Undetected Malware
Recently about a dozen trojans have landed on my PC despite having Bitdefender Internet Security Suite and Spyware Doctor scanning in real time.
Symptoms range from opening up unwanted browser windows with antivirus and casino ads, disappearing menu bars, keyboard mis-typing, crashes, computer slowing, freezes, etc.
Both Bitdefender and Spyware Doctor eventually find & deal with these, but more seem to come along later.
It's as though there's something on my PC that is inviting the trojans on board.
Is there any way that a malicious program could add itself to Bitdefender's Firewall whitelist?
I disabled system restore and did full systems scans then re-enabled system restore, but malware continues to arrive.
I'm not an IT person so am not sure what to do now and have limited technical knowledge. Is there any possibility that someone could help in any way?
I have Belarc Advisor installed if that could help provide any evidence.
Comments
Sorry I think I've posted this in the wrong place, how can I move my post please?
Use 3rd party firewalls like Jetico, PC Tools Firewall 4, Online Armor Free or Comodo3 (all free and with good network filtering; Jetico and PC Tools contain SPI), though this should be done on a clean machine after a fresh installation. These firewalls may help you find out what the malware is that downloads those things, just by showing you the pop-ups with the location. Most probably you infected yourself from a website. You should activate in BD the "http traffic scan" option in BD advanced settings, antivirus customizing button. Additionally I recommend for web browsing the free tool named Sandboxie.
For proper elimination of the downloaders use also Spybot Search & Destroy, Malwarebytes Antimalware and Super AntiSpyware.
Unfortunately I am not IT savvy so would not attempt to wipe my hard drives and reinstall XP. It sounds like you feel that Bitdefender's Firewall is maybe not up to the job and that third party firewalls might be better.
I have activated "http traffic scan" in Bitdefender as you suggested and things are much improved, but I suspect the malware is still lurking on the PC.
Thanks for your advice.
Hi Chesda, the Hijackthis log is attached, thank you for offering your help. (Attachment: hijackthis.log)
Could you please copy and paste it onto this thread?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:15:44, on 01/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\PrintKey2000\Printkey2000.exe
C:\Program Files\PopTray\PopTray.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\BitDefender\BitDefender 2008\uiscan.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKUS\S-1-5-18\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Startup: PopTray.lnk = C:\Program Files\PopTray\PopTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - https://www.microsoft.com/resources/virtual...iveXClient1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1133532450656
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - https://transfers.ds.microsoft.com/FTM/Tran...ransferCtrl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://hutchence.armstrong.com/ib/database...timage40803.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://creative.com/su/ocx/15016/CTPID.cab
O20 - Winlogon Notify: ec3c38a3382 - C:\WINDOWS\system32\__c00F362.dat
O20 - Winlogon Notify: __c00D291 - C:\WINDOWS\system32\__c00D291.dat (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 9151 bytes
Please attach the following file in a password protected archive.
C:\WINDOWS\system32\__c00F362.dat
Also, please download Avis from our HowTo section and upload an Avis System Log.
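As an added example (not from this thread, and not part of HijackThis or Bitdefender), a small Python triage script that parses lines in the HijackThis log format and flags O20 Winlogon Notify entries with the properties that gave the file above away: a non-.dll package with a machine-generated name, or an orphaned key whose file is missing. The sample lines are constructed from the log posted in this thread.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries from the
# log in this thread (the two O20 lines are the ones that turned out to matter).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - Winlogon Notify: ec3c38a3382 - C:\WINDOWS\system32\__c00F362.dat
O20 - Winlogon Notify: __c00D291 - C:\WINDOWS\system32\__c00D291.dat (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
WINLOGON_RE = re.compile(
    r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

def parse_entries(log_text):
    """Yield (code, body) for every 'Rn - ...' / 'On - ...' line in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")

def looks_generated(name):
    """True for hex-soup names such as 'ec3c38a3382' or '__c00F362'."""
    return bool(re.fullmatch(r"_*[0-9a-f]{6,}", name, re.IGNORECASE))

def triage_winlogon_notify(log_text):
    """Return [(path, [reasons])] for O20 entries worth a closer look.
    A legitimate Winlogon Notify package is a .dll with a readable name that
    exists on disk; each heuristic below flags a departure from that."""
    findings = []
    for code, body in parse_entries(log_text):
        if code != "O20":
            continue
        m = WINLOGON_RE.match(body)
        if not m:
            continue
        path = m.group("path")
        basename = path.replace("/", "\\").rsplit("\\", 1)[-1]
        reasons = []
        if not basename.lower().endswith(".dll"):
            reasons.append("notify package is not a .dll")
        if looks_generated(m.group("name")) or looks_generated(basename.rsplit(".", 1)[0]):
            reasons.append("random-looking name")
        if m.group("missing"):
            reasons.append("file missing (orphaned key)")
        if reasons:
            findings.append((path, reasons))
    return findings
```

Run against the full log posted above, it returns both O20 entries and nothing else; a flagged file is a candidate for quarantine and submission to the vendor, as was done in this thread.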
Hi Catalin,
You were spot on with the _c00F362.dat file, Bit Defender decided to quarantine it and identified it as Trojan.Agent.AJTY.
I downloaded Spybot Search & Destroy as suggested on this forum, and it identified a file called "a.exe" (also in the system32 folder) as being Smitfraud-C.gp. Both Spyware Doctor and Bitdefender missed this one.
At last my PC seems to be working fine again!
Thank you everybody for your help.
If you still have that file, please submit it for analysis.
I have submitted the file as requested via Bitdefender's quarantine interface.
Best regards
mumbo
a.exe, this is very funny. A few days ago I was searching for an electric schematic of a Syncmaster CRT monitor to help me repair it and, on some site (don't remember exactly) with such Adobe Reader documents, I got some pop-ups from my Jetico firewall that something from the Sandboxie folder (I use this while browsing) with the name a.exe requested connections and some system privileges. I wiped it out by deleting the sandbox folder manually. Unfortunately I didn't have access to it to archive it and send it here.