several different downloader trojans

Discussion in 'adware, spyware & hijack cleaning' started by spectre, Apr 21, 2004.

Thread Status:
Not open for further replies.
  1. spectre

    spectre Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    5
    Hi all. Been having some trouble here. Within the last two days AVG has notified me of the following on my system: Downloader.Keenval.A, Downloader.Keenval.B, Downloader.Keenval.c, Downloader.Small4.BQ, Downloader.Revop.A, Downloader.Winshow.R, Downloader.Winshow.Y, Startpage, SecThought.E, and Dropper.Inor

    To combat, I have run AVG and Spybot S&D several times and it seems to temporarily help, but they often pop back up.

    I downloaded bazooka last night and made the recommended edits. I turned off system restore after this, turned it back on and then ran Spybot Search and Destroy again (up-to-date definitions) which did not find anything except for cookies.

    I then ran Highjack This and the following is my latest log from last night about 3:00 am. I really would appreciate any advice. I'm tearing my hair out here. thanks so much.

    Logfile of HijackThis v1.97.7
    Scan saved at 3:01:54 AM, on 4/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\DeltTray.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\windows\temp\tWkq67.exe
    C:\windows\temp\SgD9.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.frontiernet.net/
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [tWkq67] C:\windows\temp\tWkq67.exe
    O4 - HKLM\..\Run: [SgD9] C:\windows\temp\SgD9.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/us/en/systemprofiler/SysPro.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
     
  2. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi spectre,

    Welcome to Wilders.

    First turn OFF System Restore.
    1. On the Desktop, right-click My Computer.
    2. Click Properties.
    3. Click the System Restore tab.
    4. Check the box beside "Turn off System Restore".
    5. Click Apply, and then click OK.
    6. Restart the computer. (You must restart your computer to clear the old Restore Points)

    Check the following items in HijackThis.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

    O4 - HKLM\..\Run: [tWkq67] C:\windows\temp\tWkq67.exe
    O4 - HKLM\..\Run: [SgD9] C:\windows\temp\SgD9.exe
    O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\System32\dp-k13w13.exe

    O4 - HKLM\..\Run: [Dpi] C:\Program Files\Common Files\Dpi\dpi.exe

    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe

    There also may be hidden files. See HERE for how to show hidden files.

    Then reboot into safe mode and delete:

    C:\windows\temp\ <-- Delete everything inside this folder.
    C:\WINDOWS\System32\dp-k13w13.exe
    C:\Program Files\Common Files\Dpi\ <-- entire folder
    C:\WINDOWS\System32\msmc.exe

    Reboot.

    To Turn System Restore back ON.
    1. Follow the above Steps 1 to 3
    2. UNcheck the box beside "Turn off System Restore".
    3. Click Apply, and then click OK.
    4. Restart your computer.
    5. Then CREATE a new restore point.

    Now post a fresh HijackThis log.

    Regards,
    Kent
     
  3. spectre

    spectre Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    5
    many thanks kent.

    I'm am at work right now, but will be home in about an hour and will do the steps you recommended and i'll post back with my results.

    thanks again.
     
  4. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,449
    Location:
    North Carolina, USA
    Hi spectre,

    Either myself or one of the other Experts here will be glad to check out your new log whenrver you have done the fixes and rescanned with HJT.

    Regards,
    Kent
     
  5. spectre

    spectre Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    5
    Alright. Follwed your instructions and here is the latest HJT log. Am I looking any better? thanks.

    Logfile of HijackThis v1.97.7
    Scan saved at 7:33:23 PM, on 4/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINDOWS\System32\DeltTray.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\The Cleaner\tca.exe
    C:\Program Files\The Cleaner\tcm.exe
    C:\WINDOWS\system32\pcs\pcsvc.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.frontiernet.net/
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb01.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
    O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
    O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/us/en/systemprofiler/SysPro.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.com/fixes/PROFILER.CAB
     
  6. spectre

    spectre Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    5
    Oh, also what about this:

    "O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe"

    Bazooka says that it is adaware called promulgate.
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    That is correct. It is also the only malware left in your log.

    Check the item below in HijackThis, close all windows except HijackThis and click Fix checked:

    O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

    Reboot and delete the C:\WINDOWS\system32\pcs folder.

    You may want to read this: https://www.wilderssecurity.com/showthread.php?t=27971 about how to protect your computer.

    Regards,

    Pieter
     
  8. spectre

    spectre Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    5
    ok, got rid of the promulgate thing and have run avg, spybot S&D and bazooka and all are coming up clean. So far so good.

    I REALLY appreciate the help kent and pieter. you guys are life savers. :)
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,330
    Location:
    Netherlands
    Glad we could help. :)

    Pieter
     
Thread Status:
Not open for further replies.