Undetected Malware

Recently about a dozen trojans have landed on my PC despite having Bitdefender Internet Security Suite and Spyware Doctor scanning in real time.


Symptoms range from opening up unwanted browser windows with antivirus and casino ads, disappearing menu bars, keyboard mis-typing, crashes, computer slowing, freezes, etc.


Both Bitdefender and Spyware Doctor eventually find & deal with these, but more seem to come along later.


It's as though there's something on my PC that is inviting the trojans on board.


Is there any way that a malicious program could add itself to Bitdefender's Firewall whitelist?


I disabled system restore and did full system scans, then re-enabled system restore, but malware continues to arrive.


I'm not an IT person so am not sure what to do now and have limited technical knowledge. Is there any possibility that someone could help in any way?


I have Belarc Advisor installed if that could help provide any evidence.

Comments

  • Sorry, I think I've posted this in the wrong place; how can I move my post, please?

  • Please download Hijackthis from here.


    Install, and run a System Scan with Log. Copy and paste the contents of the log here.


    If you find any files that you think are suspicious and are undetected by Bitdefender and Spyware Doctor, scan them here.

  • Sm3K3R (edited September 2008)
    Recently about a dozen trojans have landed on my PC despite having Bitdefender Internet Security Suite and Spyware Doctor scanning in real time.


    Symptoms range from opening up unwanted browser windows with antivirus and casino ads, disappearing menu bars, keyboard mis-typing, crashes, computer slowing, freezes, etc.


    Both Bitdefender and Spyware Doctor eventually find & deal with these, but more seem to come along later.


    It's as though there's something on my PC that is inviting the trojans on board.


    Is there any way that a malicious program could add itself to Bitdefender's Firewall whitelist?


    I disabled system restore and did full system scans, then re-enabled system restore, but malware continues to arrive.


    I'm not an IT person so am not sure what to do now and have limited technical knowledge. Is there any possibility that someone could help in any way?


    I have Belarc Advisor installed if that could help provide any evidence.


    Use 3rd party firewalls like Jetico, PC Tools Firewall 4, Online Armor Free or Comodo 3 (all free and with good network filtering; Jetico and PC Tools contain SPI), though this should be done on a clean machine after a fresh installation. These firewalls may help you find out what the malware is that downloads those things, just by showing you the pop-ups with the location. Most probably you infected yourself from a website. You should activate in BD the "http traffic scan" option in BD advanced settings, antivirus customizing button. Additionally I recommend for web browsing the free tool named Sandboxie.


    For proper elimination of the downloaders also use Spybot Search & Destroy, Malwarebytes Anti-Malware and SUPERAntiSpyware.

  • Use 3rd party firewalls like Jetico, PC Tools Firewall 4, Online Armor Free or Comodo 3 (all free and with good network filtering; Jetico and PC Tools contain SPI), though this should be done on a clean machine after a fresh installation. These firewalls may help you find out what the malware is that downloads those things, just by showing you the pop-ups with the location. Most probably you infected yourself from a website. You should activate in BD the "http traffic scan" option in BD advanced settings, antivirus customizing button. Additionally I recommend for web browsing the free tool named Sandboxie.


    For proper elimination of the downloaders also use Spybot Search & Destroy, Malwarebytes Anti-Malware and SUPERAntiSpyware.


    Unfortunately I am not IT savvy, so would not attempt to wipe my hard drives and reinstall XP. It sounds like you feel that Bitdefender's Firewall is maybe not up to the job and that third-party firewalls might be better.


    I have activated "http traffic scan" in Bitdefender as you suggested and things are much improved but suspect the malware is still lurking on the PC.


    Thanks for your advice.

  • Please download Hijackthis from here.


    Install, and run a System Scan with Log. Copy and paste the contents of the log here.


    If you find any files that you think are suspicious and are undetected by Bitdefender and Spyware Doctor, scan them here.


    Hi Chesda, the Hijackthis log is attached, thank you for offering your help.


    Attachment: hijackthis.log

  • Hi Chesda, the Hijackthis log is attached, thank you for offering your help.


    Could you please copy and paste it onto this thread?

  • Could you please copy and paste it onto this thread?


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:15:44, on 01/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    C:\Program Files\PrintKey2000\Printkey2000.exe
    C:\Program Files\PopTray\PopTray.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\BitDefender\BitDefender 2008\uiscan.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
    O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
    O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
    O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
    O9 - Extra button: (no name) - AutorunsDisabled - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
    O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtual...iveXClient1.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133532450656
    O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/database...timage40803.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
    O20 - Winlogon Notify: ec3c38a3382 - C:\WINDOWS\system32\__c00F362.dat
    O20 - Winlogon Notify: __c00D291 - C:\WINDOWS\system32\__c00D291.dat (file missing)
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    O24 - Desktop Component 0: (no name) - (no file)

    --
    End of file - 9151 bytes
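The helper in the next reply picked the `O20 - Winlogon Notify` line out of that log by eye: a handler with a random-looking name loading a `.dat` file from `system32` is the entry that survives every scan and re-downloads the rest. The script below is an added example, not HijackThis's or BitDefender's own code, that applies the same triage automatically to a HijackThis log. The allow-list of stock Windows XP Winlogon Notify packages and the "random-looking name" pattern are assumptions made for this example, and the sample entries are copied from the log posted above so it runs offline.

```python
"""Triage a HijackThis log for the entries that matter for persistence.

Added example (not HijackThis's own code).  It keeps O20 Winlogon Notify
handlers, O23 services and any entry whose target file is gone, and returns
findings in the order they appear in the log.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    severity: str   # "high" = investigate now, "review" = confirm by hand, "stale" = dead entry
    reason: str
    line: str


# Winlogon Notify packages found on a stock Windows XP install.  Assumption:
# a short allow-list for illustration, not an exhaustive reference.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wgalogon", "wlballoon",
}

# Machine-generated-looking names: a "__c" prefix followed by hex digits, or
# a long run of hex digits (covers the __c00F362 / ec3c38a3382 pair above).
RANDOM_NAME = re.compile(r"^(?:__c[0-9a-f]+|[0-9a-f]{10,})$", re.IGNORECASE)

O20_LINE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?: \(file missing\))?$")
O23_LINE = re.compile(
    r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis entry; None means nothing worth reporting."""
    line = line.strip()

    m = O20_LINE.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon, so a
        # random name or a ".dat" file under system32 is the classic tell.
        if RANDOM_NAME.match(name) or path.lower().endswith(".dat"):
            return Finding("high", "Winlogon Notify handler with random-looking name or .dat target", line)
        if name.lower() not in KNOWN_WINLOGON_NOTIFY:
            return Finding("review", "Winlogon Notify handler not in the stock XP allow-list", line)
        return None

    m = O23_LINE.match(line)
    if m and m.group("owner").lower() == "unknown owner":
        # Not malicious by itself (the MySql service above is legitimate),
        # but the binary is worth confirming by hand.
        return Finding("review", "service registered without a publisher string", line)

    if line.endswith("(no file)") or "(file missing)" in line:
        return Finding("stale", "entry whose target file no longer exists", line)
    return None


def triage_log(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        finding = triage_line(raw)
        if finding is not None:
            findings.append(finding)
    return findings


# A few entries copied from the log posted in this thread, so the example runs offline.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O20 - Winlogon Notify: ec3c38a3382 - C:\WINDOWS\system32\__c00F362.dat
O20 - Winlogon Notify: __c00D291 - C:\WINDOWS\system32\__c00D291.dat (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O24 - Desktop Component 0: (no name) - (no file)
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample it reports both `O20` lines as high (the live `__c00F362.dat` and the already-missing `__c00D291.dat`), the MySql service as something to confirm by hand, and the three dead BHO/button/desktop entries as stale clutter. Stale entries are not the infection, but they are the leftovers a clean-up should remove; the high finding is the one to quarantine and submit for analysis, which is exactly what happened in this thread.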

  • csalgau (edited September 2008)

    Please attach the following file in a password protected archive.


    C:\WINDOWS\system32\__c00F362.dat


    Also, please download Avis from our HowTo section and upload an Avis System Log.

  • Please attach the following file in a password protected archive.


    C:\WINDOWS\system32\__c00F362.dat


    Also, please download Avis from our HowTo section and upload an Avis System Log.


    Hi Catalin,


    You were spot on with the _c00F362.dat file; BitDefender decided to quarantine it and identified it as Trojan.Agent.AJTY.


    I downloaded Spybot Search & Destroy as suggested on this forum, and it identified a file called "a.exe" (also in the system32 folder) as being Smitfraud-C.gp. Both Spyware Doctor and Bitdefender missed this one.


    At last my PC seems to be working fine again!


    Thank you everybody for your help.

  • If you still have that file, please submit it for analysis.

  • If you still have that file, please submit it for analysis.


    I have submitted the file as requested via Bitdefender's quarantine interface.


    Best regards


    mumbo

  • Hi Catalin,


    You were spot on with the _c00F362.dat file; BitDefender decided to quarantine it and identified it as Trojan.Agent.AJTY.


    I downloaded Spybot Search & Destroy as suggested on this forum, and it identified a file called "a.exe" (also in the system32 folder) as being Smitfraud-C.gp. Both Spyware Doctor and Bitdefender missed this one.


    At last my PC seems to be working fine again!


    Thank you everybody for your help.


    a.exe, this is very funny. A few days ago I was searching for an electric schematic of a Syncmaster CRT monitor to help me repair it and, on some site (don't remember exactly) with such Adobe Reader documents, I got some pop-ups from my Jetico firewall that something from the Sandboxie folder (I use this while browsing) with the name a.exe was requesting connections and some system privileges. I wiped it out by deleting the sandbox folder manually. Unfortunately I didn't have access to it to archive it and send it here.