• Announcements

    • Budfred

      IE 11 copy/paste problem

      It has come to our attention that people using Internet Explorer 11 (IE 11) are having trouble with copy/paste to the forum. If you encounter this problem, using a different browser like Firefox or Chrome seems to get around the problem. We do not know what the problem is, but it seems to be specific to IE 11 and we are hopeful that Microsoft will eventually fix it.
Sign in to follow this  
Followers 0
asiina

Downloader.Small.5.Y

7 posts in this topic

I keep getting Downloader.Small.5.Y and Downloader.Small.4.BQ trojan messages from AVG as well as sometimes when I open IE I get a "Could be infected startpage" trojan message along with a different startpage.

 

I've read the FAQ and run Ad-aware, AVG and Spybot but they never find it. All other reports I find on this don't have all of these trojan messages coming up, so they never help.

 

This is really starting to get annoying.

 

 

 

Logfile of HijackThis v1.98.0

Scan saved at 4:37:43 PM, on 30/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\mHotkey.exe

C:\WINDOWS\Dit.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE

C:\Program Files\D-Tools\daemon.exe

C:\Program Files\MSN Messenger\MsnMsgr.Exe

C:\WINDOWS\System32\ctfmon.exe

C:\WINDOWS\DitExp.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\slserv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\notepad.exe

C:\if I fuck up\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.ca/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.platypus.adsl.dk/scorch/800x600.html"); (C:\Documents and Settings\Meghan\Application Data\Mozilla\Profiles\default\2aytnokf.slt\prefs.js)

N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Meghan\Application Data\Mozilla\Profiles\default\2aytnokf.slt\prefs.js)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [CHotkey] mHotkey.exe

O4 - HKLM\..\Run: [Dit] Dit.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"

O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa\kpp.exe" "C:\Program Files\Kazaa\Kazaa.kpp" /SYSTRAY

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Kazaa\My Shared Folder\Biko.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - Startup: Semagic.lnk = C:\Program Files\Semagic\LiveJournalU.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O9 - Extra button: AOL Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll

O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com

O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab

O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB

O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{DAA24432-FB8E-45F1-B0F9-47FF43A2CA24}: NameServer = 192.168.0.1

Share this post


Link to post
Share on other sites

There is not much wrong with your log. Certainly no trojans or spyware. Just two items of cleanup. After removing these with HiJackThis, I sugget you run an Online AV scan from the links I will provide.

 

Check the following items in HiJackThis:

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

 

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)

 

Close all open windows except HiJackThis and press 'Fix Checked'.

 

 

Please go here and do an AV scan at one (preferably two) of the following:

Panda's Active Scan

http://www.pandasoftware.com/activescan/co...n_principal.htm

 

Trend Micro (PC-cillin) - Free on-line Scan

http://housecall.antivirus.com

 

RAV Antivirus Online Scan

http://www.ravantivirus.com/scan/

 

eTrust AV web scanner (Computer Associates)

http://www3.ca.com/virusinfo/virusscan.aspx

Share this post


Link to post
Share on other sites

I ran all of the virus scans twice. Housecall never found anything, but the other 3 each found 3 items both times and I followed all the directions to get rid of the 3 things found each time.

 

However, I'm still getting trojan warnings from AVG about these two downloader trojans.

 

I've recently noticed that they only show up within an hour of my computer being idle, but never when I'm using it.

 

The "Could be infected startpage" problem seems to have been corrected at some point though, so it's just the downloader trojans.

Edited by asiina

Share this post


Link to post
Share on other sites

When the messages came up this morning it was only for Downloader.Small.4.BQ. This is where it said it was, but I'm not sure how to get there to delete it:

 

C:\system volume information\_restore{3c03EDBA-f15f-4629-BF83-7D27IE3A5Be2}\RP1\A00000006.exe

Share this post


Link to post
Share on other sites

That is in your System Restore area and is not "cleanable". You will need to reset restore.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(Windows XP)

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

 

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/default.aspx?...kb;en-us;310405

Share this post


Link to post
Share on other sites
Sign in to follow this  
Followers 0