Hi guys =) My AVG recently informed me that I was infected by a trojan called Downloader.Stubby.A. I ran AVG and it appeared that everything was fixed. However, this afternoon I turned on my computer only to be met by another warning, stating that I had been infected by another trojan, this one called Downloader.Dyfica.AC. Yet again AVG ran and cleaned it, saying that everything was fine. If I need to do something manually to remove this trojan, or whatever it might be, I would REALLY appreciate any help you could give. My HJT log is here, just in case anything else needs to be fixed. Thank you
~Steve
Logfile of HijackThis v1.97.7
Scan saved at 5:17:36 PM, on 3/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\imgeocwa.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\Steven\My Documents\Hijack\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dictionary.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep.../start.cgi?hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hklm
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [sjxukeao] C:\WINDOWS\System32\imgeocwa.exe
O4 - HKLM\..\Run: [BIPWDK] C:\WINDOWS\BIPWDK.exe
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7832.6917361111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
Topic: Infected
Started by UnknownWonder, Mar 02 2004 01:31 AM (6 replies)
#1
Posted 02 March 2004 - 01:31 AM
#2
Posted 02 March 2004 - 02:07 AM
Hi Steve and Welcome
You have a number of browser hijackers there.
First, You have a CoolWebSearch hijacker and that needs a special (free) tool to remove it called CWShredder.
http://www.spywarein.../CWShredder.exe
1. Just download it, and click on it (You will need to have all browsers and any open windows closed). Hit the *Fix* button to run it. Let it fix what it finds. When done, press *next* and you will get the results, and then *exit*.
Alternate download in case the above link is not working:
http://www.majorgeek...6c5901960cc6e24
2. Reboot your PC after running the CWShredder.
3. You also need all the Windows Critical Security Updates for your operating system (this may well be how you got infected). Go here and get all of them recommended:
http://v4.windowsupd.../en/default.asp
4. Scan again with HijackThis and post a new log so we can take care of the others :)
5. Also include with your post back here, what was the name and location (full path) of the file AVG is alerting you on?
#3
Posted 02 March 2004 - 02:45 AM
Well, as I said AVG removed them both, BUT for some reason Dyfica came back after I removed Stubby. The location for Stubby was "C:\Documents and settings\steven\local settings\temp\belt.exe"...and Dyfica had two locations which were as follows "C:\program files\intern?2\update\actalert.exe" and "C:\documents and settings\steven\local settings\temporary internet files\content.ie5\cks07se0\acttale?1". Not that it does much good now that they are gone, BUT I'm sure I'll get a new addition to my family of trojans, and this time I will wait for your advice =) Unless that is a bad idea.
#4
Posted 02 March 2004 - 08:56 AM
Hi,
this value
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
corresponds to
http://vil.nai.com/v...ent/v_98684.htm
Scan your PC online
http://www.trendmicr.../enterprise.htm
#5
Posted 02 March 2004 - 11:57 AM
QUOTE (UnknownWonder @ Mar 1 2004, 09:45 PM)
> Well, as I said AVG removed them both, BUT for some reason Dyfica came back after I removed Stubby. The location for Stubby was "C:\Documents and settings\steven\local settings\temp\belt.exe"...and Dyfica had two locations which were as follows "C:\program files\intern?2\update\actalert.exe" and "C:\documents and settings\steven\local settings\temporary internet files\content.ie5\cks07se0\acttale?1". Not that it does much good now that they are gone, BUT I'm sure I'll get a new addition to my family of trojans, and this time I will wait for your advice =) Unless that is a bad idea.
Unknown, as I said, you have more than one problem there. Have you done steps 1 - 4?
AVG is giving you only one or two detections but there are others showing and most of these are spyware/hijackers.
So please post back with a fresh HijackThis log and what steps you have taken so far; there will be more to do.
#6
Posted 02 March 2004 - 03:40 PM
Steps 1-4 done, here is my new HJT log
Logfile of HijackThis v1.97.7
Scan saved at 7:38:37 AM, on 3/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\imgeocwa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Steven\My Documents\Hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dictionary.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [sjxukeao] C:\WINDOWS\System32\imgeocwa.exe
O4 - HKLM\..\Run: [BIPWDK] C:\WINDOWS\BIPWDK.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\progra~1\steam\steam.exe" -silent
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ub...s/GSManager.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7832.6917361111
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
#7
Posted 02 March 2004 - 05:27 PM
1. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [sjxukeao] C:\WINDOWS\System32\imgeocwa.exe
O4 - HKLM\..\Run: [BIPWDK] C:\WINDOWS\BIPWDK.exe
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
................................
2. Make sure your PC is configured to show hidden files:
How to Show Hidden Files
http://www.xtra.co.n...1916458,00.html
3. Reboot your PC into Safe Mode
How to start the computer in Safe mode (all)
http://service1.syma...001052409420406
4. Delete the following named in bold (if found):
c:\Program Files\iesearchbar (folder)
C:\WINDOWS\System32\imgeocwa.exe (file)
C:\WINDOWS\BIPWDK.exe (file)
C:\WINDOWS\reload.vbs (file)
C:\WINDOWS\Downloaded Program Files\bridge.dll (file, if found)
5. Clear out your Cache (empty the contents of the Temporary Internet Folder) and empty the recycle bin.
6. Reboot and get an online scan at one (preferably two) of the following. Let them remove or clean any infected files found.
Panda's Active Scan
http://www.pandasoft...n_principal.htm
Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com
RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/
eTrust AV web scanner (Computer Associates)
http://www3.ca.com/v.../virusscan.aspx
Reboot your PC after cleaning with the online AV scanners
..........................................................
7. Next, please download this free program to clean up your PC a bit more because of the spyware and junk you had on there.
Updating it first before scanning is very important - please do not skip that step.
Download Adaware (get the free edition)
http://www.lavasoft....ftware/adaware/
Download, install it and open it.
Click on the *Check for Updates Now* button and *connect*.
Let it download and install the updates.
Then press *scan now*.
Let it remove what it finds.
8. When done, reboot your PC.
Now, please scan again with HijackThis and post a fresh log :)
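The fix list above is the product of reading each HijackThis line against a few rules of thumb: IE start and search pages the owner never set, BHOs with no name or no backing file, and autostarts that run a script from the RunServices key, load a DLL out of IE's download cache, or launch an unrecognised executable sitting directly in the Windows folder. The Python below is an added example, not a tool from this thread or from HijackThis itself; it parses the entries quoted in the two logs and applies those rules. The OWN_PAGES and KNOWN_SYSTEM allowlists are assumptions taken from what the poster said and from the log, not a general reference of safe programs.

```python
import re
# Constructed sample: entries copied from the HijackThis logs quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.sma...t/7search/?hkcu
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dictionary.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homep.../start.cgi?hklm
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\Downloaded Program Files\bridge.dll",Load
O4 - HKLM\..\Run: [sjxukeao] C:\WINDOWS\System32\imgeocwa.exe
O4 - HKLM\..\Run: [BIPWDK] C:\WINDOWS\BIPWDK.exe
O4 - HKLM\..\RunServices: [reload] C:\WINDOWS\reload.vbs
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""
ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# First token of an O4 command: a quoted path, or text up to a known executable extension.
TARGET_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|vbs|js|wsf|bat|scr|com))(?=[\s,]|$)', re.I)
OWN_PAGES = ("dictionary.com", "dellnet.com")  # pages the poster chose himself (assumption)
KNOWN_SYSTEM = {"ctfmon.exe", "rundll32.exe"}  # Windows binaries expected to autostart here
WINDOWS_DIRS = (r"c:\windows", r"c:\windows\system32")

def review_entry(line):
    """Return why this HijackThis entry deserves a manual look, or None if it looks benign."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    if kind in ("R0", "R1"):  # IE start/search pages: anything the owner did not choose
        url = body.split("=", 1)[1].strip()
        if not any(p in url for p in OWN_PAGES):
            return "IE start/search page points to a site the owner did not choose"
    elif kind == "O2":  # every BHO is reviewed; one with no backing file is an orphan
        if body.endswith("(no file)"):
            return "orphaned BHO registration (DLL already gone)"
        return "browser helper object with no name: verify the vendor before keeping it"
    elif kind == "O4":  # registry autostart: key, [name], then the command line
        key, _, cmd = body.partition(": ")
        cmd = cmd.split("] ", 1)[-1].strip()
        t = TARGET_RE.match(cmd)
        target = (t.group(1) or t.group(2)) if t else cmd.split(" ")[0]
        folder, _, base = target.lower().rpartition("\\")
        if "RunServices" in key:
            return "RunServices is a Windows 9x autostart key; rarely legitimate on XP"
        if "downloaded program files" in cmd.lower():
            return "rundll32 loading a DLL out of IE's download cache"
        if folder in WINDOWS_DIRS and base not in KNOWN_SYSTEM:
            return "unrecognised executable dropped into the Windows folder"
    return None

def triage(log_text):
    """Return [(entry, reason)] for every entry that needs review, in log order."""
    pairs = ((ln.strip(), review_entry(ln)) for ln in log_text.splitlines())
    return [(entry, reason) for entry, reason in pairs if reason]
```

Run against SAMPLE_LOG it flags exactly the two hijacked IE pages, both BHOs and the four O4 lines the helper listed, and leaves AVG, ctfmon and the owner's own start page alone; it is a reading aid, not a substitute for checking each file.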