Tom's Guide | Tom's Hardware | Tom's Games
 |
 |
 |
Ok, a few months back, Norton antivirus detected a trojan, but my sub. had expired so i dl'd AVG (full version)instead. Now, since day one it's found a virus called Trojan horse proxy.x (where x has had a few different names, most recently MVL) At any rate, AVG deletes the file often located in the same place and/or system restore. Now i can't find any info in the virus online (not in english anyway) and i've run AVG in safemode. I run SpyDoctor S and D, AdAware SE, CCleaner, and the ultimate troubleshooter regularly.
Well i've run HiJack this becaue i always see that recommended and here's the logfile. Bear in mind that i've run an AVG scan and the file was deleted and i've not restarted the computer before doing the HJthis scan, thanks in advance.
EDIT(removed Hijack This log until asked)
Please post your Hijack This log.
Please download SmitFraudFix from this link http://siri.urz.free.fr/Fix/Smitfra... Then extract the contents to your desktop.
!!!! Only run option #1 as runing the other options on an uninfected computer will damage the desktop.!!!!
Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
0 
Ok jabuck, thanks for the help. Here's the SmitFraud report...
--------------------
SmitFraudFix v2.168Scan done at 10:02:36,04, 2007-04-17
Run from C:\Documents and Settings\Michael\Skrivbord\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\iid.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program\Delade filer\Logitech\KhalShared\KHALMNPR.exe
C:\Program\DELADE~1\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\Delade filer\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Advanced MP3 Catalog Pro\AMC3.exe
C:\Program\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\cmd.exe»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Michael\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Min aktuella startsida"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!![HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce Networking Controller - Miniport för paketschemaläggning
DNS Server Search Order: 81.26.227.3
DNS Server Search Order: 195.54.122.204
DNS Server Search Order: 195.54.122.198
DNS Server Search Order: 195.54.122.200HKLM\SYSTEM\CCS\Services\Tcpip\..\{0A83443A-025E-4B6E-A1EC-01B93749EC38}: DhcpNameServer=81.26.227.3 195.54.122.204
195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0A83443A-025E-4B6E-A1EC-01B93749EC38}: DhcpNameServer=195.54.122.199 81.26.227.3195.54.122.204 195.54.122.198
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0A83443A-025E-4B6E-A1EC-01B93749EC38}: DhcpNameServer=81.26.227.3 195.54.122.204195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS3\Services\Tcpip\..\{0A83443A-025E-4B6E-A1EC-01B93749EC38}: DhcpNameServer=81.26.227.3 195.54.122.204195.54.122.198 195.54.122.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=195.54.122.199 81.26.227.3 195.54.122.204 195.54.122.198
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=81.26.227.3 195.54.122.204 195.54.122.198 195.54.122.200
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
----------------
----------------
And here's the hijack this report...
Logfile of HijackThis v1.99.1
Scan saved at 10:08:48, on 2007-04-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\iid.exe
C:\WINDOWS\system32\MAFWTray.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\Grisoft\AVG7\avgamsvr.exe
C:\Program\Grisoft\AVG7\avgupsvc.exe
C:\Program\Grisoft\AVG7\avgemc.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program\DELADE~1\PCSuite\Services\SERVIC~1.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program\Delade filer\Logitech\KhalShared\KHALMNPR.exe
C:\Program\DELADE~1\LogiShrd\LComMgr\LVComSX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program\Delade filer\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\svchost.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program\Advanced MP3 Catalog Pro\AMC3.exe
C:\Program\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.exe
C:\Program\AMD\PowerNow! Demo\PowerNowDashboard.exe
C:\Program\hijackthis\HijackThis.exeR1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hotmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Program\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Program\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program\Delade filer\Logitech\KhalShared\KHALMNPR.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Net iD] C:\WINDOWS\system32\iid.exe
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKLM\..\Run: [nTrayFw] C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Chronos] C:\Program\Chronos\Chronos.exe s
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} - http://adobe.kodakgallery.co.uk/dow...
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} - http://by106fd.bay106.hotmail.msn.c...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVG7\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVPrcSrv - Logitech Inc. - c:\program\delade filer\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program\Delade filer\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program\Delade filer\Ulead Systems\DVD\ULCDRSvr.exe
0
I don't see much in the logs.
Please download Dr Web CureIt to your desktop from this link ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan.
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop.
0
Ok, sorry this took so long, i've been so busy. I've done exactly as you describe, but i'm curious, is it correct that you want me to post the DrWeb log file from the scan i did before rebooting? Or should i scan again? Plus i'm posting a screenshot of my latest AVG event log in case it's any help. Thanks.
Dr Web...
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.78.1;Probably BACKDOOR.Trojan;Moved.;
inst.exe;C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_2.2.82.1;Probably BACKDOOR.Trojan;Moved.;
Process.exe;C:\Documents and Settings\Michael\Skrivbord\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;C:\Documents and Settings\Michael\Skrivbord\SmitfraudFix;Tool.ShutDown.11;Moved.;
UltimateTroubleshooter.exe;C:\Downloads\The.Ultimate.Troubleshooter.v3.20-RES-crk;Probably BACKDOOR.Trojan;Moved.;
Tut_support.exe;C:\Program\AnswersThatWork\Troubleshooter;Modification of BackDoor.Generic.987;Moved.;
UltimateTroubleshooter.exe;C:\Program\AnswersThatWork\Troubleshooter;Probably BACKDOOR.Trojan;Moved.;
ShowManager.dll;C:\Program\Logitech\VideoCall\dlls;Probably DLOADER.Trojan;Moved.;
A0025716.exe;C:\System Volume Information\_restore{97CA3A47-4ACD-491D-8D4D-8F0E1355EA50}\RP144;Modification of BackDoor.Generic.987;Moved.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Moved.;
RemoveWGA.exe;E:\;Tool.RemoveWGA;Moved.;
Process.exe;E:\SmitfraudFix\SmitfraudFix;Tool.Prockill;Moved.;
restart.exe;E:\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Moved.;
[URL=http://imageshack.us][IMG]http://img480.imageshack.us/img480/4083/avgscreensk1.jpg[/IMG][/URL]Once more, thank you in advance.
0  |
 |
 |
This post is quite old and has been locked from receiving new replies. Please create a new posting instead.
| Ads by Google |
