Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

I have the tr/atraps trojan virus! Please help

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 20th, 2009, 11:59 pm

Thanks for the help in advance. I have deleted adobe, shockwave, java, and all other stuff that isnt needed... I have Avira and it keeps detecting this, and no matter what I choose, this dang virus wont go away! (delete, quarantine, etc).
Here is the log. Please help, and please dumb it down, as Im not computer savvy. :)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:44 PM, on 3/20/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/ ... .0.0.9.cab?
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8102 bytes
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm
Advertisement
Register to Remove

Re: I have the tr/atraps trojan virus! Please help

Unread postby Wi[k]! » March 21st, 2009, 8:14 am

Hello and welcome to the forums.

I am Wi[k]! and I will be helping you today. As I am an undergrad my posts must be checked by a teacher so there can be a delay. HijackThis logs can take time to analyze so be patient.

In the meantime create a uninstall list.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Post that in your next reply.

Also could you tell me what Avira keeps detecting but is unable to remove.
Wi[k]!
MRU Undergrad
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 21st, 2009, 12:29 pm

Good afternoon, and thanks for your help!

When the Avira pops up it says that it detected
C:\WINDOWS\xcjtmd.jgk
Is the TR/ATRAPS.Gen Trojan.

Here is that log you requested:

32 Bit HP CIO Components Installer
Acer eConsole
Acer eMode Management
Adobe Flash Player 10 ActiveX
Agere Systems PCI Soft Modem
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 4
ArtistScope Plugin IE 42
Ask Toolbar
Athlon 64 Processor Driver
Avira AntiVir Personal - Free Antivirus
Critical Update for Windows Media Player 11 (KB959772)
Glary Utilities 2.6.1
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP Photosmart Essential 3.0
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
IrfanView (remove only)
iTunes
Java(TM) 6 Update 12
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NTI Backup NOW! 4
NTI HomeVideo-Maker
NVIDIA Drivers
PowerDVD
Realtek AC'97 Audio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Spybot - Search & Destroy
Trillian
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Service Pack 3
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby Wi[k]! » March 23rd, 2009, 4:14 pm

Hello,

Disable Spybot's TeaTimer. This is a two step process.
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the older version 1.4, Click on Exit Spybot S&D Resident
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident (shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
--------------------------------------------------

Click on start > run > type in: appwiz.cpl and uninstall Ask Bar from the list.
--------------------------------------------------

Open Hijackthis and choose to do a system scan only. Place a check next to the following (if present):

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab

Then with all open windows closed, click Fix checked.
--------------------------------------------------

Please go to Virus Total or VirSCAN and upload C:\WINDOWS\xcjtmd.jgk for scanning. One will suffice no need to upload twice.

For Virus Total

  1. Please copy and paste C:\WINDOWS\xcjtmd.jgk in the text box next to the Browse button.
  2. Click on Send File.

For VirScan

  • Copy and paste C:\WINDOWS\xcjtmd.jgk into the text box next to the Browse... button.
  • Click on Upload.

The file will be uploaded and scanned. This will take some time. Please be patient.
When done, the page will be refreshed.
Please copy and paste the scan results of this file in your next reply.

--------------------------------------------------

Go here to run an online scannner from ESET.
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

So in your next reply:

Virustotal results
Eset Scan results
New HJT log
Wi[k]!
MRU Undergrad
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 23rd, 2009, 6:07 pm

Here is the VirusTotal log:

