Undetected Malware

mumbo12 · August 2008

Recently about a dozen trojans have landed on my PC despite having Bitdefender Internet Security Suite and Spyware Doctor scanning in real time.

Symptoms range from opening up unwanted browser windows with antivirus and casino ads, disappearing menu bars, keyboard mis-typing, crashes, computer slowing, freezes, etc.

Both Bitdefender and Spyware Doctor eventually find & deal with these, but more seem to come along later.

It's as though there's something on my PC that is inviting the trojans on board.

Is there any way that a malicious program could add itself to Bitdefender's Firewall whitelist?

I disabled system restore and did full systems scans then re-enabled system restore, but malware continues to arrive.

I'm not an IT person so am not sure what to do now and have limited technical knowledge. Is there any possibility that someone could help in any way?

I have Belarc Advisor installed if that could help provide any evidence.

mumbo12 · August 2008

Sorry I think I've posted this in the wrong place, how can I move my post please?

Chesda · September 2008

Please download Hijackthis from here.

Install, and run a System Scan with Log. Copy and paste the contents of the log here.

If you find any files that you think are suspicious and is undetected by Bitdefender and Spyware Doctor, scan them here.

Sm3K3R · September 2008

Recently about a dozen trojans have landed on my PC despite having Bitdefender Internet Security Suite and Spyware Doctor scanning in real time.

Symptoms range from opening up unwanted browser windows with antivirus and casino ads, disappearing menu bars, keyboard mis-typing, crashes, computer slowing, freezes, etc.

Both Bitdefender and Spyware Doctor eventually find & deal with these, but more seem to come along later.

It's as though there's something on my PC that is inviting the trojans on board.

Is there any way that a malicious program could add itself to Bitdefender's Firewall whitelist?

I disabled system restore and did full systems scans then re-enabled system restore, but malware continues to arrive.

I'm not an IT person so am not sure what to do now and have limited technical knowledge. Is there any possibility that someone could help in any way?

I have Belarc Advisor installed if that could help provide any evidence.

Use 3d party firewalsl like Jetico,PC Tools Firewall 4,Online Armor Free or Comodo3(all free and with good network filtering,Jetico and PC Tools contain SPI)though this should be done on a clean machine after a fresh instalation.This firewalls may help you find out what is the malware that download those things just by showing you the pop-ups with the location.Most probable you infected yourself from an websute.You should activate in BD the "http traffic scan" option in BD advanced settings ,antivirus customizing button.Aditionally i recommend you for web browsing the free tool named Sandboxie.

For proper elimination of the downloaders use also Spybot Search& Distroy ,Malwarebytes Antimalware and Super AntiSpyware.

mumbo12 · September 2008

Use 3d party firewalsl like Jetico,PC Tools Firewall 4,Online Armor Free or Comodo3(all free and with good network filtering,Jetico and PC Tools contain SPI)though this should be done on a clean machine after a fresh instalation.This firewalls may help you find out what is the malware that download those things just by showing you the pop-ups with the location.Most probable you infected yourself from an websute.You should activate in BD the "http traffic scan" option in BD advanced settings ,antivirus customizing button.Aditionally i recommend you for web browsing the free tool named Sandboxie.

For proper elimination of the downloaders use also Spybot Search& Distroy ,Malwarebytes Antimalware and Super AntiSpyware.

Unfortunately I am not IT savvy so would not attempt to wipe my hard drives and reinstall XP. It sounds like you feel that Bitdefender's Firewall is maybe not up to the job and that third party firewalls might be better :unsure:

I have activated "http traffic scan" in Bitdefender as you suggested and things are much improved but suspect the malware is still lurking on the PC.

Thanks for your advice.

mumbo12 · September 2008

Please download Hijackthis from here.

Install, and run a System Scan with Log. Copy and paste the contents of the log here.

If you find any files that you think are suspicious and is undetected by Bitdefender and Spyware Doctor, scan them here.

Hi Chesda, the Hijackthis log is attached, thank you for offering your help.

/applications/core/interface/file/attachment.php?id=2863" data-fileid="2863" rel="">hijackthis.log

Chesda · September 2008

Hi Chesda, the Hijackthis log is attached, thank you for offering your help.

Could you please copy and paste it onto this thread?

mumbo12 · September 2008

Could you please copy and paste it onto this thread?

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:15:44, on 01/09/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\WINDOWS\system32\CTHELPER.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

C:\Program Files\PrintKey2000\Printkey2000.exe

C:\Program Files\PopTray\PopTray.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\mysql\bin\mysqld-nt.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Spyware Doctor\sdhelp.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe

C:\WINDOWS\system32\DllHost.exe

C:\Program Files\BitDefender\BitDefender 2008\uiscan.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll

O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"

O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')

O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe

O9 - Extra button: (no name) - AutorunsDisabled - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab

O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtual...iveXClient1.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133532450656

O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/database...timage40803.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab

O20 - Winlogon Notify: ec3c38a3382 - C:\WINDOWS\system32\__c00F362.dat

O20 - Winlogon Notify: __c00D291 - C:\WINDOWS\system32\__c00D291.dat (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe

O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

O24 - Desktop Component 0: (no name) - (no file)

--

End of file - 9151 bytes

csalgau · September 2008

Please attach the following file in a password protected archive.

C:\WINDOWS\system32\__c00F362.dat

Also, please download Avis from our HowTo section and upload an Avis System Log.

mumbo12 · September 2008

Please attach the following file in a password protected archive.
C:\WINDOWS\system32\__c00F362.dat
Also, please download Avis from our HowTo section and upload an Avis System Log.

Hi Catalin,

You were spot on with the _c00F362.dat file, Bit Defender decided to quarantine it and identified it as Trojan.Agent.AJTY

I downloaded Spybot Search & Destroy as suggested on this forum, and it identified a file called "a.exe" (also in the system32 folder) as being Smitfraud-C.gp. Both Spyware Doctor and Bitdefender missed this one.

At last my PC seems to working fine again!

Thank you everybody for your help.

csalgau · September 2008

If you still have that file, please submit it for analysis.

mumbo12 · September 2008

If you still have that file, please submit it for analysis.

I have submitted the file as requested via Bitdefender's quarantine interface.

Best regards

mumbo

Sm3K3R · September 2008

Hi Catalin,

You were spot on with the _c00F362.dat file, Bit Defender decided to quarantine it and identified it as Trojan.Agent.AJTY

I downloaded Spybot Search & Destroy as suggested on this forum, and it identified a file called "a.exe" (also in the system32 folder) as being Smitfraud-C.gp. Both Spyware Doctor and Bitdefender missed this one.

At last my PC seems to working fine again!

Thank you everybody for your help.

a.exe ,this is very funny. Few days ago i was searching for an electric schematic of Syncmaster CRT monitor to help me repair it and ,on some site(dont remember exactly) with such adobe reader documents, i got some pop ups from my Jetico firewall ,that something from Sanboxie folder (i use this while browsing) with the name a.exe requests conections and some system privileges.I wiped it out deleting the sandbox folder manually.Unfortunatelly i didnt had acces to it to archive it and send it here.

Undetected Malware

Comments

All Time Leaders

Categories

Defenders of the month