Need help with malicious software

By Thenoob
Aug 5, 2007
Topic Status:
Not open for further replies.
  1. I think i might have a keylogger, trojan, or something of the sort. Can you guys please help me get rid of them and check for them? I would greatly appreciate the help. Thanks.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    Someone will likely come by and ask you to run HijackThis.

    But I'd like to know what is happening that you 'think' you might have this malware. Also, do you have an up to date anti-virus program and at least 2 spyware/adware programs that you have scanned with, updating each right before the scan?
  3. Thenoob

    Thenoob Newcomer, in training Topic Starter

    i keep finding downloader.agent.awt and its not going away.
  4. almcneil

    almcneil TechSpot Guru Posts: 1,554

  5. Thenoob

    Thenoob Newcomer, in training Topic Starter

    C:\RECYCLER\NPROTECT\00450481.ZIP/AlienHandSetup.exe That is the file it is in but I can't find it.
  6. almcneil

    almcneil TechSpot Guru Posts: 1,554

    Make sure you quarantine that file. That should at least render it useless. Sometimes you don't need to remove the file, just make sure it can't do anything!
  7. Thenoob

    Thenoob Newcomer, in training Topic Starter

    I quarantined it, but now it doesn't show up under quarantined items. Any other way I can check to see if there are other keyloggers or spyware?
  8. almcneil

    almcneil TechSpot Guru Posts: 1,554

    You can try other anti-malware utilities if you want but I recommend that 1 anti-virus and 3 anti-spyware are enough. I also recommend AVG anti-rootkit.

    Did you try removing it in Safe Mode?
  9. Thenoob

    Thenoob Newcomer, in training Topic Starter

    No, not yet, after i finish these scans I'm going to run spy-bot, avg anti-spyware and rootkit, then probably norton too all in safe mode. Think that will be sufficient?
  10. almcneil

    almcneil TechSpot Guru Posts: 1,554

    Yes, that's sufficient.

    I notice you have Norton. They have an extensive web site where they list manual methods for removing known malware. You can check that to see what else you can do.
  11. Thenoob

    Thenoob Newcomer, in training Topic Starter

    Thanks:D . I need to get this comp cleaned up.
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +34

    This is a strange one! Had to translate sites in France for any info:

    1. Suggest you do search on system for .tmp and .temp files> Edit> Select All> Delete You may first have to open folder, delete files individually.

    2. I found evidence that it came in on a screensaver:
    C:\WINDOWS\SYSTEM32\Grand Canyon Scenic Reflections.scr - > Downloader.Agent.awt:
    3.. Look for this in your system. Use 'scr' first. If found, try right click> Delete or search for the screensaver and remove it.
    If it doesn't show above> Right click on start> Explore> Windows> System32> Grand Canyon.......> right click> Delete

    3.. The NProtect folder is a Norton component; specifically, it's the folder where the Norton Protected Recycle Bin feature stores items you delete:C:\RECYCLER\NPROTECT\00450481.ZIP/AlienHandSetup.exe

    To delete this folder:
    Disabling the Norton Protected Recycle Bin should delete the items Norton has stored in the Recycler folder:> See reply by DMR (Wombat at large) about 2/3 down on this site:
    http://www.daniweb.com/forums/thread52383.html

    4. The only way you can check your system for all malware is using HijackThis. Look for the appropriate location here for directions to run program and post log.

    5. Evidence it got in System Restores so you need to turn off SR to drop all on system.>After you're clean> restart:
    Control Panel> System> System Restore tab> click to CHECK 'Turn off system Restore> Apply> OK. Reverse to start it again.
  13. Thenoob

    Thenoob Newcomer, in training Topic Starter

    I found a huge list of things when I searched for .tmp. Should I delete them all? Hijack this report inc soon. Should I run it in safe mode?
     
  14. almcneil

    almcneil TechSpot Guru Posts: 1,554

    That's the problem!! I had this with a customer recently.

    Norton has a new feature that prevents Windows from deleting anything Norton considers "protected" (it thinks is important.) You need to go into Recycling Bin and manually flush that yourself or disable the feature in Norton Internet Security.

    Thx Bobbye!! Good call!!
  15. Thenoob

    Thenoob Newcomer, in training Topic Starter

    What about my last question?
  16. almcneil

    almcneil TechSpot Guru Posts: 1,554

    Deleting .tmp files is safe although you might find some of your programs have lost recent settings and info.

    Go ahead.
  17. Thenoob

    Thenoob Newcomer, in training Topic Starter

    I meant whether i should run the highjack this program in safe-mode or regular.
  18. almcneil

    almcneil TechSpot Guru Posts: 1,554

    Run HijackThis in both modes.

    Safe Mode has a feature that is both an advantage and disadvantage. One feature of Safe Mode is that it removes or relaxes Windows security features. Certain malware takes advantages of flaws in security features to prevent them from being detected and/or removed. By removing/relaxing the security features, they can now be detected and removed. The disadvantage of Safe Mode is that only a subset of Windows is used. Since some malware runs out of optional components, you may be able to detect it in Normal Mode but not remove it. In Safe Mode, it's not running, hence, you can't detect it. So, you're hosed!!
  19. Thenoob

    Thenoob Newcomer, in training Topic Starter

    Here is the regular one.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:40:59 PM, on 8/5/2007
    Platform: Windows XP SP2 (removed info)If you need this let me know.
    MSIE: Internet Explorer v7.00 (removed info)If you need this let me know.
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Common Files\AOL\1137811315\ee\AOLSoftware.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\CTHELPER.EXE
    C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    c:\program files\common files\aol\1137811315\ee\aim6.exe
    C:\Program Files\Norton AntiVirus\NAVW32.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [IPHSend] "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HostManager] "C:\Program Files\Common Files\AOL\1137811315\ee\AOLSoftware.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [CTXFIREG] C:\My Music\drivers\audio\addon\common\i386\CTxfiReg.exe
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
    O4 - HKLM\..\Run: [Corel Photo Downloader] "C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
  20. Thenoob

    Thenoob Newcomer, in training Topic Starter

    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

    --
    End of file - 11147 bytes
  21. Thenoob

    Thenoob Newcomer, in training Topic Starter

    Here is the log when i ran it in safemode.

    Moderator Edit: Please post your HijackThis log as an attachment to this thread. Do not copy and paste if not it will be ignored and/or removed.
  22. Thenoob

    Thenoob Newcomer, in training Topic Starter

    Can anyone look at the log for me please?
  23. momok

    momok Newcomer, in training Posts: 2,272

    Hi,

    That log looks clean. However, I need to see one from normal mode to be sure.

    Regards,
    Your friendly momok =)
  24. Thenoob

    Thenoob Newcomer, in training Topic Starter

    The first one on the first page is the normal one.
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.