trojan downloader

morpheus · July 27, 2006, 09:10:57 PM

hi,

kapersky found this

C:\inst.hta Infected: Trojan-Downloader.VBS.Small.ae
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab

I tried dozen scans an other and only kaspersky found something ....

The problem with my pc is that he is very unstable at moment.
When i surf it goes slow.
When i search something in google, i can can try maybey 10 pages and then it blocks,
and when I want to shut down the page, the pc reboots ....

What could this be

GR@PH;<'S · July 27, 2006, 09:27:11 PM

morpheus,
Please can you try at least two if not more of these On-line scans
Panda
TrendMicro
Bit Defender
Kaspersky
Symantec
McAfee
CommandonDemand
Computer Associates
CyberTechHelp
PC Pitstop
Stinger
Also please use one or both of these Trojan scanners
a2
or download and try
TrojanHunter (Note Trojan Scanner 30 day Trial)

Then once you have done clear out your cache folder again ie: Run
CCleaner
(Note in CCleaner: go to >options > advanced > Uncheck "Only delete files in Windows Temp folders older than 48 hours"). but see CCleaner Set up
also in the settup of CCleaner The LS Staff would prefer if you un-tick (un-check) "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)at leat till your pc is clean of spyware/malware
then rescan with Ad-aware doing a "Full Scan" and post your logfile here by using the "Add-reply" feature
If needed here's how to post your Ad-aware Logfile ;)

Here's how to copy your Ad-aware log
click my computer
click local C Drive
then Click Program Files
then Click Lavasoft
then click Ad-aware SE
and then Logs,
find the latest one that you have
(by date & time)
and open it right Click select all
copy and then paste the contents of it here.
(Make sure that all of your Logfile has been posted, sometimes it will require two post's to get it all)
I recommend that you use the WebUpDate just before you scan that way you will always be up to date.

GR@PH;<'S :Hammys pint:

morpheus · July 28, 2006, 07:16:25 PM

hi,

what a job with an unstable pc ....

Bit defender was the only one who found someting
C:\WINDOWS\system32\i Infected with: Backdoor.BotGet.FtpB.Gen
and deleted it ...

here is the ad aware log

Ad-Aware SE Build 1.06r1
Logfile Created on:vrijdag 28 juli 2006 20:34:36
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R116 24.07.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):3 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file

28-7-2006 20:34:36 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\cedric\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-839522115-1060284298-1003\software\macromedia\dreamweaver 4\recent file list
Description : list of recently used files in macromedia dreamweaver

MRU List Object Recognized!
Location: : S-1-5-21-1390067357-839522115-1060284298-1003\software\microsoft\windows media\wmsdk\general
Description : windows media sdk

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 384
ThreadCreationTime : 28-7-2006 17:52:10
BasePriority : Normal

#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 452
ThreadCreationTime : 28-7-2006 17:52:11
BasePriority : Normal

#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 476
ThreadCreationTime : 28-7-2006 17:52:12
BasePriority : High

#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 28-7-2006 17:52:12
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Besturingssysteem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Services en controllertoepassingen
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 540
ThreadCreationTime : 28-7-2006 17:52:12
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 704
ThreadCreationTime : 28-7-2006 17:52:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 752
ThreadCreationTime : 28-7-2006 17:52:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 788
ThreadCreationTime : 28-7-2006 17:52:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1024
ThreadCreationTime : 28-7-2006 17:52:23
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1188
ThreadCreationTime : 28-7-2006 17:52:25
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Besturingssysteem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Windows Verkenner
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
OriginalFilename : EXPLORER.EXE

#:11 [snmp.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1380
ThreadCreationTime : 28-7-2006 17:52:26
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Besturingssysteem Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : SNMP-service
InternalName : snmp.exe
LegalCopyright : © Microsoft Corporation. Alle rechten voorbehouden.
OriginalFilename : snmp.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1400
ThreadCreationTime : 28-7-2006 17:52:27
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [spysweeper.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ProcessID : 1464
ThreadCreationTime : 28-7-2006 17:52:27
BasePriority : Normal
FileVersion : 3,0,5,1286
ProductVersion : 3, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper Engine
LegalCopyright : Copyright (C) 2002 - 2006, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe

#:14 [delttray.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 868
ThreadCreationTime : 28-7-2006 17:52:51
BasePriority : Normal
FileVersion : 5.1.0.01
ProductVersion : 5.1.0.01
ProductName : M Audio Delta Control Panel Interface System Tray Applet
CompanyName : Doug Fetter Software Wizardry
FileDescription : M Audio Delta Control Panel Interface System Tray Applet
InternalName : Delta Panel System Tray Applet
LegalCopyright : Copyright © 2002 Midiman, Inc. All rights reserved.
LegalTrademarks : M Audio (TM) is a legal trademark of MIDIMAN, Inc.
OriginalFilename : DeltTray.EXE
Comments : Developed by Doug Fetter Software Wizardry

