bellringr, Posted October 17, 2004

When I opened my e-mail tonight, a trojan downloaded itself on my computer without me having done a single thing. AVG let me know about it, but it didn't stop it from downloading. The ONLY thing I had in my e-mail that was new was a notification from TCH about a new PM I had. It was a spam PM from some idiot named pinkwaves968 or something that made no sense. Now, I don't know how this happened, but right now all I care about is getting rid of this trojan.

I ran AVG immediately, which found it and quarantined it. I deleted it from the quarantined folder. Then I ran Spybot and AdAware. However, things are still popping up on my desktop. I did some Google research and evidently there are things I need to clean up in the registry, but I'm not sure what. I downloaded Hijack This and was wondering if anyone here is knowledgeable enough to tell me what needs to be fixed? Here is my file:

Logfile of HijackThis v1.98.2
Scan saved at 9:07:48 PM, on 10/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\All Users\Desktop\Pictures\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.totalchoicehosting.com/forums/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: run=C:\WINDOWS\cross\RESET.EXE
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [lwb] C:\WINDOWS\lwb.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [Computer Alarm Clock] C:\PROGRA~1\COMPUT~1\cac.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\Aim95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Win32 Classes -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

Any help you can provide is greatly appreciated. I'm more than a little upset at AVG for not stopping it before it downloaded, but I guess I need to tighten my settings in Outlook and just turn them off when someone needs to legitimately send me a file. Thanks everyone!

Kristi
jandafields, Posted October 17, 2004

I would suggest using Thunderbird instead of Outlook, and using Firefox instead of Internet Explorer. That should cut down on most infections...
bellringr (Author), Posted October 17, 2004

I already use Firefox, but thanks for that insightful advice.
TCH-Dick, Posted October 17, 2004

Take a look here for Agent.AS: http://www.faqfarm.com/Computer/Virus/Downloader/22744

And this appears to be a key logger:

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

http://pestpatrol.com/pestinfo/s/safesurfing.asp
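As an added example (not code from this thread, from HijackThis, or from any tool mentioned here), the triage below parses the kinds of HijackThis entries quoted in the log and flags the ones this reply points at: IE search and start pages redirected to an unfamiliar host, the win.ini run= hook, a browser helper object with a missing file, and Run-key autostarts that are not on a baseline the owner recognizes. The sample lines are a subset of the posted log; the trusted-host and known-autostart lists are constructed assumptions standing in for what the machine's owner would recognize.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the entries from the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.totalchoicehosting.com/forums/
F3 - REG:win.ini: run=C:\WINDOWS\cross\RESET.EXE
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll (file missing)
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [lwb] C:\WINDOWS\lwb.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# Assumed baseline: hosts the owner set on purpose, and autostart names the owner
# recognizes. Anything outside these lists is reported for manual review.
TRUSTED_HOSTS = {"www.totalchoicehosting.com"}
KNOWN_AUTOSTARTS = {
    "systemTray", "ATIPTA", "WINDVDPatch", "updReg", "Jet Detection", "QuickTime Task",
    "sunJavaUpdateSched", "Computer Alarm Clock", "AVG_CC", "PopUpStopperFreeEdition",
    "ctfmon.exe",
}

def triage(log_text):
    """Return (kind, reason, line) for each HijackThis entry that deserves a closer look."""
    findings = []
    for raw in log_text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, the process list and blank lines are skipped
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and " = http" in body:
            # Start page / search bar hijacks point IE at a host the owner never chose.
            host = urlsplit(body.split(" = ", 1)[1]).hostname
            if host not in TRUSTED_HOSTS:
                findings.append((kind, f"IE setting points at untrusted host {host}", raw))
        elif kind == "F3" and "run=" in body:
            # win.ini run= is a legacy autostart hook that current software has no reason to use.
            findings.append((kind, "win.ini run= autostart", raw))
        elif kind == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append((kind, "browser helper object with no name or missing file", raw))
        elif kind == "O4":
            name = re.search(r"\[(.+?)\]", body)
            if name and name.group(1) not in KNOWN_AUTOSTARTS:
                findings.append((kind, f"autostart '{name.group(1)}' not in baseline", raw))
    return findings
```

Run against the sample it reports the smartbotpro search bar, the win.ini hook, the Var1Helper BHO and the intdctrr, lwb and PrivacyScanner autostarts, while the AVG entry and the TCH start page pass.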
bellringr (Author), Posted October 17, 2004

Dick, I've been going over all of this info for the past hour. I did a search in my registry for that key and didn't find it, and I also didn't find the subfolders mentioned in the first link you sent. Is it possible that I got this cleaned up fast enough that it didn't create these? I'm confused and concerned now. I can't seem to find other indications of infection, but I'm so paranoid now that I need to be SURE that my logs aren't being sent out.

It takes a special kind of inhuman slimeball to create things like this where someone can be prepared and still get hit. I have many other things to say about those people, but this is a family forum.

I will probably do the restore from my windows disc just to be on the safe side. It says to back up my user files. Can you tell me please what those are exactly? Is that what is under Documents and Settings/all users?

Thanks for your help!!
bellringr (Author), Posted October 17, 2004

One more thing - when I reboot, I am getting this program called Privacy Scanner that pops up and wants me to scan my system. Obviously I haven't, and there's nothing in Remove Programs to get rid of it. It says it's from w*w.privacychampion.com. Anyone know who these jerks are? I can't even delete the programs it has installed. :/

Yeah, this is really how I wanted to spend my Sunday.
TCH-Dick, Posted October 17, 2004

Your user files are going to be in My Documents, Desktop, or any other files you created. Also don't forget any programs that might save data to the directory they are installed in (e.g. games, finance, web design software).

You might not find those specific subfolders on your machine. That was the closest description I could find using the information in your post. If you can give us the name of the file AVG found, that would help.

Not sure about PrivacyChampion, I have never seen it before. I did a search and found it on Download.com. http://www.download.com/Privacy-Champion/3...4-10298479.html
bellringr (Author), Posted October 17, 2004

OK, hubby finally got up and showed me the error I was making when looking for that key in my registry. It WAS there, and we got it, the exe file, and the prefetch file deleted. The second link was the one that did the trick. This was my first foray into the registry. Hubby had always taken care of that before, but now I know.

Thank you so much, Dick - these things aggravate and anger me to no end because I feel so powerless to stop them. Would it be your opinion that having deleted this registry entry and exe file means I'm probably safe now? I'm still paranoid to go into anything that requires a password to be entered.
TCH-Dick, Posted October 17, 2004

Good Job

"Would it be your opinion that having deleted this registry entry and exe file means I'm probably safe now? I'm still paranoid to go into anything that requires a password to be entered."

You should be OK. Just remember if you ever go back to a previous restore point you would be back where you started. I would just remove all old restore points. http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam
angiedixon, Posted October 21, 2004

I got Privacy Scanner too, and I *know* I didn't install it. The people at Privacy Champion have been very unhelpful. When asked how to uninstall it, they told me to delete the exe file and the shortcut on my desktop. I have never seen a legitimate program that didn't allow itself to be uninstalled, and I find it very unlikely that this program did not put anything in my registry. I asked them again about the registry, and they didn't reply. I have asked them a THIRD time, not so nicely. Tomorrow I start a public relations campaign from h*ll that will put them in a very bad light. Unless they tell me what they did to my computer and how to fix it.

If anyone else has ever encountered these guys, please let me know what your experience was. They seem to be fairly new, but I don't believe they're legitimate purveyors of useful software. I've never had Microsoft Office, for instance, install itself on my computer without my permission and refuse to uninstall.

Thanks.
Angie Dixon
bellringr (Author), Posted October 22, 2004

"I've never had Microsoft Office, for instance, install itself on my computer without my permission and refuse to uninstall."

Now THAT would at least be useful! heh

I agree - these guys are shady and I plan on posting at places like cnet and download.com.
VRX, Posted October 22, 2004

Bellringr, where in the registry is it? I looked in the uninstall folder in the registry, but I can't find anything. Can you please post where you found it.