File xcjtmd.jgk received on 03.23.2009 23:05:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 17/39 (43.59%)
Loading server information...
Your file is queued in position: 2.
Estimated start time is between 46 and 66 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
a-squared 4.0.0.101 2009.03.23 Trojan-Dropper.Delf!IK
AhnLab-V3 5.0.0.2 2009.03.23 Win-Trojan/Xema.variant
AntiVir 7.9.0.120 2009.03.23 TR/ATRAPS.Gen
Authentium 5.1.2.4 2009.03.23 -
Avast 4.8.1335.0 2009.03.23 Win32:Trojan-gen {Other}
AVG 8.5.0.283 2009.03.23 Generic_c.AGFQ
BitDefender 7.2 2009.03.23 -
CAT-QuickHeal 10.00 2009.03.23 Trojan.Delf.juk
ClamAV 0.94.1 2009.03.23 -
Comodo 1082 2009.03.23 -
DrWeb 4.44.0.09170 2009.03.23 -
eSafe 7.0.17.0 2009.03.23 -
eTrust-Vet 31.6.6413 2009.03.23 Win32/Vundo.CLS
F-Prot 4.4.4.56 2009.03.23 -
F-Secure 8.0.14470.0 2009.03.23 -
Fortinet 3.117.0.0 2009.03.23 -
GData 19 2009.03.23 Win32:Trojan-gen {Other}
Ikarus T3.1.1.48.0 2009.03.23 Trojan-Dropper.Delf
K7AntiVirus 7.10.679 2009.03.23 -
Kaspersky 7.0.0.125 2009.03.23 -
McAfee 5562 2009.03.23 Vundo.gen.aj
McAfee+Artemis 5562 2009.03.23 Vundo.gen.aj
McAfee-GW-Edition 6.7.6 2009.03.23 Trojan.ATRAPS.Gen
Microsoft 1.4502 2009.03.23 Trojan:Win32/Miemoes.A
NOD32 3955 2009.03.23 -
Norman 6.00.06 2009.03.23 -
nProtect 2009.1.8.0 2009.03.23 Trojan/W32.Agent.13824.CX
Panda 10.0.0.10 2009.03.23 -
PCTools 4.4.2.0 2009.03.23 -
Prevx1 V2 2009.03.23 High Risk Cloaked Malware
Rising 21.22.02.00 2009.03.23 Trojan.Win32.Nodef.faz
Sophos 4.39.0 2009.03.23 -
Sunbelt 3.2.1858.2 2009.03.23 -
Symantec 1.4.4.12 2009.03.23 -
TheHacker 6.3.3.4.288 2009.03.23 -
TrendMicro 8.700.0.1004 2009.03.23 -
VBA32 3.12.10.1 2009.03.23 Trojan.Win32.Delf.jum
ViRobot 2009.3.23.1660 2009.03.23 -
VirusBuster 4.6.5.0 2009.03.23 -
Additional information
File size: 13824 bytes
MD5...: 916937df5525a189a2560f0869769028
SHA1..: 51c689edafa6fb88bfa3dce95e73ba754837d0bf
SHA256: 5843ce01ed6d48ec7f3efb22adb14d3d7adf4c9533f8a1f3d018d2366af5a0c3
SHA512: b2be6127084d7432e4abf2ac86c22348295e93a3ba72bc1d62b27bffb4a9f857
0f0a197bc873be8338f896853caf29136321f12fd7094054d617f641da44e746
ssdeep: 192:ndL88YOBtH+Z82Jd0xif3ssKcDFB2B8SbKrBXmI33yVRNJWascKbH5G:dwDP
dy43fKSFfBX133ON8fcyG

PEiD..: -
TrID..: File type identification
Win32 Executable Generic (58.3%)
Win16/32 Executable Delphi generic (14.1%)
Generic Win/DOS Executable (13.7%)
DOS Executable Generic (13.6%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x3738
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 6 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x2758 0x2800 6.63 19433b75d6644b3d7df92f9b00dcd493
DATA 0x4000 0x160 0x200 3.38 565f7ea841d4eb0692d081c5de8a6d9b
BSS 0x5000 0xf55 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x6000 0x2c2 0x400 3.25 545d26a7844e10be88b1169b54f4bf2d
.reloc 0x7000 0x1fc 0x200 6.02 bc1392ed3d57085d8b13958d9b37e030
.rsrc 0x8000 0x180 0x200 2.69 2d6d6fc3bac0995a11aead7029b80c0e

