"Trojan.Win32.Zapchast.ca" and "Surf side-kic

Unread postby JoHu » October 11th, 2006, 8:44 am

Hi kind folks,

This morning my computer was exposed to numerous trojans when I visited a highly dubious website as reported by my updated and fully functional Kaspersky AV 6.0. What I did wrong was to choose "allow" when being asked what stance Kaspersky was going to take to these programs. Obviously "deny" should have been my choice. But I must say that the screen wasn't clear at all as to what I was denying or allowing, whether it was allowing the file to access my computer or whether I was allowing Kaspersky to take care of it. Nevertheless, I'm infected.

I was notified about various trojans attacking me and KAV (Kaspersky) listed the following:

Trojan.Win32.Zapchast.ca (several listings, i.e. numerous attacks)
Trojan-Spy.Win32.Small.ez
Trojan-Proxy.Win32.Wopla.ac
Trojan-Download.Win32.CWS.aa
HTML.Agent.aq


Out of these, only Zapchast has come back after restart and virus scan. After I ran a complete virus scan with updated definitions in safe mode I rebooted and noticed my IE took forever, and by that I mean ages, to access web sites and get a response from the server they're hosted on. When I download separate files I get my normal speeds, but accessing these files in the first place and just going on the internet takes an enormous amount of time. It took me ages to just come here and register for help.

I managed to read some of the threads on here and ran full system scans with SpyBot 1.4 and AVG Antispyware 7.5 plus ran CCleaner, all in safe mode. Spybot detected something called "Surf side kick" which I promptly deleted and it hasn't returned, but the extreme lag in accessing the internet is still there and I have no idea what to do about it...

Another thing, after these attacks, whenever I try to reboot or shut down I get a status window that says: ".NET-BroadcastEventWindow.1.0.5000.0.4 is still running. Do you want to wait for it to finish?" or something along those lines. I haven't seen this before and I have not recently updated my ATI driver or Catalyst Control Center that some people have attributed this problem to.

Please, please help me out here, the extreme lag is killing me!

PS: I am currently behind a router a D-link 524, could that somehow limit my access after these attacks? My Windows XP is not a genuine copy and I don't know how to bypass WGA so I'm all out of luck in that department.

HijackThis logfile included:

Logfile of HijackThis v1.99.1
Scan saved at 14:41:50, on 2006-10-11
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\iTunes\iTunesHelper.exe
C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dn.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [kav] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program\SiSoftware\SiSoftware Sandra Professional 2005.SR1\RpcSandraSrv.exe
JoHu
Active Member
 
Posts: 4
Joined: October 11th, 2006, 7:18 am
Location: Uppsala
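The HijackThis log above is a list of autostart points, one per line, prefixed with a section code (R0, O2, O4, O20, O23 and so on). Helpers usually triage such a log by pulling out the entries that deserve a second look rather than reading it top to bottom. The following script is an added example, not part of this thread and not HijackThis's own code: it parses lines in that format and flags entries that reference a missing file, services with no publisher information, and every O20 Winlogon Notify entry (a DLL that winlogon.exe loads at logon). The sample lines are taken from the log posted above, abridged; the flag reasons are hints for review, not verdicts on any particular entry.

```python
import re
from dataclasses import dataclass, field

# Lines taken from the HijackThis v1.99.1 log posted in this thread (abridged).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [kav] "C:\Program\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\Program\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\Program\Norman\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program\iPod\bin\iPodService.exe
"""

# A HijackThis entry: section code, " - ", then the section-specific body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


@dataclass
class Entry:
    section: str
    body: str
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return the R/F/N/O entries of a HijackThis log; header and process list are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def review_reasons(entry):
    """Heuristic reasons an entry deserves a second look; each is a hint, not a verdict."""
    reasons = []
    if "(file missing)" in entry.body:
        reasons.append("references a file that no longer exists")
    if entry.section == "O23" and "Unknown owner" in entry.body:
        reasons.append("service binary carries no publisher information")
    if entry.section == "O20":
        reasons.append("Winlogon Notify DLL: loaded into winlogon.exe at logon")
    return reasons


def triage(log_text):
    """Parse a HijackThis log and return only the entries with at least one review reason."""
    flagged = []
    for entry in parse_entries(log_text):
        entry.reasons = review_reasons(entry)
        if entry.reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.body}")
        for r in e.reasons:
            print(f"    - {r}")
```

Run against the full log, the O20 rule is what brings both Winlogon Notify DLLs to the top of the list; which of them belongs to installed software (klogon is listed next to the Kaspersky entries) and which does not is exactly the question a helper then answers by checking the file's origin, not something the script decides.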

Unread postby JoHu » October 12th, 2006, 3:23 am

Help. Anyone?

I spent all day yesterday trying to rid myself of the problem but to apparently no avail. My internet speeds are still extremely limited, currently much slower than a 28.8k connection although I am connected to a LAN/10MB shared connection. I can't even access my router settings from this computer! My girlfriend's computer which is connected via wireless to the same router is not experiencing anything similar, she's getting normal high speeds. I've updated all her protection software (AVG Free, Spybot, checked firewall settings) to stop her getting infected as well.

What I discovered last night was that I couldn't access my firewall settings and that somehow an "Internet Gateway" had been established on top of my usual network connection. After waiting ages to access its settings I discovered a function that had been named "Telephony" and was directed towards the following address: (192.168.0.178:5060) 45823 UDP. Does this mean I've been hijacked?

I managed to remove that address and disconnected my computer from the internet immediately after that. Then I managed to restart my firewall through a few commands in the command prompt (looked up how to do that on another comp.). After that I rebooted into safe mode and ran updated full scans with Kaspersky, Stinger, AVG Antispyware 7.5 and Spybot 1.4. The only scan that yielded any results whatsoever was Spybot but somehow I didn't manage to save a logfile of that report... :oops: It was two entries that could be deleted.

I was told that the .NET-BroadCastWindow.1.0.5000.0.4 issue could be caused by problems in the .NET-Framework released by Microsoft so that has been uninstalled for now.

A new problem has appeared though: Every time I shut down I first get a short bluescreen that appears for a short while (before I have time to read it) before it disappears as my computer chooses to reboot(???!!!) instead of shutting down. Extremely annoying and confusing.

I hope this helps for anyone that might think this is worth a look.

Cheers!
JoHu
Active Member
 
Posts: 4
Joined: October 11th, 2006, 7:18 am
Location: Uppsala

Unread postby JoHu » October 12th, 2006, 3:56 am

I'm including the initial findings by Kaspersky when I was infected. These have all been deleted now and further checks with Kaspersky yield no results.

detected: Trojan program Trojan-Downloader.HTML.Agent.aq
deleted: Trojan program Trojan-Downloader.HTML.Agent.aq File: C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\K9YZ0PQF\trf[1].htm
detected: Trojan program Trojan-Downloader.Win32.Agent.acd
URL: hxxp://traffmoney.biz/dl/xpladv616.wmf
detected: malware Constructor.Perl.Msdds.b
URL: hxxp://traff5all.biz/adv/177/new.php
detected: Trojan program Trojan-Downloader.JS.Agent.ab
URL: hxxp://1-extreme.biz/traff.php?adv=27
detected: malware Exploit.JS.CVE-2005-1790.j
URL: hxxp://traffmoney.biz/dl/fillmemadv616.htm
detected: Trojan program Trojan-Downloader.Java.OpenStream.c
URL: hxxp://traffmoney.biz/dl/loaderadv616.jar\Matrix.class
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aj URL: hxxp://traffmoney.biz/dl/java.jar\GetAccess.class
detected: Trojan program Trojan-Downloader.Win32.Agent.alr
URL:hxxp://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab\UERSL_0001_N86M0607NetInstaller.exe
detected: Trojan program Trojan.Win32.Zapchast.ca
URL: hxxp://85.255.115.222/e410.gif
detected: Trojan program Trojan-Spy.Win32.Small.ez
URL: hxxp://85.255.115.222/e407.gif/UPX
detected: Trojan program Trojan-Proxy.Win32.Wopla.ac
URL: hxxp://85.255.115.222/e431.gif
deleted: Trojan program Trojan-Downloader.Win32.CWS.aa
File: C:\WINDOWS\system32\sksaaaaa.exe/PE_Patch/MEW
deleted: Trojan program Trojan.Win32.Zapchast.ca
File: C:\WINDOWS\system32\dqseertw.exe
deleted: Trojan program Trojan.Win32.Zapchast.ca
File: C:\WINDOWS\system32\mfheulep.exe
deleted: Trojan program Trojan-Spy.Win32.Small.ez
File: C:\WINDOWS\system32\mppkcaaa.exe/UPX
deleted: Trojan program Trojan-Proxy.Win32.Wopla.ac
File: C:\WINDOWS\system32\awiqqlpl.exe
deleted: Trojan program Trojan.Win32.Zapchast.ca
File: C:\WINDOWS\system32\jkfrhaaa.exe
deleted: Trojan program Trojan.Win32.Zapchast.ca
File: C:\WINDOWS\system32\sknvebll.exe
deleted: Trojan program Trojan-Spy.Win32.Small.ez
File: C:\WINDOWS\system32\gyvtskao.exe/UPX
deleted: Trojan program Trojan.Win32.Zapchast.ca
File: C:\WINDOWS\system32\mgjnsjvn.exe
JoHu
Active Member
 
Posts: 4
Joined: October 11th, 2006, 7:18 am
Location: Uppsala
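The Kaspersky output in the post above is the most useful artefact in this thread for a helper, because it records where each component came from (the "URL:" lines) and where the dropped executables landed (the "File:" lines), though the format is irregular: the locator is sometimes on the same line as the detection, sometimes on the next, and sometimes written "URL:" without a space. The script below is an added example, not part of this thread and not Kaspersky's own tooling. It parses that format, tolerating all three layouts, and summarises the indicators a helper would want to check: the distinct remote hosts involved, the files deleted from system32 (with KAV's packer suffix such as "/UPX" stripped), and a per-detection count of detected versus deleted. The sample lines are taken from the post above, abridged; the "hxxp" defanging is kept as posted.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Lines taken from the Kaspersky report posted in this thread (abridged).
KAV_LOG = r"""
detected: Trojan program Trojan-Downloader.HTML.Agent.aq
deleted: Trojan program Trojan-Downloader.HTML.Agent.aq File: C:\Documents and Settings\Administratör\Lokala inställningar\Temporary Internet Files\Content.IE5\K9YZ0PQF\trf[1].htm
detected: Trojan program Trojan-Downloader.Win32.Agent.acd
URL: hxxp://traffmoney.biz/dl/xpladv616.wmf
detected: malware Exploit.JS.CVE-2005-1790.j
URL: hxxp://traffmoney.biz/dl/fillmemadv616.htm
detected: Trojan program Trojan-Downloader.Java.OpenConnection.aj URL: hxxp://traffmoney.biz/dl/java.jar\GetAccess.class
detected: Trojan program Trojan-Downloader.Win32.Agent.alr
URL:hxxp://locator1.cdn.imagesrvr.com/sites/errorsafe.com/www/download/2006/cabs/ErrorSafeFreeInstall_se.cab\UERSL_0001_N86M0607NetInstaller.exe
detected: Trojan program Trojan.Win32.Zapchast.ca
URL: hxxp://85.255.115.222/e410.gif
deleted: Trojan program Trojan-Downloader.Win32.CWS.aa
File: C:\WINDOWS\system32\sksaaaaa.exe/PE_Patch/MEW
deleted: Trojan program Trojan.Win32.Zapchast.ca
File: C:\WINDOWS\system32\dqseertw.exe
deleted: Trojan program Trojan-Spy.Win32.Small.ez
File: C:\WINDOWS\system32\mppkcaaa.exe/UPX
"""

# "detected: Trojan program <name>" optionally followed by an inline "URL:"/"File:" locator.
EVENT_RE = re.compile(
    r"^(?P<action>detected|deleted): (?:Trojan program|malware) (?P<name>\S+)"
    r"(?:\s+(?P<inline>(?:URL|File):.*))?$"
)
# A locator on its own line; the space after the colon is optional in the posted output.
LOCATOR_RE = re.compile(r"^(?P<kind>URL|File):\s*(?P<value>.+)$")
# Host part of a defanged hxxp:// URL.
HOST_RE = re.compile(r"^hxxps?://([^/\\]+)")


@dataclass
class Detection:
    action: str            # "detected" or "deleted"
    name: str              # Kaspersky detection name
    locator_kind: str = None   # "URL" or "File", once known
    locator: str = None


def _attach(detection, text):
    m = LOCATOR_RE.match(text)
    if m:
        detection.locator_kind = m["kind"]
        detection.locator = m["value"]


def parse_kav_log(text):
    """Turn the report into Detection records, pairing each locator with its event."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            current = Detection(m["action"], m["name"])
            detections.append(current)
            if m["inline"]:
                _attach(current, m["inline"])
        elif current is not None:
            _attach(current, line)
    return detections


def remote_hosts(detections):
    """Distinct hosts the components were fetched from, sorted."""
    hosts = set()
    for d in detections:
        if d.locator_kind == "URL":
            m = HOST_RE.match(d.locator)
            if m:
                hosts.add(m.group(1))
    return sorted(hosts)


def dropped_files(detections):
    """Local paths of deleted files, without KAV's packer suffix (e.g. "/UPX")."""
    return [d.locator.split("/", 1)[0]
            for d in detections
            if d.action == "deleted" and d.locator_kind == "File"]


def family_summary(detections):
    """Per detection name: how many times it was detected and how many times deleted."""
    summary = defaultdict(lambda: {"detected": 0, "deleted": 0})
    for d in detections:
        summary[d.name][d.action] += 1
    return dict(summary)


if __name__ == "__main__":
    dets = parse_kav_log(KAV_LOG)
    print("hosts:", remote_hosts(dets))
    print("files:", dropped_files(dets))
    for name, counts in family_summary(dets).items():
        print(f"{name}: {counts}")
```

The host list and the dropped-file list are what a helper would compare against the HijackThis log and the later posts: a file KAV reports as deleted but a service or Winlogon Notify entry still points at is the kind of inconsistency that explains errors such as the shutdown bluescreen blamed on winlogon.exe.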

Unread postby JoHu » October 12th, 2006, 5:56 am

Ok, I've confirmed that it's Winlogon.exe that is somehow causing the bluescreen at shutdown. I've searched my comp and I can find the file in two locations: in the System32 folder and in a Servicepack folder directly below the Windows dir.

I've managed to update Windows with all the latest security updates after which I performed further scans that again revealed no problems.

The blue screen says "A critical error has occurred" and a long code after which it specifies Winlogon.exe as the file that is causing the error. This surely is the explanation for my problems accessing the internet?

If someone can just please assist me in working out a solution I would be most grateful.
JoHu
Active Member
 
Posts: 4
Joined: October 11th, 2006, 7:18 am
Location: Uppsala

Unread postby ChrisRLG » October 12th, 2006, 7:25 am

My Windows XP is not a genuine copy and I don't know how to bypass WGA so I'm all out of luck in that department.


http://www.malwareremoval.com/forum/viewtopic.php?t=550

Please come back when you have a legal copy of windows.

Unfortunately when you have an illegal copy you ARE open to such infections.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK