0

Well, I'm back again and I've acquired a trojan dropper it seems. Can anyone help me get rid of it please? Adaware doesn't detect it, Spybot S&D does, but everytime I delete it, it remains. It's in my registry.

Here is it's location: HKEY_USERS\S-1-5-21-790525478-1177238915-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E14DCE67-8FB7-4721-8149-179BAA4D792C}

I'll be glad to give more info if someone helps, thanks.

2
Contributors
10
Replies
11
Views
10 Years
Discussion Span
Last Post by trace526
0

Brilliant. You musta known we couldn't read that...
Post a hijackthis log, please?
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then rename the Hijackthis.exe to imabunny.exe.

Okay, I got it from the page source, it's a backdoor trojan, Ciadoor.
==GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free
-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Start AVG a-s 7.5;
-under Scanner/ Settings please change the default action from Recommended Actions to QUARANTINE, and run the complete system scan.
-press Apply all Actions and Save the log file. Post the log file.
Start hijackthis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

0

well i use nod32, so u want me to uninstall nod32 and install AVG?

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:08:27 PM, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Shared Files\CTSched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Pidgin\pidgin.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\hijack this\HiJackThis(2).exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CreativeTaskScheduler] "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

--
End of file - 3381 bytes

0

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:33:12 PM 8/2/2007

+ Scan result:

C:\System Volume Information\_restore{0115C938-F918-4AD7-9A42-9C070F75CA6C}\RP35\A0008896.ini -> Backdoor.Bifrose.tm : Cleaned with backup (quarantined).
C:\WINDOWS\system32\7E56BF3Wzf.ini -> Backdoor.Bifrose.tm : Cleaned with backup (quarantined).
C:\Program Files\ESET\infected\HDEXL3CA.NQF -> Backdoor.Ciadoor.13 : Cleaned with backup (quarantined).
C:\Documents and Settings\bryan\Cookies\bryan@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\bryan\Cookies\bryan@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.73:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.74:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.75:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.6:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.76:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.32:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.33:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.86:C:\Documents and Settings\bryan\Application Data\Mozilla\Firefox\Profiles\5ektocgm.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.


::Report end

0

Ah... does it feel better now?
"well i use nod32, so u want me to uninstall nod32 and install AVG?" Well, NOD let em in, didn't it? But no, don't change.... AVG you can revert to an on-demand scanner for when you think you need it, just do an update b4 the scan [it will revert anyway after 30 days, n that's how I keep it]. And so far, no scanner catches everything...
Empty that quarantine bin, and you could run ComboFix to check for extras hiding... but your log shows clean.
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
As a precaution, turn OFF, then ON your system restore on all drives to clear old restore points - one was infected.

0

sorry, i was confused for a sec, i thought you had linked to AVG anti virus. well, i followed all steps and the AVG not only detected but also removed the 2 backdoors. It makes me wonder about the protection of NOD32. Im surprised to find out it allowed these infections through. thanks for all help.

0

If one of em was perfect, it would be the only one out there. And pretty soon it would no longer be perfect.
You listening, Mr Gates?
Cheers.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.