( 2 imports )
> kernel32.dll: GetCurrentThreadId, ExitProcess, UnhandledExceptionFilter, RtlUnwind, RaiseException, TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, FreeLibrary, GetProcessHeap
> kernel32.dll: VirtualFree, VirtualAlloc, Sleep, ReadFile, LoadLibraryA, HeapFree, HeapAlloc, GetTickCount, GetProcessHeap, GetProcAddress, GetModuleFileNameA, GetFileSize, GetComputerNameA, FindAtomA, ExitProcess, CreateThread, CreateFileA, CloseHandle, AddAtomA

( 0 exports )

Prevx info: <a href='http://info.prevx.com/aboutprogramtext.asp?PX5=C70A5E4F00830EAA36E400B3E89FA800E47D7435' target='_blank'>http://info.prevx.com/aboutprogramtext.asp?PX5=C70A5E4F00830EAA36E400B3E89FA800E47D7435</a>
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 23rd, 2009, 6:14 pm

I tried running the ESET program, but after I clicked to allow the Active X control, first it said Windows wouldnt allow it to download. So I went to my settings and changed it so it would prompt me, instead of just disabling that.

So I redid it, and it prompted me. I said to install it, but then the scanner box is just showing the little red X.

what should I do?
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 23rd, 2009, 6:23 pm

While Im waiting for info about the ESET scanner thing not working for me, here is the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:23:37 PM, on 3/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/ ... .0.0.9.cab?
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8119 bytes
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby Wi[k]! » March 24th, 2009, 7:01 am

Hello,

No worries about getting Eset to work we can try something different.

Download OTMoveIt3 by Oldtimer to your Desktop.
  • Double-click on OTMoveIt3.exe to start the program.
  • Copy the text from the following code box below:
Code: Select all
:Files
C:\WINDOWS\xcjtmd.jgk
:Commands
[EmptyTemp]

  • Then return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • If not copy everything in the Results window (under the green bar) and paste it in your next reply.
  • Close OTMoveIt3.
--------------------------------------------------

Download Malwarebytes' Anti-Malware.
  • Double-click on mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware, then click finish.
  • If an update is found, downloading will commence to install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Copy and paste the contents of that file in your next reply.

Note: The log can also be found in the Logs tab of Malwarebytes.

In your next reply.

Otmoveit report
Malwarebytes log
New HJT
How's the computer running? Any problems?
Wi[k]!
MRU Undergrad
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 24th, 2009, 6:19 pm

Here is the log from OTMoveit.
After I did this, and the pc rebooted, the Avira popped up a lot saying it found this virus...

Next post will have the other 2 logs...

========== FILES ==========
C:\WINDOWS\xcjtmd.jgk moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Jen\LOCALS~1\Temp\~DF4EA.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7a8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 03242009_181318

Files moved on Reboot...
File C:\DOCUME~1\Jen\LOCALS~1\Temp\~DF4EA.tmp not found!
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_7a8.dat not found!
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby coolgrljen » March 24th, 2009, 6:55 pm

Malware log:

Malwarebytes' Anti-Malware 1.34
Database version: 1893
Windows 5.1.2600 Service Pack 3

3/24/2009 6:54:02 PM
mbam-log-2009-03-24 (18-54-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 132649
Time elapsed: 26 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 7
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c298fb42-e3e2-11d3-adcd-0050dac24e8f} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ca0b9b71-c2af-11d3-b376-0800460222f0} (Adware.Iwon) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\iWon (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\History (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\Settings (Adware.iWon) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\xcjtmd.jgkx (Trojan.Daonol) -> Quarantined and deleted successfully.
C:\WINDOWS\xcjtmd.jgk (Trojan.Daonol) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\shellz\winspector.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\_OTMoveIt\MovedFiles\03242009_181318\WINDOWS\xcjtmd.jgk (Trojan.Daonol) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\PM3.ico (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\IWONSLOT.DLL (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\PM3.ICO (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\1.bin\UNINSTALL.INF (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\files.ini (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2474 (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2658.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2790.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A285C.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2927.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2A50.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2CEF.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2E38.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A2F03.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A306A.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A3154.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A324E.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A3377.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A35F8.bin (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A36D3.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A37CD.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A3A0F.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonSlot\Cache\053A3ABB.wav (Adware.iWon) -> Quarantined and deleted successfully.
C:\Program Files\iWon\iWonBar\History\search (Adware.iWon) -> Quarantined and deleted successfully.
C:\Documents and Settings\Jen\Local Settings\Temporary Internet Files\pse_300_enu.exe (Trojan.Agent) -> Quarantined and deleted successfully.




