
I am having a problem that seems like it may be common today. I get redirected to random websites when I click on search engine links and I also get a "Failed to Connect" message when I try to access antivirus web sites. My AVG earlier today detected "trojan horse SHeur:chkn". I deleted the two occurrences of this trojan that it detected using AVG. I also ran adaware and spybot and I'm still having the problem. I downloaded HJT. Here is my log file. Please help! I am a stressed out college student that really needs my computer back! Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:42 PM, on 9/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Mozy\mozystat.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Mozy\mozybackup.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cgi6.ebay.com/ws/eBayISAPI.dll?MfcISAPICommand=ViewListedItems&since=2&userid=derbycitynick&include=0&rows=200&sort=3&completed=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\Mozy\mozystat.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9755 bytes

Last Post by jholland1964

Hi, welcome to daniweb,

Please download Malwarebytes' Anti-Malware (MBA-M) to your Desktop.

* DoubleClick mbam-setup.exe and follow the prompts to install MBA-M.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When MBA-M finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.

Judy


Unfortunately when I click the anti-malware link I get the "Failed to Connect" message. I do have a laptop as well. I guess I should download it with that and move it over with a thumb drive?


By the way, any clue how I may have gotten this trojan horse SHeur.chkn or how bad it is?


It seems to be working fine now. No more google redirecting or antivirus site blocking.

I really appreciate the help. Does it appear that I did take care of all the bad stuff? Do you see any processes/programs running in the background or during start up that don't need to? Anything that will speed up my computer is definitely helpful.

Here is my malware log:

Malwarebytes' Anti-Malware 1.26
Database version: 1126
Windows 5.1.2600 Service Pack 3

9/7/2008 9:48:33 PM
mbam-log-2008-09-07 (21-48-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 146765
Time elapsed: 40 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
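A small triage script for the two logs in this thread, added here as an example; it is not part of the original post and is not code from HijackThis or Malwarebytes. It parses HJT entries (O2/O3/O4/O9/O23 lines carry file paths; R0/R1/O16 lines carry URLs), pulls the eight file indicators out of the Malwarebytes "Files Infected" section, and flags HJT entries that deserve a manual look: services reported with "Unknown owner", binaries outside the Windows and Program Files trees (an assumed allowlist, not anything HJT itself checks), and any path whose filename matches an MBAM indicator. The sample input is constructed from lines copied from the logs above. Run against these logs it finds no TDSS component in the HJT output, which is the point: HijackThis lists only the autostart and service locations it knows about and does not enumerate kernel drivers, so tdssserv.sys and the tdss*.dll files never show up in an HJT log even though they were on disk, and a clean-looking HJT log is not evidence that a rootkit is gone.

```python
"""Triage a HijackThis log against the file indicators in a Malwarebytes log.
Added example for this thread; the heuristics below are assumptions, not HJT/MBAM behaviour."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_HJT = r"""O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Global Startup: Mozy Status.lnk = C:\Program Files\Mozy\mozystat.exe
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\Mozy\mozybackup.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
"""

# Constructed sample: the detailed "Files Infected" section of the Malwarebytes log posted above.
SAMPLE_MBAM = r"""Files Infected:
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|dat))(?=\s|$)", re.IGNORECASE)
# Assumed allowlist: where software on a stock XP box is expected to live.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

@dataclass
class Entry:
    section: str          # HJT section code such as "O4" or "O23"
    text: str             # everything after "Oxx - "
    path: Optional[str]   # on-disk path of the loaded file, if the line names one

def extract_path(section: str, rest: str) -> Optional[str]:
    """Pull the file path out of the section-specific line layout."""
    if section in ("O2", "O3", "O9", "O23"):
        candidate = rest.rsplit(" - ", 1)[-1]        # "... - vendor/CLSID - path"
    elif section == "O4":
        candidate = rest.split("] ", 1)[-1]          # "[name] path args"
        candidate = candidate.split(" = ", 1)[-1]    # "Global Startup: x.lnk = path"
    else:
        return None                                  # R0/R1/O16 carry URLs, not files
    candidate = candidate.strip()
    if candidate.startswith('"'):                    # quoted path with arguments after it
        candidate = candidate[1:].split('"', 1)[0]
    m = PATH_RE.match(candidate)
    return m.group(1) if m else None

def parse_hjt(log: str) -> List[Entry]:
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            section, rest = m.groups()
            entries.append(Entry(section, rest, extract_path(section, rest)))
    return entries

def parse_mbam_files(log: str) -> List[str]:
    """Return the paths listed under the detailed 'Files Infected:' heading."""
    paths, in_section = [], False
    for line in log.splitlines():
        if line.strip() == "Files Infected:":        # the summary line has a count after the colon
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break
            if not line.startswith("("):             # skips "(No malicious items detected)"
                paths.append(line.split(" (", 1)[0].strip())
    return paths

def triage(entries: List[Entry], ioc_paths: List[str]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, reasons) for every HJT entry a human should check."""
    ioc_names = {p.rsplit("\\", 1)[-1].lower() for p in ioc_paths}
    findings = []
    for e in entries:
        reasons = []
        if e.section == "O23" and "Unknown owner" in e.text:
            reasons.append("HJT found no company name for this service binary")
        if e.path:
            low = e.path.lower()
            if low.rsplit("\\", 1)[-1] in ioc_names:
                reasons.append("filename matches a file MBAM flagged")
            if not low.startswith(TRUSTED_DIRS):
                reasons.append("loads from outside the Windows/Program Files trees")
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in triage(parse_hjt(SAMPLE_HJT), parse_mbam_files(SAMPLE_MBAM)):
        print(entry.section, entry.path or entry.text, "->", "; ".join(reasons))
```

The only hit on this input is the Mozy backup service, and it is a false positive: "Unknown owner" just means HJT could not read a company name for the binary, so the output of a script like this is a list of things to verify (signer, hash, install date), not a removal list.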


I am having a problem that seems like it may be common today....By the way, any clue how I may have gotten this trojan horse SHeur.chkn or how bad it is?

Your first comment is an understatement, to say the least! Nearly every MBA-M log I have seen in the last two weeks contains this infection! Have no idea where it comes from.
Here is one definition...

Trojan is a general term for malicious software that is installed under false or deceptive pretenses or is installed without the user's full knowledge and consent. Most Trojans exhibit some form of malicious, hostile, or harmful functionality or behavior. High risks are typically installed without user interaction through security exploits, and can severely compromise system security.

Doesn't tell us much does it?:)
One thing I note in your HJT log is you do not seem to be running a Firewall, are you running the built in Windows Firewall? This won't show in the HJT logs. If you aren't running one then by all means either use the built in Windows firewall or install one of the good free ones available. There are several noted in THIS LINK
Myself, and many others here, also highly recommend SpywareBlaster. It is truly a MUST HAVE, it is FREE, and one super thing is that it DOES NOT run in the background.

Helps prevent the installation of spyware, adware, browser hijackers, dialers, and other unwanted software; blocks many spyware/tracking cookies, and restricts the actions of unwanted sites.

Your Java is also out of date. Go HERE. Download the Offline Install file and save it to the desktop.
Once you have done that then go to Add/Remove and Uninstall all previous versions of Java. After the Uninstall is complete go to the Java Install file on the desktop and click it to install the newest version. Once the Install is finished then go back to that link above and on the right side you will see Verify Now. Click that to be certain the install went as planned.

I would also recommend that you TURN OFF the TeaTimer portion of Spybot. Doesn't do much and it runs in the background all the time and it can interfere with cleaning at times.
You can turn it off by opening the program, going up to Mode and making sure it is in Advanced Mode. Then at the bottom left choose Tools and then click Resident. Take the checkmark OUT OF TeaTimer. Close the program.

I also would advise that you uninstall AdAware. This latest version just isn't as good as previous versions and it also now has a service which runs all the time in the background.

If you get a firewall, keep SpywareBlaster updated and enabled, including the Restricted Sites portion, and keep the Malwarebytes' Anti-Malware program updated. Scan weekly with Spybot and Malwarebytes and remove everything found; this will help keep the computer clean.

You also need to think about updating your AVG. I see you are running version 7. This is an old version. The new version is AVG8. Some like it, some don't. In the link I gave above for the firewalls there are also links for some very good free antivirus programs; if you decide you don't want to go with AVG8 then download one of those to the desktop, uninstall AVG7 and then install the new antivirus program. Just remember UNINSTALL AVG FIRST. Rule of thumb is ONE antivirus and ONE firewall on a computer.
Judy


I do have windows firewall enabled. Is this not secure enough? Would you recommend an additional firewall, or will I be alright with windows firewall?

I really appreciate all your help. Thanks.


I do have windows firewall enabled. Is this not secure enough? Would you recommend an additional firewall, or will I be alright with windows firewall?

I really appreciate all your help. Thanks.

Well, I know some will argue with this but I have used the Windows Firewall exclusively for well over 4 years and NEVER had a problem.
I have followed the advice of a fellow from another board, very knowledgeable, I might add, who several years ago posted this argument concerning the Windows Firewall:

Windows Firewall blocks only incoming stuff whereas third-party firewalls block both incoming and outgoing stuff. This means that were you to inadvertently allow a trojan to be installed, WF would not prevent it from calling home with whatever information it had managed to harvest from your computer (passwords, monitored keystrokes, etc, etc). So, in theory, a third-party utility will offer a greater level of security than WF. However ...

... simply adopting safe surfing practices (not downloading applications from warez sites or via file-sharing utilities, not installing no-cost applications from little-known developers, etc, etc, etc) and running a good antivirus utility should be sufficient to prevent any trojans or other unwanted items from finding their way onto your computer and so a bi-directional firewall is, IMO, of less importance than many people seem to think.

Furthermore, look back over old threads and you'll find few (if any) instances of a person being "stung" as a result of using WF - but you'll find significantly more threads relating to problems caused by the use of a third-party firewall (botched updates, etc).

There is, however, no "one size fits all" answer here. Should you use your computer for online banking/shopping and should it be shared with file-sharing children, then it might not be a bad idea to install a third-party firewall, if you trust the other users to surf sensibly, then WF is probably perfectly sufficient for your needs.

This is the advice I have followed. Now granted, you did end up with this nasty item on your computer and you are running the Windows Firewall, however, I have seen this very same infection on MULTIPLE computers running any number of different and very respected firewalls both free and paid so honestly I don't believe the use of the Windows Firewall played a part in this...it is your choice. I personally am happy with the Windows Firewall.

You say...ADDITIONAL FIREWALL...Never an ADDITIONAL firewall, the rule is ONE firewall, whether it is the Windows Firewall or something else. So if you DO install another firewall then TURN OFF the Windows Firewall.


Today AVG found another infection, trojan horse Dropper.Bravis.A

AVG healed it. I haven't noticed any effects of the virus. Should I do anything else?


AVG just found another one: trojan horse downloader.fraudload.U

It also found some more dropper.Bravis.A trojans. It healed most, but said a couple could not be healed because they could not be found.


Have you installed or enabled the firewall discussed? Have you installed SpywareBlaster as recommended? Have you installed an updated antivirus program? AVG 7 isn't the most current version of AVG. It is now up to AVG 8. Where were these located on the system? If they were in System Restore you need to set a new, clean restore point, once you are certain the computer is clean. Also empty the Malwarebytes's Quarantine and then run a new full system scan with AVG and see what it comes up with.


I do have windows firewall enabled, and I have always have it enabled. I did download SpywareBlaster. I uninstalled AVG 7, and installed AVG 8. I emptied Malwarebyte's quarantine and ran a new full system scan with AVG. AVG found no threats. The viruses were in C:\System Volume Information\_restore....


If it isn't too much trouble, could you instruct me on how to do this? I have never done it before. Thanks.


If it isn't too much trouble, could you instruct me on how to do this? I have never done it before. Thanks.

Very easy to do. Right click My Computer. Choose Properties. The System Properties box will open and on there you will see several Tabs, one of them being System Restore. Click that Tab. When that opens place a checkmark in Turn Off System Restore, click OK. You probably will then get a message telling you that you are about to turn it off and are you sure, or something to that effect. Say yes or ok, whatever the option is. It will then turn off. Wait a moment and do the same thing, only this time Take Out the checkmark. Click OK. Then you might get a message that it is turning on. Say ok or yes if needed. That is it.:)
Judy
