cleaner. Click on the downloaded file to run it, select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

Disable your antivirus program and go here (http://www.bitdefender.com/scan8/ie.html) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX control has loaded, click on "Click here to scan" and grab a coffee. When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All, then copy/paste that log back here.

Post back and let us know what it found (post the log).
#5
Here's the log:

Though I must add that I could not use ATF Cleaner with Firefox because it showed up greyed out. So for Firefox I used Firefox's own "Clear private data" with everything selected.
Quote:
#6
Please run another Ewido scan and post the results. How is your system running now?
#7
I did another scan but it's still not gone.
Quote:
#8
Download Killbox from http://www.cybertechhelp.com/downloa...pocket-killbox, unzip the file to your Desktop and have it ready to use.

Run Killbox and select the files below (including filepath) with your mouse, right-click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right-click again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. You will get a message saying "File will be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot.

C:\WINDOWS\Temp\idd11E.tmp.exe
C:\WINDOWS\Temp\idd123.tmp.exe
C:\WINDOWS\Temp\idd125.tmp.exe
C:\WINDOWS\Temp\idd138.tmp.exe
C:\WINDOWS\Temp\idd13F.tmp.exe
C:\WINDOWS\Temp\idd140.tmp.exe
C:\WINDOWS\Temp\idd14C.tmp.exe
C:\WINDOWS\Temp\idd14E.tmp.exe
C:\WINDOWS\Temp\idd158.tmp.exe
C:\WINDOWS\Temp\idd161.tmp.exe
C:\WINDOWS\Temp\idd16F.tmp.exe
C:\WINDOWS\Temp\idd4.tmp.exe

Reboot and run Ewido to verify that they did delete.
#9
None of the files you named are still in that folder. In fact, I get the feeling those files keep making new versions or copies of themselves, because each time I emptied my Temp folder (I can delete the files in Safe Mode) new files with a slightly different name appear within a few minutes, even in Safe Mode.

Each time I check my Temp folder there are a few files more; I haven't deleted them today and my guess is there are between 100-200 files now with nearly the same name. At the moment I am typing this there is:

1 folder named "tmp00002541"
1 MS-DOS batch file named winA.tmp
100-200 win(letter or number).tmp files
3 idd(letter or number).tmp.exe files, which all try to dial every now and then, but I keep denying them internet access when BitDefender asks
5 win(letter or number).tmp.exe files

The names of the .exe files are: idd12E.tmp idd131.tmp idd142.tmp idd164.tmp win13F.tmp win120.tmp win130.tmp win137.tmp win157.tmp

Last edited by Xa4; August 31st, 2006 at 09:32 PM.
#10
Download SmitfraudFix.zip from here.

Unzip it to your Desktop and double-click on smitfraudfix.cmd. Choose Option 1 and hit Enter to generate a report about the infected files. Please save the log (it will save to C:\rapport.txt) and post it here.
#11
Here's the rapport:
Quote:
#12
Boot into Safe Mode (see here) and double-click on smitfraudfix.cmd again.

Choose Option 2 and hit Enter to delete the files responsible for the infection. Disk Cleanup will run.

Answer the question "Voulez-vous nettoyer le registre ? (Do you want to clean your registry?) o/n" with O (oui -> yes) and hit Enter.

The fix will stop if wininet.dll is infected. If so, answer the question "Corriger le fichier infecté ? (Do you want to fix the infected file?) o/n" with O (oui -> yes) and hit Enter.

A second report will be generated; please save it, then type q and hit Enter to exit the program.
#13
Here's the rapport.
Quote:
#14
Run Ewido again and post the log.
#15
Here's the Ewido log. It simply keeps coming back: files get created in the Windows\Temp folder even in Safe Mode. My guess is Ewido does remove the trojans but something keeps re-installing them. It happened after I opened an .exe (which I don't have anymore). My guess is that .exe installed something that keeps installing these files in the Temp folder. Is there any way I can find out what's creating them?
Quote:
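Editor's added example, not part of the thread and not something the poster ran: a Python watcher for the "files keep reappearing in Windows\Temp" symptom described above. It does not answer which process creates the files (on Windows XP that is a job for Sysinternals Filemon or Process Monitor, and Autoruns for the persistence entry that relaunches the dropper); what it does show is when each new file lands and whether the new names are byte-identical copies of each other, which is the test of the poster's guess that the files copy themselves. Snapshots hash every regular file, so a file that is deleted and re-created under the same name is caught as changed. The self-check builds a throwaway folder with constructed files that reuse names from the poster's list; the bytes in them are invented, not malware.

```python
"""Watch a folder for new or re-created files and group them by content hash.

Added example, not from the original thread. Attribution of the writer
process is out of scope; use Filemon / Process Monitor for that.
"""
import hashlib
import os
import shutil
import sys
import tempfile
import time
from collections import defaultdict


def sha256_file(path):
    """Hash a file in chunks so large temp files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(folder):
    """Map filename -> (size, sha256) for regular files in folder.

    Files that vanish or are locked between listdir() and open() are skipped;
    a dropper that deletes and re-creates files makes that a normal event.
    """
    snap = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        try:
            snap[name] = (os.path.getsize(path), sha256_file(path))
        except OSError:
            continue
    return snap


def new_or_changed(before, after):
    """Return {sha256: [names]} for files absent from `before` or with different bytes."""
    groups = defaultdict(list)
    for name, (size, digest) in after.items():
        if before.get(name) != (size, digest):
            groups[digest].append(name)
    return dict(groups)


def watch(folder, interval=5.0):
    """Poll `folder` forever, printing one line per distinct new payload."""
    before = snapshot(folder)
    print(f"watching {folder} ({len(before)} files at start)")
    while True:
        time.sleep(interval)
        after = snapshot(folder)
        for digest, names in new_or_changed(before, after).items():
            print(time.strftime("%H:%M:%S"), digest[:16], f"x{len(names)}", ", ".join(sorted(names)))
        before = after


def self_check():
    """Constructed demo: three new files, two of them identical copies."""
    folder = tempfile.mkdtemp(prefix="tempwatch-")
    try:
        before = snapshot(folder)                     # empty folder
        payload_a = b"MZ\x90\x00" + b"constructed payload A" * 40   # invented bytes, not malware
        payload_b = b"MZ\x90\x00" + b"constructed payload B" * 40
        # Names reuse the pattern the poster listed; contents are made up.
        for name, data in (("win13F.tmp.exe", payload_a),
                           ("win120.tmp.exe", payload_a),
                           ("idd12E.tmp.exe", payload_b)):
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        return new_or_changed(before, snapshot(folder))
    finally:
        shutil.rmtree(folder, ignore_errors=True)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        watch(sys.argv[1])
    else:
        for digest, names in self_check().items():
            print(digest[:16], f"x{len(names)}", ", ".join(sorted(names)))
```

Run it as `python tempwatch.py C:\WINDOWS\Temp` from Safe Mode and leave it for a few minutes. Many names collapsing onto one hash means a single dropper re-copying itself, and that hash is what to hand to the antivirus vendor; a different hash every time points at something downloading or generating fresh files, which is the downloader behaviour the detection names suggest.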