Cyber Tech Help Support Forums > Software > Malware Removal
#1  August 29th, 2006, 02:14 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
Trojan.Dialer.Premium and Trojan.Downloader.Agent.XXX

I've gotten a virus or spyware recently which BitDefender 9 detects and tries to move to quarantine, and sometimes succeeds or fails. But even if it does manage to move it, the files are right back. When I try to manually delete them (right-click and then Delete) it says the files do not "exist". Ad-Aware simply gets stuck when it tries to scan the folder with the infected files in it. Deleting them in Safe Mode works, but as soon as I reconnect to the internet the files and BitDefender's error messages are back within a few minutes.
I should also add that under my connections screen there is a new connection called "Enter" which it attempts to dial with, and it dials the number "5".

Anyway I found this site by typing the files' names in Google and finding a topic with a person who seems to have the same problem.

Here's my log from HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 15:12:37, on 29-8-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Utulities\BitDefender9\vsserv.exe
C:\Utulities\BitDefender9\bdmcon.exe
C:\Utulities\BitDefender9\bdnagent.exe
C:\Utulities\BitDefender9\bdswitch.exe
C:\Utulities\BitDefender9\bdlite.exe
C:\WINDOWS\TEMP\idd4.tmp.exe
C:\Utulities\BitDefender9\bdlite.exe
C:\Utulities\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bitdefender.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Utulities\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Utulities\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Utulities\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Utulities\BitDefender9\bdswitch.exe"
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\UTULIT~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utulities\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utulities\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{766CA2CE-7A55-4116-A222-80000A8D2C2D}: NameServer = 194.134.5.5 194.134.0.97
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Utulities\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Last edited by Xa4; August 29th, 2006 at 02:27 PM.
#2  August 30th, 2006, 05:56 PM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Hello and welcome to CTH,

Download the trial version of Ewido Security Suite from here and install it.

After installation, double-click the icon on your Desktop to launch Ewido.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update Ewido to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update Ewido.

Now close Ewido (don't scan just yet).


Reboot into Safe Mode. At startup tap F8 and select Safe Mode (see here).

Make sure all windows are closed and run Ewido. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.


Then reboot back to Normal Mode. Run a new scan with HijackThis and post that and the Ewido log back here please.
#3  August 30th, 2006, 07:04 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
Thanks for helping me.

Anyway I've done all that and here are the logs.

The HijackThis log:
Quote:
Logfile of HijackThis v1.99.1
Scan saved at 20:06:59, on 30-8-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Utulities\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Utulities\BitDefender9\vsserv.exe
C:\Utulities\BitDefender9\bdmcon.exe
C:\Utulities\BitDefender9\bdnagent.exe
C:\Utulities\BitDefender9\bdswitch.exe
C:\Utulities\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Utulities\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bitdefender.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Utulities\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BDMCon] "C:\Utulities\BitDefender9\bdmcon.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "C:\Utulities\BitDefender9\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "C:\Utulities\BitDefender9\bdswitch.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Utulities\ewido anti-spyware 4.0\ewido.exe" /minimized
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\UTULIT~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utulities\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Utulities\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winccf32 - C:\WINDOWS\SYSTEM32\winccf32.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Utulities\ewido anti-spyware 4.0\guard.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Utulities\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
And here's the log from Ewido:
Quote:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:04:13 30-8-2006

+ Scan result:



C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\CZA1EH2N\srvwac[1].exe -> Dialer.PlayGames.l : No action taken.
C:\WINDOWS\Temp\win116.tmp.exe -> Dialer.PlayGames.l : No action taken.
C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\O327M389\L2[1].exe -> Downloader.Small.dod : No action taken.
C:\WINDOWS\Temp\winA.tmp.exe -> Downloader.Small.dod : No action taken.
C:\WINDOWS\Temp\idd118.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd2B.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd44.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd5D.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd5F.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd63.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd69.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd75.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd96.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddA0.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddA8.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddAF.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddCA.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddE.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddE2.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddF.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\iddFD.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\GF4JQFY5\srvmwa[1].exe -> Trojan.Pakes : No action taken.
C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\GF4JQFY5\srvsud[1].exe -> Trojan.Pakes : No action taken.
C:\WINDOWS\Temp\win5C.tmp.exe -> Trojan.Pakes : No action taken.
C:\WINDOWS\Temp\winD.tmp.exe -> Trojan.Pakes : No action taken.


::Report end
#4  August 30th, 2006, 08:38 PM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

Disable your antivirus program and go here (http://www.bitdefender.com/scan8/ie.html) and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.

When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All then copy/paste that log back here. Post back and let us know what it found (post the log).
#5  August 30th, 2006, 10:30 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
Here's the log:
Though I must add that I could not use ATF Cleaner with Firefox because it showed up greyed out. So for Firefox I used Firefox's own 'Clear private data' with everything selected.

Quote:
BitDefender Online Scanner

Scan report generated at: Wed, Aug 30, 2006 - 23:34:29
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:36:52
Files: 213325
Folders: 2727
Boot Sectors: 2
Archives: 1486
Packed Files: 18491

Results
Identified Viruses: 2
Infected Files: 5
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 5

Engines Info
Virus Definitions: 451684
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 5
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\WINDOWS\Temp\win116.tmp.exe - Infected with: Trojan.Dialer.Premium
C:\WINDOWS\Temp\win116.tmp.exe - Disinfection failed
C:\WINDOWS\Temp\win116.tmp.exe - Deleted
C:\WINDOWS\Temp\win2B.tmp - Infected with: Trojan.Dialer.Premium
C:\WINDOWS\Temp\win2B.tmp - Disinfection failed
C:\WINDOWS\Temp\win2B.tmp - Deleted
C:\WINDOWS\Temp\win2B.tmp.exe - Infected with: Trojan.Dialer.Premium
C:\WINDOWS\Temp\win2B.tmp.exe - Disinfection failed
C:\WINDOWS\Temp\win2B.tmp.exe - Deleted
C:\WINDOWS\Temp\win44.tmp.exe - Infected with: Trojan.Downloader.Agent.XXX
C:\WINDOWS\Temp\win44.tmp.exe - Disinfection failed
C:\WINDOWS\Temp\win44.tmp.exe - Deleted
C:\WINDOWS\Temp\winAF.tmp.exe - Infected with: Trojan.Downloader.Agent.XXX
C:\WINDOWS\Temp\winAF.tmp.exe - Disinfection failed
C:\WINDOWS\Temp\winAF.tmp.exe - Deleted
#6  August 31st, 2006, 07:52 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Please run another Ewido scan and post the results. How is your system running now?
#7  August 31st, 2006, 06:22 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
I did another scan but it's still not gone.

Quote:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:26:19 31-8-2006

+ Scan result:



C:\WINDOWS\Temp\idd11E.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd123.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd125.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd138.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd13F.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd140.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd14C.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd14E.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd158.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd161.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd16F.tmp.exe -> Trojan.Dialer.qy : No action taken.
C:\WINDOWS\Temp\idd4.tmp.exe -> Trojan.Dialer.qy : No action taken.


::Report end
#8  August 31st, 2006, 08:58 PM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Download Killbox from http://www.cybertechhelp.com/downloa...pocket-killbox, unzip the file to your Desktop and have it ready to use.

Run Killbox and select the below files (including filepath) with your mouse, right-click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right-click again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. You will get a message saying "File will be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot.

C:\WINDOWS\Temp\idd11E.tmp.exe
C:\WINDOWS\Temp\idd123.tmp.exe
C:\WINDOWS\Temp\idd125.tmp.exe
C:\WINDOWS\Temp\idd138.tmp.exe
C:\WINDOWS\Temp\idd13F.tmp.exe
C:\WINDOWS\Temp\idd140.tmp.exe
C:\WINDOWS\Temp\idd14C.tmp.exe
C:\WINDOWS\Temp\idd14E.tmp.exe
C:\WINDOWS\Temp\idd158.tmp.exe
C:\WINDOWS\Temp\idd161.tmp.exe
C:\WINDOWS\Temp\idd16F.tmp.exe
C:\WINDOWS\Temp\idd4.tmp.exe

Reboot and run Ewido to verify that they did delete.
#9  August 31st, 2006, 09:18 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
None of the files you named are still in that folder. In fact I get the feeling those files keep making new versions or copies of themselves, because each time I emptied my Temp folder (I can delete the files in Safe Mode) new files with a slightly different name appear within a few minutes, even in Safe Mode.

Each time I check my Temp folder there are a few more files. I haven't deleted them today and my guess is there are between 100 and 200 files now with nearly the same name.

At the moment I am typing this there is:
1 folder named "tmp00002541"
1 MS-DOS batch file named winA.tmp
100-200 win(insert letter or number).tmp files
3 idd(insert letter or number).tmp.exe files, which all try to dial every now and then, but I keep denying them internet access when BitDefender asks.
5 win(insert letter or number).tmp.exe files

The names of the .exe files are:
idd12E.tmp
idd131.tmp
idd142.tmp
idd164.tmp
win13F.tmp
win120.tmp
win130.tmp
win137.tmp
win157.tmp

Last edited by Xa4; August 31st, 2006 at 09:32 PM.
#10  September 3rd, 2006, 03:25 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Download SmitfraudFix.zip from here.

Unzip it to your desktop and double-click on smitfraudfix.cmd.

Choose Option 1 and hit Enter to generate a report about the infected files. Please save the Log (it will save to C:\rapport.txt) and post it here.
#11  September 3rd, 2006, 10:54 AM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
Here's the report:

Quote:
SmitFraudFix v2.83

Scan done at 11:58:55,01, zo 03-09-2006
Run from C:\Documents and Settings\XA4\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\XA4\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\XA4\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="sockspy.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
#12  September 4th, 2006, 02:59 AM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Boot into Safe Mode (see here) and double-click on smitfraudfix.cmd again.

Choose Option 2 and hit Enter to delete the files responsible for the infection.

Disk Cleanup will run

Answer the question: Voulez-vous nettoyer le registre? (Do you want to clean your registry ?) o/n with O (oui -> yes) and hit Enter

The fix will stop if wininet.dll is infected. If so, answer the question: Corriger le fichier infecté? (Do you want to fix the infected file ?) o/n with O (oui -> yes) and hit Enter

A second report will be generated, please save it and type q and hit Enter to exit the program.
#13  September 5th, 2006, 03:55 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
Here's the report.

Quote:
SmitFraudFix v2.83

Scan done at 16:57:45,81, di 05-09-2006
Run from C:\Documents and Settings\XA4\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
#14  September 8th, 2006, 03:59 PM
dahli (CTH Subscriber; Join Date: Oct 2004; Location: in a van down by the river; Posts: 5,335)
Run Ewido again and post the log.
#15  September 8th, 2006, 09:01 PM
Xa4 (New Member; Join Date: Aug 2006; Posts: 12)
Here's the Ewido log; it simply keeps coming back. Files get created in the Windows\Temp folder even in Safe Mode. My guess is Ewido does remove the trojans but something keeps re-installing them. It happened after I opened an .exe (which I don't have anymore). My guess is that .exe installed something that keeps installing these files in the Temp folder. Is there any way I can find out what's creating them?

Quote:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:04:13 8-9-2006

+ Scan result:



C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\GF4JQFY5\srvoxg[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\GF4JQFY5\srvpzh[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\O327M389\srvtjk[1].exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win14C.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\win7.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winA.tmp.exe -> Dialer.PlayGames.l : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\XA4\Application Data\Mozilla\Firefox\Profiles\hjnp1ovv.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\XA4\Local Settings\Temporary Internet Files\Content.IE5\O327M389\srvzak[1].exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winB.tmp.exe -> Trojan.Pakes : Cleaned with backup (quarantined).


::Report end