Computer Hope

Software => Computer viruses and spyware => Topic started by: chaklo469 on May 31, 2009, 09:26:25 AM

Title: Trojans won't let me go to anti-malware web addresses!!
Post by: chaklo469 on May 31, 2009, 09:26:25 AM
Hello y'all, newb here with first post.

Down to business:

Windows XP Home SP3
Avira AntiVir personal scan file:



Avira AntiVir Personal
Report file date: Sunday, May 31, 2009  09:45

Scanning for 1441077 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 3)  [5.1.2600]
Boot mode:        Normally booted
Username:         chaka
Computer name:    HOME

Version information:
BUILD.DAT     : 8.2.0.353      17048 Bytes   5/15/2009 12:02:00
AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 14:21:26
AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 13:56:40
LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 18:44:19
LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 13:58:52
ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 17:30:36
ANTIVIR1.VDF  : 7.1.2.12     3336192 Bytes   2/11/2009 20:44:00
ANTIVIR2.VDF  : 7.1.4.38     2692096 Bytes   5/29/2009 20:46:43
ANTIVIR3.VDF  : 7.1.4.40       11264 Bytes   5/30/2009 20:46:44
Engineversion : 8.2.0.180
AEVDF.DLL     : 8.1.1.1       106868 Bytes   5/30/2009 20:48:46
AESCRIPT.DLL  : 8.1.2.0       389497 Bytes   5/30/2009 20:48:42
AESCN.DLL     : 8.1.2.3       127347 Bytes   5/30/2009 20:48:34
AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 19:58:38
AEPACK.DLL    : 8.1.3.18      401783 Bytes   5/30/2009 20:48:29
AEOFFICE.DLL  : 8.1.0.36      196987 Bytes   5/30/2009 20:48:13
AEHEUR.DLL    : 8.1.0.129    1761655 Bytes   5/30/2009 20:48:08
AEHELP.DLL    : 8.1.2.2       119158 Bytes   5/30/2009 20:47:13
AEGEN.DLL     : 8.1.1.44      348532 Bytes   5/30/2009 20:47:10
AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 16:05:56
AECORE.DLL    : 8.1.6.12      180599 Bytes   5/30/2009 20:46:58
AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 16:05:56
AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 14:40:05
AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 15:28:01
AVREP.DLL     : 8.0.0.3       155688 Bytes   5/30/2009 20:46:48
AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 17:26:40
AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 14:29:23
AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 18:27:49
SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/22/2008 23:28:02
SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 18:49:40
NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 18:05:10
RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 19:48:07
RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Windows System Directory
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysdir.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: on
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, May 31, 2009  09:45

Starting search for hidden objects.
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-00000005.dll
    [INFO]      The file is not visible.
    --> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-00000005.dll
      [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-0000000A.sys
    [INFO]      The file is not visible.
    --> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-0000000A.sys
      [DETECTION] Is the TR/Rootkit.Gen Trojan
The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\AVSCAN-20090531-094623-9003C82F.avp'.
c:\windows\system32\tdsscfub.dll
    [INFO]      The file is not visible.
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
c:\windows\system32\drivers\tdsspaxt.sys
    [DETECTION]
    [NOTE]      The file was deleted!
c:\windows\system32\tdssfpmp.dll
    [INFO]      The file is not visible.
c:\windows\system32\tdssnrsr.dll
    [INFO]      The file is not visible.
    [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
    [INFO]      No SpecVir entry was found!
c:\windows\system32\tdssoeqh.dll
    [DETECTION]
    [INFO]      No SpecVir entry was found!
c:\windows\system32\tdssosvn.dat
    [INFO]      The file is not visible.
c:\windows\system32\tdssrhym.log
    [INFO]      The file is not visible.
c:\windows\system32\tdssriqp.dll
    [INFO]      The file is not visible.
    [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
    [INFO]      No SpecVir entry was found!
c:\windows\system32\tdsstkdv.log
    [INFO]      The file is not visible.
c:\documents and settings\chaka\local settings\temp\tdss8d6f.tmp
    [INFO]      The file is not visible (shell).
    [DETECTION] Is the TR/Patched.CL Trojan
    [INFO]      No SpecVir entry was found!


End of the scan: Sunday, May 31, 2009  09:46
Used time: 01:23 Minute(s)

The scan has been done completely.

      0 Scanning directories
     10 Files were scanned
      6 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      2 files were deleted
      0 files were repaired
      0 files were moved to quarantine
      0 files were renamed
      0 Files cannot be scanned
      4 Files not concerned
      0 Archives were scanned
      0 Warnings
      2 Notes
  51894 Objects were scanned with rootkit scan
     15 Hidden objects were found

The issue I am having is ANY web browser I use (Firefox 3.0.10, IE 8, or Opera) will not let me connect to ANY anti malware sites.

I get a 'could not connect to.....' prompt.

I had AVG, but the trojan would not let me update definitions.

I have a MaxPC CD with SUPERAntiSpyware and Malwarebytes, but cannot install them; it says the files are corrupt (only these 2, of course!).

ALL Google inquiries are redirected to malware sites or Apartmentfinder on all browsers.

I deleted and/or quarantined them through the antivirus, but they come back upon reboot.

I suspect the AV is compromised >:(

I am at my wits' end and out of options except a format, but I do not have the XP CD, so this is my only hope!

Title: Re: Trojans won't let me go to anti-malware web addresses!!
Post by: chaklo469 on May 31, 2009, 12:43:53 PM
Update:

Was able to run HijackThis.

Logfile of HijackThis v1.97.7
Scan saved at 12:23:20 PM, on 5/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
e:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
E:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
F:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
E:\apps\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9F18C6A-744A-4A9B-A644-74ADAA6E8121}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF2FA76B-F1B8-49B8-B1D0-A18671B3A868}: NameServer = 208.67.222.222,208.67.220.220

Was able to download Malwarebytes, but it freezes on install.

Ad-Aware and Spybot will not let me update.
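The HijackThis entries quoted above are the ones that get checked first when every browser fails to reach security sites: the proxy setting (R1 ProxyServer), the DNS servers (O17), unnamed browser helper objects (O2) and ActiveX entries with no download source (O16). The Python script below is an added example of that triage; it is not code from the thread or from HijackThis. It runs over the relevant lines copied from the log above plus one constructed O17 line using a documentation-range resolver (192.0.2.53), and the "known resolvers" list (the two OpenDNS addresses seen in the log) is an assumption you would extend for your own environment. One caveat the script cannot cover: the Avira log shows hidden tdss*.sys and tdss*.dll files, and a kernel-mode rootkit can filter or redirect traffic below the browser, so a HijackThis log with nothing flagged does not mean the machine is clean.

```python
import re

# Constructed sample input: the R1, O2, O16 and O17 lines quoted from the
# HijackThis log in the post above, plus one hypothetical O17 line (the
# 192.0.2.53 resolver is a documentation address, not a real server) so the
# unknown-resolver path is exercised.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{C9F18C6A-744A-4A9B-A644-74ADAA6E8121}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

# Public resolvers a user may have set deliberately. Only the OpenDNS pair
# appears in the thread; treating them as "known" is an assumption.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# HijackThis entry lines look like "O17 - <body>" or "R1 - <body>".
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (kind, body) pairs for every HijackThis entry line in text."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body").strip()))
    return entries


def triage(text):
    """Flag entries that can explain 'cannot reach anti-malware sites' or
    search redirection. Returns (category, item, note) tuples in log order."""
    findings = []
    for kind, body in parse_hjt(text):
        if kind == "R1" and "ProxyServer" in body:
            # Every browser request is relayed through this host.
            proxy = body.split("=", 1)[1].strip()
            findings.append(("proxy", proxy,
                             "all browser traffic goes via this host; confirm it is expected"))
        elif kind == "O17":
            # Per-interface DNS servers; a hijacked resolver can block or redirect.
            servers = {s.strip() for s in body.split("=", 1)[1].split(",")}
            unknown = servers - KNOWN_RESOLVERS
            note = ("known public resolvers" if not unknown
                    else "unrecognised resolver(s): " + ",".join(sorted(unknown)))
            findings.append(("dns", ",".join(sorted(servers)), note))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            # Unnamed BHO: the DLL path is the only thing to identify it by.
            path = body.rsplit(" - ", 1)[1]
            findings.append(("bho", path, "unnamed BHO; verify the file and its signer"))
        elif kind == "O16" and not re.search(r"https?://", body):
            # ActiveX download entry with no source URL: nothing to trace it to.
            clsid = re.search(r"\{[0-9A-F-]+\}", body, re.I)
            findings.append(("dpf", clsid.group(0) if clsid else body,
                             "ActiveX entry with no download URL; look up the CLSID"))
    return findings


if __name__ == "__main__":
    for category, item, note in triage(SAMPLE_LOG):
        print(f"[{category}] {item}\n    {note}")
```

On the sample input the script flags the Comcast proxy for confirmation, the AcroIEHelper.dll BHO for verification, the O16 entry with the bare CLSID, and both O17 lines (the OpenDNS pair as known, the constructed one as unrecognised). The ProxyOverride and the named BitComet BHO are left alone; they are not evidence of anything on their own.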