Here is the HJT log.. When I ran this the pops ups continued. GRR!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:55:15 PM, on 3/24/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CSHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://abcnews.go.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n031p/EN/install/gtdownlr.cab
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWe ... taller.CAB
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/Acti ... ontrol.cab
O16 - DPF: {EBF85371-A38F-485B-B28F-0B4C82D25937} (CUpdateCtl Object) - http://update.hpphoto.com/download/HPSWUpdate.ocx
O16 - DPF: {F127B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/ ... .0.0.9.cab?
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\system32\CSHelper.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8244 bytes
coolgrljen
Active Member
 
Posts: 7
Joined: March 20th, 2009, 11:54 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby Jackhama » March 25th, 2009, 1:10 am

Hi Again
Reading through other posts and thought you made need this :)

18 Wheels of Steel: Haulin'
ACDSee 8
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player 11
AppCore
Apple Mobile Device Support
Apple Software Update
Ashampoo WinOptimizer 2008
Athlon 64 Processor Driver
Auction Sentry
Battlefield 2(TM)
Battlefield 2: Special Forces
Battlefield 2142
Bonjour
Call of Duty
Call of Duty - United Offensive
Call of Duty(R) 2
ccCommon
CodecPatch
Company of Heroes
Component Framework
ConvertXtoDVD 3.1.3.40
Critical Update for Windows Media Player 11 (KB959772)
Crysis(R)
Deer Hunter - The 2005 Season
D-Link DSL-302G Ethernet Diagnostics and USB Driver
DVD Shrink 3.2
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESCX3900 User's Guide
GameSpy Arcade
Ghost Town
Google Earth
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HouseCall 6.6
IncrediMail Xe
IsoBuster 2.1
iTunes
J2SE Runtime Environment 5.0 Update 3
Jasc Paint Shop Pro 9
Lara Croft Tomb Raider: The Angel Of Darkness
LG ODD Auto Firmware Update
LimeWire 4.16.6
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Magic Video Converter Trial Version (English) 8.0.2.18
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
Multimedia Card Reader
Nero 7
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
Nursing Calculations V6.3.0
NVIDIA Drivers
PaltalkScene
Project Reality 0856 Core
Project Reality 0856 Levels
PunkBuster Services
QuickTime
Race Driver 3
Realtek AC'97 Audio
RegScrubXP 3.25
SCRABBLE Deluxe
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sierra Utilities
Skype 2.0
SnipeStation IE Toolbar - Free eBay Auction Sniper
SPBBC 32bit
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Star Wars Galactic Battlegrounds: Saga
Symantec KB-DocID:2003093015493306
Symantec Real Time Storage Protection Component
Tiger Woods PGA TOUR 2005
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Virtual Skipper 4 1.6.1
Wheel of Fortune Deluxe (remove only)
WinAce Archiver
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
WinZip 11.1
XP Codec Pack
Zuma Deluxe RA
Jackhama
Active Member
 
Posts: 5
Joined: March 24th, 2009, 11:16 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby Jackhama » March 25th, 2009, 1:11 am

Opps Sorry ----- I PLACED IT IN THE WRONG FORUM ---Appologies
Jackhama
Active Member
 
Posts: 5
Joined: March 24th, 2009, 11:16 pm

Re: I have the tr/atraps trojan virus! Please help

Unread postby Wi[k]! » March 25th, 2009, 6:48 am

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post
Wi[k]!
MRU Undergrad
MRU Undergrad
 
Posts: 554
Joined: August 4th, 2008, 9:49 am

Re: I have the tr/atraps trojan virus! Please help

Unread postby NonSuch » March 30th, 2009, 5:40 pm

Due to a lack of response, this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27300
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 12 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware