Trojan Horse Downloader.Generic6.AEPH

By montanecap
Mar 15, 2008
Topic Status:
Not open for further replies.
  1. All,

    Have this nasty Trojan Horse bug that I can't get rid of. When I run an AVG scan, I always get this virus, along with the following notation in the AVG Security status log:

    File: hosts
    Result/Infection: Reading error
    Path: C:\WINDOWS\system32\drivers\etc\hosts

    I'm posting the first half of my HijackThis log (second half to follow):

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 8:34:28 AM, on 3/15/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Eric Lott\My Documents\?asks\?hkntfs.exe
    C:\Program Files\nvcoi\nvcoi.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\dumprep.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Program Files\HiJackThis_v2.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\dwwin.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2edb2abf-4743-463b-af19-494dddb5c8af} - C:\WINDOWS\system32\qiphyjc.dll (file missing)
    O2 - BHO: {26ce87e7-ed43-bb59-a894-d6659596e963} - {369e6959-566d-498a-95bb-34de7e78ec62} - C:\WINDOWS\system32\ccatkpnc.dll (file missing)
    O2 - BHO: (no name) - {3D3DCCC2-5326-0AA9-0A61-5200CCCCDAEF} - C:\WINDOWS\system32\zeedv.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: 0 - {DD6CD7BA-93FC-4392-B0A1-0CBA8E439BC6} - C:\Program Files\Internet Explorer\vikibesim.dll (file missing)
    O2 - BHO: (no name) - {FF20C6BB-8DCE-4BFA-BEA9-F61362D20FED} - C:\WINDOWS\system32\ddcyx.dll (file missing)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &InstallProvider Search Toolbar - {A9344DE7-59F2-40F8-9AE7-C203B67444DA} - C:\Program Files\Install Provider\InstallProvider.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [209754c4] rundll32.exe "C:\WINDOWS\system32\rmuqdlxf.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [rygow] C:\Program Files\Common Files\rygow22011.exe
    O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
    O4 - HKLM\..\Run: [BM23a46758] Rundll32.exe "C:\WINDOWS\system32\snedriod.dll",s
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
    O4 - HKCU\..\Run: [Nce] "C:\Documents and Settings\Eric Lott\My Documents\?asks\?hkntfs.exe"
    O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [FEW] "C:\Program Files\_wef_\sf.exe" /scan
    O4 - HKCU\..\Run: [Pdee] "C:\DOCUME~1\ERICLO~1\MYDOCU~1\RACLE~1\chkdsk.exe" -vt yazb
    O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\lrdsrngm.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Dial - C:\Program Files\Telephony Toolbar\conf\dialIE.htm
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {08BEF711-06DA-48B2-9534-802ECAA2E4F9} (PlxInstall Class) - https://www.plaxo.com/down/latest/PlaxoInstall.cab
    O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://myphone1.onvoip.net/commpilot.../BwOutlook.CAB
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462...l/SymDlBrg.cab
    O16 - DPF: {C4F8560C-708E-4553-B82A-AD0F236EDEEB} - https://na1.salesforce.com/setup/out...ps/outlook.cab

    Thanks for your help.
  2. montanecap

    montanecap Newcomer, in training Topic Starter

    Here is the second half of my HijackThis log:

    O20 - AppInit_DLLs:
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 11917 bytes

    Any help you could provide in removing this virus would be greatly appreciated.

    Thanks.
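The two halves of the log above carry the indicators a log reviewer scans for first: BHOs with no product name or with a registered DLL that is already gone, Run values whose name is a hex blob, rundll32 calling a one-letter export from a system32 DLL, binaries named one letter off a Windows process (poolsv, svhost), and autoruns launched from the user profile with characters the log can only show as "?". The script below is an added example written for this page; it is not HijackThis code and not a signature set. The sample lines are copied from the posted log, and every flagging rule is the editor's own heuristic, stated as such in the comments.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example, not part of the original thread and not HJT's own logic.
The rules below are this editor's assumptions about what a reviewer looks
for; the sample lines are a subset of the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines taken verbatim from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2edb2abf-4743-463b-af19-494dddb5c8af} - C:\WINDOWS\system32\qiphyjc.dll (file missing)
O2 - BHO: {26ce87e7-ed43-bb59-a894-d6659596e963} - {369e6959-566d-498a-95bb-34de7e78ec62} - C:\WINDOWS\system32\ccatkpnc.dll (file missing)
O2 - BHO: (no name) - {3D3DCCC2-5326-0AA9-0A61-5200CCCCDAEF} - C:\WINDOWS\system32\zeedv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [209754c4] rundll32.exe "C:\WINDOWS\system32\rmuqdlxf.dll",b
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [BM23a46758] Rundll32.exe "C:\WINDOWS\system32\snedriod.dll",s
O4 - HKCU\..\Run: [Nce] "C:\Documents and Settings\Eric Lott\My Documents\?asks\?hkntfs.exe"
O4 - HKCU\..\Run: [Pdee] "C:\DOCUME~1\ERICLO~1\MYDOCU~1\RACLE~1\chkdsk.exe" -vt yazb
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - AppInit_DLLs:
"""

# Names a dropper likes to sit one typo away from (editor's list, not exhaustive).
SYSTEM_BINARIES = ("svchost", "spoolsv", "lsass", "csrss", "winlogon",
                   "services", "explorer", "smss")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)
USER_PROFILE_RE = re.compile(r"Documents and Settings|DOCUME~1", re.I)


@dataclass
class Finding:
    line: str
    reason: str


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (dynamic programming, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_system_binary(stem: str) -> bool:
    """True when the stem is one edit away from a real Windows process name but is not that name."""
    stem = stem.lower()
    return stem not in SYSTEM_BINARIES and any(edit_distance(stem, s) <= 1 for s in SYSTEM_BINARIES)


def first_path(cmd: str) -> str:
    """The program part of an autorun command: the quoted string, or the first token."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else ""


def exe_stem(path: str) -> str:
    base = path.rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def triage(log_text: str) -> list:
    """Run the heuristics over every O2/O4 line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            if name == "(no name)" or GUID_RE.match(name):
                findings.append(Finding(line, "BHO without a product name"))
            if path.endswith("(file missing)"):
                findings.append(Finding(line, "BHO registered but its DLL is gone"))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        name, cmd = m.group("name") or "", m.group("cmd")
        if HEX_NAME_RE.match(name):
            findings.append(Finding(line, "autorun value name is a hex blob"))
        r = RUNDLL_RE.match(cmd)
        if r and len(r.group("export")) == 1:
            findings.append(Finding(line, "rundll32 calling a one-letter export"))
        stem = exe_stem(first_path(cmd))
        if looks_like_system_binary(stem):
            findings.append(Finding(line, f"'{stem}' mimics a Windows system binary name"))
        if USER_PROFILE_RE.search(cmd) or "?" in cmd:
            findings.append(Finding(line, "autorun from the user profile or with unprintable path characters"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:<70} {f.line[:60]}")
```

Run against the sample, the script flags every entry the helper later asked to remove by hand and stays silent on the NVIDIA, Symantec and Spybot autoruns. The heuristics are deliberately cheap; the point is to sort a 150-line log into "look here first" and "known vendor", not to replace the reviewer.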
  3. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Incorrect HJT version installed or wrong folder
    • Please uninstall your current version of HJT (This can be done through Control Panel => add/remove programs icon => highlight HJT => select change/uninstall button)
    • The LATEST version of Hijackthis (currently v2.0.0.2) can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory. If HijackThis is used from a temp folder it is in danger of being accidentally deleted by Disk Cleanup or similar tools. If you run Hijackthis from the desktop, the files it removes may not be backed up properly.
    • Now you are ready to run HJT, Open it using the icon on your desktop and select Scan now and save a log
    • After the scan is complete please attach the log into the forums using the attach icon above your reply (looks like a paperclip)
  ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so***

    ---------------------------------------------------------------------------------------------------


    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    This thread is for the use of montanecap only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  4. montanecap

    montanecap Newcomer, in training Topic Starter

    I downloaded the most current version of HijackThis and ran a scan. I have attached the file from the scan.

    Thanks for your help.
  5. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    You really should follow the second half of the instructions. There is a lot of adware and other junk that will be cleaned up through the 15 steps.

    You also have a nasty that we will have to remove manually.

    After following the 15 steps post

    1)combofix log
    2)avgas log
    3)hjt log
  6. montanecap

    montanecap Newcomer, in training Topic Starter

    I forgot to mention that I had previously installed Lavasoft, Spybot and AVG and had run a complete scan with all of them, but OK, I will follow your instructions. Thanks.
  7. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I was talking more about the SmitFraud and Vundo tools, as well as CCleaner.
  8. montanecap

    montanecap Newcomer, in training Topic Starter

    10/4. Be back in touch when I'm done with the 15 step program.
  9. montanecap

    montanecap Newcomer, in training Topic Starter

    Results of 15 step program

    Here you go:

    Completed the 15 step program.

    Results of Panda Antirootkit scan: negative (zero).

    I have attached the HJT, Combofix and AVG Antispyware logs as Word attachments.

    Still having problems.

    Standing by for further instructions...
  10. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    I am not opening a .doc file from an infected machine. Can you please just rename the files to end with .txt or .log?
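The refusal above is the right reflex: a Word document from a machine that is still running unknown autoruns can carry macros or embedded objects, and a plain-text log cannot. A rename only changes the extension, so the receiving side should look at the bytes. The function below is an added example for this page, not something the forum or its helpers used; the magic numbers it checks are the standard ones for OLE2, ZIP, PE and PDF, and the sample inputs are constructed.

```python
"""Decide whether a submitted "log" is really plain text before opening it.

Added example, not from the thread. Looks at content, not the file name:
rejects files whose first bytes identify a legacy Office document (OLE2),
an OOXML/JAR container (ZIP), a Windows executable (MZ) or a PDF, and
anything that does not decode as text without stray control bytes.
"""
import codecs

# Standard file signatures; "MZ" will also reject a text file that happens
# to start with those two letters, which is an acceptable false positive here.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound document (legacy .doc/.xls)"),
    (b"PK\x03\x04", "ZIP container (.docx/.xlsx/.jar/...)"),
    (b"MZ", "DOS/PE executable"),
    (b"%PDF", "PDF document"),
]
ALLOWED_CONTROL = {0x09, 0x0A, 0x0D}  # tab, LF, CR are the only control bytes a log needs


def classify_upload(data: bytes) -> str:
    """Return 'text' for a plain-text log, otherwise a short description of what the bytes are."""
    for magic, desc in MAGIC:
        if data.startswith(magic):
            return desc
    # Notepad's "Unicode" encoding writes a UTF-16 BOM; everything else is treated as UTF-8,
    # which also covers the ANSI/ASCII logs HijackThis writes.
    if data.startswith(codecs.BOM_UTF16_LE) or data.startswith(codecs.BOM_UTF16_BE):
        try:
            text = data.decode("utf-16")
        except UnicodeDecodeError:
            return "binary (invalid UTF-16)"
    else:
        try:
            text = data.decode("utf-8-sig")
        except UnicodeDecodeError:
            return "binary (not valid UTF-8)"
    bad = sum(1 for c in text if ord(c) < 0x20 and ord(c) not in ALLOWED_CONTROL)
    if bad:
        return f"binary ({bad} control characters)"
    return "text"


# Constructed samples: a log header, a legacy Office header renamed to .txt, and a ZIP header.
SAMPLES = {
    "hjt.txt": b"Logfile of Trend Micro HijackThis v2.0.2\r\nScan saved at 8:34:28 AM\r\n",
    "renamed.txt": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16,
    "log.docx": b"PK\x03\x04" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:<14} {classify_upload(blob)}")
```

Used on the upload path of a help forum (or just before double-clicking an attachment), this turns "please rename it" into a check that does not depend on the sender having done so.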
  11. montanecap

    montanecap Newcomer, in training Topic Starter

    OK. I misread the instructions about posting the logs. My bad.

    Out of town but returning tomorrow. Will send them to you on Thursday.

    Thanks again.
  12. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

  13. montanecap

    montanecap Newcomer, in training Topic Starter

    Here you go.