#:15 [gsicon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 968
ThreadCreationTime : 28-7-2006 17:52:52
BasePriority : Normal
FileVersion : 3.1.0
ProductVersion : 3.1.0
ProductName : ADSL Modem
CompanyName : Eicon Networks
FileDescription : ADSL Modem Monitor
InternalName : GSICON.EXE
LegalCopyright : Copyright © 2001 Eicon Networks
OriginalFilename : GSICON.EXE

#:16 [dslagent.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 908
ThreadCreationTime : 28-7-2006 17:52:52
BasePriority : Normal

#:17 [ashdisp.exe]
FilePath : C:\PROGRA~1\ALWILS~1\Avast4\
ProcessID : 1048
ThreadCreationTime : 28-7-2006 17:52:53
BasePriority : Normal
FileVersion : 5, 0, 0, 0
ProductVersion : 5, 0, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright (c) 2006 ALWIL Software
OriginalFilename : aswDisp.exe

#:18 [e_aicn03.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1128
ThreadCreationTime : 28-7-2006 17:53:06
BasePriority : Normal
FileVersion : 1.12
ProductVersion : 1.12
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_SICN03
LegalCopyright : Copyright (C) SEIKO EPSON CORP. 1999
OriginalFilename : E_SICN03.EXE

#:19 [ewido.exe]
FilePath : C:\Program Files\ewido anti-spyware 4.0\
ProcessID : 3284
ThreadCreationTime : 28-7-2006 18:15:40
BasePriority : Normal
FileVersion : 4, 0, 0, 172
ProductVersion : 4, 0, 0, 172
ProductName : ewido anti-spyware
CompanyName : Anti-Malware Development a.s.
FileDescription : ewido anti-spyware
InternalName : ewido anti-spyware
LegalCopyright : Copyright © 2005 Anti-Malware Development a.s.
OriginalFilename : ewido.exe

#:20 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 940
ThreadCreationTime : 28-7-2006 18:33:35
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe

#:21 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 1740
ThreadCreationTime : 28-7-2006 18:34:20
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (F:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for F:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (G:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for G:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (H:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for H:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (I:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for I:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (J:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for J:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Deep scanning and examining files (K:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for K:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 3

Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 3

20:54:38 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:20:01.578
Objects scanned:240483
Objects identified:0
Objects ignored:0
New critical objects:0

regards

morpheus · July 28, 2006, 08:54:28 PM

hi,

after deleting C:\WINDOWS\system32\i by bitdefender and after rebooting everything is ok
.... hopely for a long time

was this the real problem ???

There is also C:\inst.hta Infected: Trojan-Downloader.VBS.Small.ae found by kaspersky

What should i do with this .... not much to find in google ????

regards

morpheus · July 29, 2006, 12:13:46 PM

Yesterday it was excellent, today it's a bit slower ....

Two remarques

Zone alarm is constantly monitoring (and the days before (off line) , but yesterday when it worked well for an hour of so (see above) there was no monitoring from za .....

When i visit www.destandaard.be and clicking on one of the news items(fotos) i got problems after 2 or 3 pages ..... Slow and not able to return ....
And this was also not the case testerday ....

Could this site have scripts that are in conflict with my pc ....

what should I do

regards

morpheus · July 29, 2006, 07:09:01 PM

hi,

all the trouble is gone when i shut down spysweeper... a conflict ???

regards :smash:

GR@PH;<'S · July 29, 2006, 08:56:34 PM

morpheus,

Quotewhen i shut down spysweeper... a conflict ???

Do you mean you getting an Error message, can you say what it is you are getting.

GR@PH;<'S :Hammys pint:

GR@PH;<'S · July 29, 2006, 09:04:17 PM

morpheus,
Take a look at this post about Spysweeper

QuoteDid you update Webroot Spysweeper to the new version 5.0.5?

Numerous problems have been reported regarding CPU usage at or near 100% with the last update.

http://forums.scotsnewsletter.com/index.php?s=&showtopic=15852&view=findpost&p=193255
http://www.broadbandreports.com/forum/remark,16483017
http://www.castlecops.com/f163-Spysweeper.html (numerous threads)

As far as I know, the problem was solved for everyone who experienced this problem and reverted to version 4.5 (some had to uninstall in safe mode).

GR@PH;<'S :Hammys pint:

morpheus · July 30, 2006, 09:41:29 AM

hi,

no, i get no error messages... it's just much better when i shutt off spysweeper .(4.05)
I try now to figure out how that i can use ss by removing the conflicting program ...
I wrote ss yesterday .... but still no answer ... probably on vacation ... :tease:

regards