
Topic: Trojans won't let me go to anti-malware web addresses!!


chaklo469 (Topic Starter, Newbie)

    Trojans won't let me go to anti-malware web addresses!!
    « on: May 31, 2009, 09:26:25 AM »
    Hello y'all, newb here with first post.

    Down to business:

    Windows XP Home SP3
    Avira AntiVir personal scan file:



    Avira AntiVir Personal
    Report file date: Sunday, May 31, 2009  09:45

    Scanning for 1441077 virus strains and unwanted programs.

    Licensed to:      Avira AntiVir PersonalEdition Classic
    Serial number:    0000149996-ADJIE-0001
    Platform:         Windows XP
    Windows version:  (Service Pack 3)  [5.1.2600]
    Boot mode:        Normally booted
    Username:         chaka
    Computer name:    HOME

    Version information:
    BUILD.DAT     : 8.2.0.353      17048 Bytes   5/15/2009 12:02:00
    AVSCAN.EXE    : 8.1.4.10      315649 Bytes  11/18/2008 14:21:26
    AVSCAN.DLL    : 8.1.4.0        40705 Bytes   5/26/2008 13:56:40
    LUKE.DLL      : 8.1.4.5       164097 Bytes   6/12/2008 18:44:19
    LUKERES.DLL   : 8.1.4.0        12033 Bytes   5/26/2008 13:58:52
    ANTIVIR0.VDF  : 7.1.0.0     15603712 Bytes  10/27/2008 17:30:36
    ANTIVIR1.VDF  : 7.1.2.12     3336192 Bytes   2/11/2009 20:44:00
    ANTIVIR2.VDF  : 7.1.4.38     2692096 Bytes   5/29/2009 20:46:43
    ANTIVIR3.VDF  : 7.1.4.40       11264 Bytes   5/30/2009 20:46:44
    Engineversion : 8.2.0.180
    AEVDF.DLL     : 8.1.1.1       106868 Bytes   5/30/2009 20:48:46
    AESCRIPT.DLL  : 8.1.2.0       389497 Bytes   5/30/2009 20:48:42
    AESCN.DLL     : 8.1.2.3       127347 Bytes   5/30/2009 20:48:34
    AERDL.DLL     : 8.1.1.3       438645 Bytes   11/4/2008 19:58:38
    AEPACK.DLL    : 8.1.3.18      401783 Bytes   5/30/2009 20:48:29
    AEOFFICE.DLL  : 8.1.0.36      196987 Bytes   5/30/2009 20:48:13
    AEHEUR.DLL    : 8.1.0.129    1761655 Bytes   5/30/2009 20:48:08
    AEHELP.DLL    : 8.1.2.2       119158 Bytes   5/30/2009 20:47:13
    AEGEN.DLL     : 8.1.1.44      348532 Bytes   5/30/2009 20:47:10
    AEEMU.DLL     : 8.1.0.9       393588 Bytes  10/14/2008 16:05:56
    AECORE.DLL    : 8.1.6.12      180599 Bytes   5/30/2009 20:46:58
    AEBB.DLL      : 8.1.0.3        53618 Bytes  10/14/2008 16:05:56
    AVWINLL.DLL   : 1.0.0.12       15105 Bytes    7/9/2008 14:40:05
    AVPREF.DLL    : 8.0.2.0        38657 Bytes   5/16/2008 15:28:01
    AVREP.DLL     : 8.0.0.3       155688 Bytes   5/30/2009 20:46:48
    AVREG.DLL     : 8.0.0.1        33537 Bytes    5/9/2008 17:26:40
    AVARKT.DLL    : 1.0.0.23      307457 Bytes   2/12/2008 14:29:23
    AVEVTLOG.DLL  : 8.0.0.16      119041 Bytes   6/12/2008 18:27:49
    SQLITE3.DLL   : 3.3.17.1      339968 Bytes   1/22/2008 23:28:02
    SMTPLIB.DLL   : 1.2.0.23       28929 Bytes   6/12/2008 18:49:40
    NETNT.DLL     : 8.0.0.1         7937 Bytes   1/25/2008 18:05:10
    RCIMAGE.DLL   : 8.0.0.51     2371841 Bytes   6/12/2008 19:48:07
    RCTEXT.DLL    : 8.0.52.0       86273 Bytes   6/27/2008 19:34:37

    Configuration settings for the scan:
    Jobname..........................: Windows System Directory
    Configuration file...............: c:\program files\avira\antivir personaledition classic\sysdir.avp
    Logging..........................: low
    Primary action...................: interactive
    Secondary action.................: ignore
    Scan master boot sector..........: on
    Scan boot sector.................: on
    Boot sectors.....................: C:,
    Process scan.....................: on
    Scan registry....................: on
    Search for rootkits..............: on
    Scan all files...................: Intelligent file selection
    Scan archives....................: on
    Recursion depth..................: 20
    Smart extensions.................: on
    Macro heuristic..................: on
    File heuristic...................: medium

    Start of the scan: Sunday, May 31, 2009  09:45

    Starting search for hidden objects.
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-00000005.dll
       
    • Archive type: HIDDEN
    [INFO]      The file is not visible.
        --> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-00000005.dll
          [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.JW back-door program
    C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-0000000A.sys
       
    • Archive type: HIDDEN
    [INFO]      The file is not visible.
        --> FIL\\\?\C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\TEMP\AVSCAN-20090531-094504-7F1BF2A5\AVSCAN-0000000A.sys
          [DETECTION] Is the TR/Rootkit.Gen Trojan
    The repair notes were written to the file 'C:\Documents and Settings\All Users\Application Data\Avira\AntiVir PersonalEdition Classic\PROFILES\AVSCAN-20090531-094623-9003C82F.avp'.
    c:\windows\system32\tdsscfub.dll
        [INFO]      The file is not visible.
        [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
        [NOTE]      The file was deleted!
    c:\windows\system32\drivers\tdsspaxt.sys
        [DETECTION]
        [NOTE]      The file was deleted!
    c:\windows\system32\tdssfpmp.dll
        [INFO]      The file is not visible.
    c:\windows\system32\tdssnrsr.dll
        [INFO]      The file is not visible.
        [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
        [INFO]      No SpecVir entry was found!
    c:\windows\system32\tdssoeqh.dll
        [DETECTION]
        [INFO]      No SpecVir entry was found!
    c:\windows\system32\tdssosvn.dat
        [INFO]      The file is not visible.
    c:\windows\system32\tdssrhym.log
        [INFO]      The file is not visible.
    c:\windows\system32\tdssriqp.dll
        [INFO]      The file is not visible.
        [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.acs back-door program
        [INFO]      No SpecVir entry was found!
    c:\windows\system32\tdsstkdv.log
        [INFO]      The file is not visible.
    c:\documents and settings\chaka\local settings\temp\tdss8d6f.tmp
        [INFO]      The file is not visible (shell).
        [DETECTION] Is the TR/Patched.CL Trojan
        [INFO]      No SpecVir entry was found!


    End of the scan: Sunday, May 31, 2009  09:46
    Used time: 01:23 Minute(s)

    The scan has been done completely.

          0 Scanning directories
         10 Files were scanned
          6 viruses and/or unwanted programs were found
          0 Files were classified as suspicious:
          2 files were deleted
          0 files were repaired
          0 files were moved to quarantine
          0 files were renamed
          0 Files cannot be scanned
          4 Files not concerned
          0 Archives were scanned
          0 Warnings
          2 Notes
      51894 Objects were scanned with rootkit scan
         15 Hidden objects were found

    The issue I am having is that ANY web browser I use (Firefox 3.0.10, IE 8, or Opera) will not let me connect to ANY anti-malware sites.

    I get a 'could not connect to.....' prompt.

    I had AVG, but the trojan would not let me update definitions.

    I have a MaxPC CD with SUPERAntiSpyware and Malwarebytes, but cannot install them; it says the files are corrupt (only these 2, of course!).

    ALL Google inquiries are redirected to malware sites or Apartmentfinder in all browsers.

    I deleted and/or quarantined them through the antivirus, but they come back upon reboot.

    I suspect AV is compromised.

    I am at wits' end and out of options except a format, but I do not have the XP CD, so this is my only hope!




    [attachment deleted by admin]
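Editor's note on the Avira report above. The part of that report worth reading closely is which objects the rootkit scan reported as "not visible", which of those carried a detection, and which were actually deleted rather than merely flagged; the report itself only gives totals. The script below is an added example, not code from the post or from Avira. It parses the layout the posted report uses (a path line followed by indented [INFO]/[DETECTION]/[NOTE] lines) and summarises those three questions. SAMPLE_REPORT is a constructed excerpt in that layout, and the regular expressions are assumptions about that layout, not Avira's documented format.

```python
"""Extract the rootkit-relevant facts from an Avira AntiVir scan report.

Added example; it is not code from the forum post or from Avira. It reads the
layout the report in the thread uses: a path line followed by indented
[INFO]/[DETECTION]/[NOTE] lines. SAMPLE_REPORT is a constructed excerpt in that
layout, and the regexes are assumptions about it, not Avira's documented format.
"""
import re
from dataclasses import dataclass, field

SAMPLE_REPORT = """\
Starting search for hidden objects.
c:\\windows\\system32\\tdsscfub.dll
    [INFO]      The file is not visible.
    [DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
    [NOTE]      The file was deleted!
c:\\windows\\system32\\drivers\\tdsspaxt.sys
    [DETECTION]
    [NOTE]      The file was deleted!
c:\\windows\\system32\\tdssnrsr.dll
    [INFO]      The file is not visible.
    [DETECTION] Contains a recognition pattern of the (harmful) BDS/TDSS.adb back-door program
    [INFO]      No SpecVir entry was found!
c:\\windows\\system32\\tdssosvn.dat
    [INFO]      The file is not visible.
c:\\documents and settings\\chaka\\local settings\\temp\\tdss8d6f.tmp
    [INFO]      The file is not visible (shell).
    [DETECTION] Is the TR/Patched.CL Trojan
End of the scan: Sunday, May 31, 2009  09:46
"""

# A report line that names a scanned object: optional indent, drive letter, backslash.
PATH_RE = re.compile(r"^\s*[A-Za-z]:\\\S.*$")
# A tagged status line belonging to the preceding path line.
TAG_RE = re.compile(r"^\s*\[(INFO|DETECTION|NOTE|WARNING)\]\s*(.*?)\s*$")


@dataclass
class ScannedObject:
    path: str
    hidden: bool = False                      # scanner said "not visible"
    detections: list = field(default_factory=list)
    actions: list = field(default_factory=list)

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def removed(self) -> bool:
        return any("deleted" in a or "quarantine" in a for a in self.actions)


def parse_report(text: str) -> list:
    """Group each path line with the tagged lines that follow it."""
    objects, current = [], None
    for line in text.splitlines():
        if PATH_RE.match(line):
            current = ScannedObject(path=line.strip())
            objects.append(current)
            continue
        m = TAG_RE.match(line)
        if not m or current is None:
            continue                          # banner, summary or unrelated text
        tag, msg = m.groups()
        if tag == "INFO" and "not visible" in msg:
            current.hidden = True
        elif tag == "DETECTION":
            current.detections.append(msg or "(unnamed detection)")
        elif tag == "NOTE":
            current.actions.append(msg.lower())
    return objects


def triage(objects: list, prefix: str = "tdss") -> dict:
    """What a reader wants from the report: what was hidden, what survived."""
    return {
        "total": len(objects),
        "hidden": sum(o.hidden for o in objects),
        "prefix_matches": sum(o.name.startswith(prefix) for o in objects),
        # Flagged but neither deleted nor quarantined: still on disk after the scan.
        "detected_not_removed": [o.name for o in objects if o.detections and not o.removed],
        # Hidden from the filesystem but no signature hit: worth a second look.
        "hidden_undetected": [o.name for o in objects if o.hidden and not o.detections],
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary for the constructed excerpt; to use it on a real report, pass the report text to `parse_report` instead of SAMPLE_REPORT. The "detected_not_removed" and "hidden_undetected" lists are the entries that explain a rootkit surviving a scan: objects the scanner could see but not act on, and objects it could not even classify.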

    chaklo469 (Topic Starter, Newbie)

      Re: Trojans won't let me go to anti-malware web addresses!!
      « Reply #1 on: May 31, 2009, 12:43:53 PM »
      Update:

      Was able to run HijackThis:

      Logfile of HijackThis v1.97.7
      Scan saved at 12:23:20 PM, on 5/31/2009
      Platform: Windows XP SP3 (WinNT 5.01.2600)
      MSIE: Internet Explorer v8.00 (8.00.6001.18702)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      e:\Program Files\Webroot\WebrootSecurity\WRConsumerService.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\system32\svchost.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
      E:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
      C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
      C:\WINDOWS\system32\nvsvc32.exe
      F:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\MOHAGame\pb\PnkBstrA.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\RTHDCPL.EXE
      C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
      C:\WINDOWS\system32\ctfmon.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Internet Explorer\iexplore.exe
      E:\apps\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
      O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
      O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
      O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
      O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
      O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
      O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)
      O9 - Extra button: Messenger (HKLM)
      O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
      O11 - Options group: [INTERNATIONAL] International
      O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
      O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
      O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
      O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
      O17 - HKLM\System\CCS\Services\Tcpip\..\{C9F18C6A-744A-4A9B-A644-74ADAA6E8121}: NameServer = 208.67.222.222,208.67.220.220
      O17 - HKLM\System\CCS\Services\Tcpip\..\{EF2FA76B-F1B8-49B8-B1D0-A18671B3A868}: NameServer = 208.67.222.222,208.67.220.220

      Was able to download Malwarebytes, but it freezes on install.

      Ad-Aware and Spybot will not let me update.
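Editor's note on the HijackThis log above. The lines that bear on "AV sites won't load and Google is redirected" are the R1 proxy setting in the user hive, the O17 per-interface NameServer entries, and the O2 browser helper objects; they are easy to skim past in a long log. The script below is an added example, not code from the post or from HijackThis. It parses those three line shapes and flags a configured proxy, any resolver that is not on an allowlist, and any BHO loaded from a system or temp directory. The allowlist (the two OpenDNS addresses that appear in the log), the directory heuristic and SAMPLE_LOG are assumptions made for this example; a hit is something to verify, not a verdict (the Comcast proxy entry in the log, for instance, may well be legitimate).

```python
"""Triage the network-facing lines of a HijackThis log.

Added example; it is not code from the forum post or from HijackThis. It parses
the R1 (Internet Settings), O2 (BHO) and O17 (per-interface NameServer) line
shapes seen in the thread and flags the entries that could explain browsers
failing to reach anti-malware sites and Google redirects. The allowlist, the
directory heuristic and SAMPLE_LOG are assumptions made for this example.
"""
import re

# Assumed allowlist: the two OpenDNS resolvers that appear in the posted log.
TRUSTED_RESOLVERS = {"208.67.222.222", "208.67.220.220"}

# Heuristic: BHOs normally live under a vendor directory, not in these.
SUSPECT_DIRS = ("\\windows\\system32\\", "\\temp\\")

# Constructed sample: lines copied from the post plus two invented rows
# (an all-zero CLSID and a TEST-NET-3 address) to exercise the flags.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = cdn
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\\WINDOWS\\system32\\example_bho.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{C9F18C6A-744A-4A9B-A644-74ADAA6E8121}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{EF2FA76B-F1B8-49B8-B1D0-A18671B3A868}: NameServer = 208.67.222.222,203.0.113.53
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
R1_RE = re.compile(r"^R1 - (HKCU|HKLM)\\.*Internet Settings,(\w+) = (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (" + GUID + r") - (.*)$")
O17_RE = re.compile(r"^O17 - .*(" + GUID + r"): NameServer = (.*)$")


def triage_hjt(text: str, trusted=TRUSTED_RESOLVERS) -> list:
    """Return (kind, subject, detail) tuples for lines worth a closer look."""
    findings = []
    for line in text.splitlines():
        if m := R1_RE.match(line):
            hive, key, value = m.groups()
            if key == "ProxyServer":          # all browser traffic goes through this host
                findings.append(("proxy", hive, value))
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            if any(d in path.lower() for d in SUSPECT_DIRS):
                findings.append(("bho_in_suspect_dir", clsid, path))
        elif m := O17_RE.match(line):
            iface, servers = m.groups()
            for ip in (s.strip() for s in servers.split(",")):
                if ip not in trusted:         # DNS answers come from somewhere else
                    findings.append(("untrusted_resolver", ip, iface))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in triage_hjt(SAMPLE_LOG):
        print(f"{kind:22} {subject}  ({detail})")
```

On the constructed sample this reports the proxy, the invented system32 BHO and the invented resolver, and stays quiet about the two OpenDNS entries. A BHO check by directory is deliberately a coarse heuristic; confirming a suspicious entry means checking the file's publisher and hash, not trusting the path alone.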