|
Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs |
|
Topic Tools |
#1
|
|||
|
|||
I have "trojan.dialer.premium" AND "trojan.downloader.agent.xxx" pls help
This is my first post, so I hope I am ok to post.
I keep getting the above virus alerts through Bitdefender. It says : c:\windows\tempwinc1.tmp.exe ( with the "c1" bit changing to a different number each time,) has the trojan I have checked the forum and downloader all the relavent tools- just need a bit of help in which order to run them all. many thanks and keep up the good work. chris |
#2
|
|||
|
|||
Logfile of HijackThis v1.99.1
Scan saved at 11:38:14, on 02/09/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\WINDOWS\system32\gsicon.exe C:\WINDOWS\system32\dslagent.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe E:\Utilities\ewido anti-spyware 4.0\guard.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\VIA\RAID\raid_tool.exe C:\Program Files\LogMeIn\RaMaint.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Softwin\BitDefender9\bdoesrv.exe C:\progra~1\softwin\bitdef~1\bdnagent.exe C:\Program Files\LogMeIn\LogMeIn.exe C:\progra~1\softwin\bitdef~1\bdswitch.exe C:\Program Files\LogMeIn\LogMeInSystray.exe E:\Utilities\PVR\URemote.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe E:\Utilities\PVR\Monitor.exe E:\Utilities\HP\HP Software Update\HPWuSchd2.exe E:\Utilities\ewido anti-spyware 4.0\ewido.exe C:\Program Files\Windows Defender\MSASCui.exe C:\WINDOWS\system32\slserv.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\svchost.exe E:\Utilities\UltraVNC\winvnc.exe C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe C:\Program Files\ATI Technologies\ATI.ACE\cli.exe C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe C:\Program Files\Softwin\BitDefender9\vsserv.exe c:\progra~1\softwin\bitdef~1\bdmcon.exe E:\Utilities\winrar\WinRAR.exe C:\DOCUME~1\chris\LOCALS~1\Temp\Rar$EX04.265\Hijac kThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe O4 - HKLM\..\Run: [BDOESRV] "C:\Program Files\Softwin\BitDefender9\bdoesrv.exe" O4 - HKLM\..\Run: [BDNewsAgent] "c:\progra~1\softwin\bitdef~1\bdnagent.exe" O4 - HKLM\..\Run: [BDSwitchAgent] "c:\progra~1\softwin\bitdef~1\bdswitch.exe" O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\LogMeInSystray.exe" O4 - HKLM\..\Run: [WinVNC] "E:\Utilities\UltraVNC\winvnc.exe" -servicehelper O4 - HKLM\..\Run: [URemote] E:\Utilities\PVR\URemote.exe O4 - HKLM\..\Run: [ChangeFilterMerit] E:\Utilities\PVR\ChangeFilterMerit.exe O4 - HKLM\..\Run: [Presto! PVR Monitor] E:\Utilities\PVR\Monitor.exe O4 - HKLM\..\Run: [HP Software Update] E:\Utilities\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [!ewido] "E:\Utilities\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe O4 - Global Startup: Microsoft Office.lnk = E:\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Utilities\WinHTTrack\WinHTTrackIEBar.dll O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - E:\Utilities\WinHTTrack\WinHTTrackIEBar.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujitsu-siemens.de/De...pi/activex.cab O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing) O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - E:\Utilities\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing) O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing) O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing) O23 - Service: VNC Server (winvnc) - Unknown owner - E:\Utilities\UltraVNC\winvnc.exe" -service (file missing) O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing) |
#3
|
|||
|
|||
SmitFraudFix v2.83
Scan done at 12:02:21.45, 02/09/2006 Run from C:\Documents and Settings\chris\Desktop\SmitfraudFix OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT Fix ran in normal mode »»»»»»»»»»»»»»»»»»»»»»»» C:\ »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32 »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\chris\Application Data »»»»»»»»»»»»»»»»»»»»»»»» Start Menu »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LOCALS~1\FAVORI~1 »»»»»»»»»»»»»»»»»»»»»»»» Desktop »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0] "Source"="About:Home" "SubscribedURL"="About:Home" "FriendlyName"="My Current Home Page" »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler !!!Attention, following keys are not inevitably infected!!! SrchSTS.exe by S!Ri Search SharedTaskScheduler's .dll »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs !!!Attention, following keys are not inevitably infected!!! [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="sockspy.dll" »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection »»»»»»»»»»»»»»»»»»»»»»»» End |
#4
|
||||
|
||||
Howdy chrisrigg,
No infection showing in the HijackThis log, or the other either (FYI - not good to run scans without knowing what changes they might bring about). Those temp files do have very suspect names, but we can't act on that without knowing for sure they aren't perhaps part of your VNC software running that is being misidentifed. Let's check now. First you need to disable Windows Defender, as it may interfere with repairs. * Open Windows Defender * Click Tools * Click General Settings * Scroll down to Real Time Protection Options * Uncheck Turn on Real Time Protection (recommended) * After you uncheck this, click on the Save button * Close Windows Defender Then open and udpate Ewido (but don't scan just yet). Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF). If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective. --------------------------------------------------- Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode). Make sure all windows are closed and run Ewido. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again. Then reboot back to Normal Mode. Go Here and download Silent Runners to your desktop. Run it, and post back here the log it creates. If your AV queries the script, allow it to run. It's not malicious. It will create a file named Startup Programs, and will notify when the scan is complete. Copy the log from the Startup Programs file back here, along with the Ewido log please. You can use separate posts here if needed. |
Bookmarks |
«
Previous Topic
|
Next Topic
»
|
|
Similar Topics | ||||
Topic | Topic Starter | Forum | Replies | Last Post |
Stubborn "Infection";"Trojan horse Pakes.CFZ" Help! | johndoe24 | Malware Removal | 26 | April 9th, 2009 02:53 AM |
Invasion of a "Trojan.Popuper" and "Ilookup.begin2search" help please pc is toast. | phoenixmarshall | Malware Removal | 61 | February 8th, 2009 03:09 AM |
I have "trojan.dialer.premium" AND "trojan.downloader.agent.xxx" pls help | chrisrigg | Windows XP | 1 | September 2nd, 2006 11:56 AM |
Wanna get rid of "Trojan horse Downloader.Small.10.BE" - Please help | riponmz | Malware Removal | 7 | November 9th, 2004 04:01 AM |
All times are GMT +1. The time now is 03:19 AM.