Trojan + Pop Ups

Hi,


I keep getting pop-ups from BD saying "Scanning outgoing mail". What does this mean, as I'm not sending any mail (or is it what my computer is sending to a server or something)?


Also, I have run a full system scan and it has come up with a trojan, but I cannot delete it and this comes up:


[system] Trojan.Inject.IA No action was possible


[system] Trojan.Inject.IA No action was possible


[system] Trojan.Inject.IA No action was possible


[system] Trojan.Inject.IA No action was possible


I have no idea what to do :S. Please help.


Thanks

Comments

  • Sm3K3R
    Sm3K3R ✭✭✭

    First of all update BD, then remove your network cable.


    Then disable System Restore on all drives from Control Panel/System/System Restore -> Turn OFF. Some malware keep a copy in System Restore to reinfect; that's why you will need to stop System Restore temporarily until you remove the infection.


    Then run a deep system scan and post the scan log here on the forum.


    Don't forget to set the antivirus to move suspect and infected files to quarantine.


    You can also try a second scan with SpyBot Search and Destroy from here http://www.safer-networking.org/en/spybotsd/index.html


    This is in case the trojan got a brother into your computer.


    Good Luck!

  • rootkit
    rootkit ✭✭✭

    Set BD to move the mail in the Infected Folder ;)

  • RobTheMonk
    edited July 2008

    Still no luck. BD does not seem to run in safe mode for me either. Spybot found some stuff, but the trojans are still there. This is what the log says:


    Scan Options:

    Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target selection options:

    Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : Yes


    Scan runtime packers : Yes


    Scan emails : Yes


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target Processing

    Default action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Scan engines summary

    Number of virus signatures : 1363853


    Archive plugins : 42


    Email plugins : 6


    Scan plugins : 12


    Archive plugins : 42


    System plugins : 4


    Unpack plugins : 7


    Overall scan summary

    Scanned items : 291522


    Infected items : 4


    Suspicious items : 0


    Resolved items : 0


    Individual viruses found : 1


    Scanned directories : 5590


    Scanned boot sectors : 2


    Scanned archives : 2750


    Input-output errors : 14


    Scan time : 00:01:11:20


    Files per second : 68


    Scanned processes summary

    Scanned : 50


    Infected : 0


    Scanned registry keys summary

    Scanned : 350


    Infected : 0


    Scanned cookies summary

    Scanned : 0


    Infected : 0


    Remaining issues:

    Object Name / Threat Name / Final Status


    [system] Trojan.Inject.IA No action was possible


    [system] Trojan.Inject.IA No action was possible


    [system] Trojan.Inject.IA No action was possible


    [system] Trojan.Inject.IA No action was possible


    It's telling me that:


    Infected => c:\windows\system32\svchost.exe (memory dump)


    There are TWO like this and two which are the same apart from having (full dump) instead of (memory dump).


    Any suggestions?


    Apologies if I have posted in the wrong place as well.

  • Sm3K3R
    Sm3K3R ✭✭✭
    edited July 2008


    Please run an additional tool http://www.trendsecure.com/portal/en-US/to...ools/hijackthis


    After this HijackThis scan, post the log here.


    Did you turn off System Restore as I advised you?


    BD 2008 is able to scan in safe mode with Start->Programs->BD->BitDefender Manual Scan.


    What did SpyBot Search and Destroy find?


    Good luck!

  • Hi .. I have been having the same problems as ROB12345.... and have followed the steps in Sm3K3R's last post ...... Here are the results of the HijackThis scan.... Any help will be much appreciated.


    Thanks

    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 14:41:33, on 02/08/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16674)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\WinZip\WZQKPICK.EXE


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\slmdmsr.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe


    C:\Program Files\Internet Explorer\IEXPLORE.EXE


    C:\Program Files\Skype\Phone\Skype.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Documents and Settings\Brian\Desktop\HiJackThis.exe


    C:\Program Files\Internet Explorer\IEXPLORE.EXE


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\system32\Notepad.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edit.europe.yahoo.com/config/mail?.intl=uk


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaul...earch.yahoo.com


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


    F3 - REG:win.ini: run=


    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\services.exe


    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [[system]] C:\WINDOWS\system32\drivers\services.exe


    O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE


    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll


    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll


    O9 - Extra button: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: @c:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O17 - HKLM\System\CCS\Services\Tcpip\..\{C1A6A15E-16C1-4687-98EF-133ED44DFC6E}: NameServer = 212.230.255.129,212.230.255.1


    O17 - HKLM\System\CCS\Services\Tcpip\..\{CE5157C2-EC32-4EB6-9D28-DBBB0376F91C}: NameServer = 80.58.0.33,80.58.32.97


    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\services.exe (file missing)


    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slmdmsr.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 5294 bytes

  • Hi,


    Sounds like you may be experiencing the same problem we had here with an e-mail supposed to be from UPS, where a failed delivery took place with an invoice as an attachment. Subsequently, if the attachment is opened then you are infected with malware which then sends spam mail out.


    If this is the case you may be contacted by people such as http://www.barracudacentral.com/ or http://cbl.abuseat.org after a genuine e-mail that you try to send cannot be delivered. Your ISP may even be informed and may take further action if action is not taken. So far it seems a rebuild of the infected machine(s) is needed, as I have yet to see any vendor who has provided a patch/fix.


    From your starting comment about receiving repeated prompts about attempted e-mails being sent, it sounds like you may be infected with some malware.


    Hope this helps.