Avast WEBforum

Other => Viruses and worms => Topic started by: philly12 on January 09, 2008, 11:31:26 PM

Title: Please help me get rid of BHO's and possible trojan(s)
Post by: philly12 on January 09, 2008, 11:31:26 PM
Last night I wanted to download an avi player, so I googled for an avi player and found one on download.com (or cnet).  The program I found was called AviMoviePlayer (*WARNING, DO NOT DOWNLOAD THIS PROGRAM*) and it was even rated by download.com to have 3/5 stars.  I thought download.com scanned all its files before posting them for download but apparently not.  I downloaded the program fine (no avast! alarms from the realtime shield).  To be extra safe, I even right clicked on the AviMoviePlayer's install file and scanned it with avast! and SAS Pro and both checked out fine at this time.  Well sure enough, a couple of seconds after I installed the program SAS Pro came up with warnings about BHOs and suggested a scan.  I scanned and found 15 infected registry files and 1 infected file.  I then scanned with A-squared and quarantined a file named trace.file.Ezula.

I have done a full system scan with avast! (with latest definitions) which found nothing.  Adaware and Spywareterminator also found nothing.  I am going to continue to scan with my other security software, but I wanted to post a HJT report to help remove some of the infections (and some of my HJT file even looks suspicious to an amateur like myself).  I cannot run combofix because I hear it's not compatible with Vista. CAN SOMEONE PLEASE CHECK MY HJT REPORT?

I now know that I cannot trust download.com to be completely safe.  I also find it strange not to have gotten any warning by right clicking and scanning the install file with both avast! and SAS.  Please spread the word that AviMoviePlayer is very dangerous.  I went back to download.com and looked at the user reviews for this program and they almost all said that it downloaded adware to their computer (and download.com still gave it 3 out of 5 stars??).  I am going to go to McAfee SiteAdvisor and put a warning out for AviMoviePlayer's main site right away.   In the meantime, can you please check my HJT report and give me any advice possible.  I would appreciate it.

My comp is a fully patched Windows Vista (I had just installed some new updates earlier that night) Home Premium 32-bit.
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: polonus on January 10, 2008, 12:42:24 AM
Hi philly12,

I cannot detect anything fishy in your HijackThis logfile,
but I'd like to have a closer look at what your Vista box starts up.

Can you also make a StartDreck scan and attach a logfile as an attachment?
Niksoft StartDreck.
StartDreck from Niksoft is a start-up editor for your Microsoft Windows computer.
It is a useful tool for removing spyware.

Requirements

The tool will run on any Microsoft Windows operating system.

Approximately 400KB of disk space is required for the tool.
Download

This site is an official mirror of StartDreck.

Note: Please send all contact regarding this tool directly to the author, Niksoft.

Latest Version: 2.1.7
Download Size: 406.585 Bytes
MD5: cf15b20807e52446503ab2742e5acf55
Download from here: http://ben.cheetham.me.uk/download/niksoft/startdreck217.zip

It gives a rather long scan file; save it as a .txt attachment.

polonus
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: philly12 on January 10, 2008, 06:48:48 PM
I have done what you said and have included a StartDreck log.

I am curious to know what the following are in my HJT log:
O2 - BHO: (no name) - AutorunsDisabled - (no file)

C:\Windows\Explorer.EXE        (shouldn't the .exe be lowercase???)
O1 - Hosts: ::1 localhost        (what is this?)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:              (and there's nothing after it)
O20 - AppInit_DLLs:               (and there's nothing after it)

I am also curious as to what the following is/does.  It was shown in red when I ran IceSword; is it harmful?
\??\C:\Windows\system32\drivers\sp_rsdrv2.sys


Any help is appreciated and I have also added another HJT report in case anything else got infected when I was online downloading StartDreck.  If I did something wrong with the StartDreck report please let me know.


Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: oldman on January 10, 2008, 07:17:44 PM


O2 - BHO: (no name) - AutorunsDisabled - (no file)

usually means something was disabled with Autoruns

C:\Windows\Explorer.EXE        (shouldn't the .exe be lowercase???)

I've seen both; Vista for sure uses capital letters.

O1 - Hosts: ::1 localhost        (what is this?)
your hosts file

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

MS office related


O13 - Gopher Prefix:              (and there's nothing after it)

legit vista entry

O20 - AppInit_DLLs:               (and there's nothing after it)

same thing

I am also curious as to what the following is/does.  It was shown in red when I ran IceSword; is it harmful?
\??\C:\Windows\system32\drivers\sp_rsdrv2.sys

Spyware Terminator

http://fbmsoftware.com/spyware-net/process/sp_rsdrv2_sys/3357/
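As an added illustration (not code from the original thread), here is a small Python triage helper that applies the interpretations given above to HijackThis-style lines: an O2 BHO entry with no file is flagged for fixing, empty O13/O20 values and the IPv6 loopback hosts line are accepted as defaults, and anything else is left for manual review. The sample lines are constructed from the entries quoted in this thread, plus one made-up O4 entry.

```python
import re

# Constructed sample: the entries asked about in this thread, plus one
# made-up O4 Run entry (not from any real log) to show the "review" path.
SAMPLE_LOG = [
    "O1 - Hosts: ::1 localhost",
    "O2 - BHO: (no name) - AutorunsDisabled - (no file)",
    "O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} "
    "- C:\\PROGRA~1\\MICROS~2\\Office12\\REFIEBAR.DLL",
    "O13 - Gopher Prefix: ",
    "O20 - AppInit_DLLs: ",
    "O4 - HKLM\\..\\Run: [Updater] C:\\Users\\Public\\updater.exe",
]

# HJT line layout: "<Onn> - <section>: <value>"; the value may be empty.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+):\s*(.*)$")

def parse_line(line):
    """Return (code, section, value) or None when the line is not an O-entry."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return m.group(1), m.group(2).strip(), m.group(3).strip()

def same_windows_path(a, b):
    """Windows paths are case-insensitive, so Explorer.EXE == explorer.exe."""
    return a.casefold() == b.casefold()

def triage(line):
    parsed = parse_line(line)
    if parsed is None:
        return "unparsed"
    code, _section, value = parsed
    if code == "O2" and "(no file)" in value:
        return "fix: orphaned BHO entry with no file"   # per polonus above
    if code in ("O13", "O20") and value == "":
        return "ok: empty default value"                # legit Vista entries
    if code == "O1":
        target = value.split()[0] if value.split() else ""
        if target in ("::1", "127.0.0.1"):
            return "ok: loopback hosts entry"
        return "review: non-loopback hosts mapping"
    return "review: verify file and publisher manually"

def triage_log(lines):
    """Pair every line with its verdict so the whole log can be scanned."""
    return [(line, triage(line)) for line in lines]
```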
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: polonus on January 10, 2008, 08:20:36 PM
Hi philly12,

If you are curious about something installed, visit here for info: e.g.

http://www.threatexpert.com/report.aspx?uid=33cde496-294c-490a-a947-5129d57334df

Considering your HJT log:
Fix O2 - BHO: (no name) - AutorunsDisabled - (no file).  This entry is no longer functional or needed.

To do:
Download free rootkit detective here: http://download.nai.com/products/mcafee-avert/McafeeRootkitDetective.zip

Make a folder for it by the name McafeeRootkit Detective in C:\Program Files,
unzip it there, and then run it.

Scan and see whether you have hidden files or hooks.

polonus
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: philly12 on January 11, 2008, 06:12:51 AM
McafeeRootkit Detective is not supported for Vista and will not run because of it (it gives an error message and says that the current version does not support Vista and advises me to check the site it is available at to download the latest version, which I did and got the same message).  IceSword detects rootkits really well, but would you like me to try another rootkit detector, or another security program?
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: galooma on January 11, 2008, 06:39:12 AM
If you still need a free and safe media player that is capable of playing almost anything, you can't go past VLC:
http://www.videolan.org/

Good luck
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: Lisandro on January 11, 2008, 01:06:54 PM
would you like me to try another rootkit detector
For Vista, I suggest AVG (http://www.grisoft.com/doc/download-free-anti-rootkit/us/crp/0) or Trend Micro RootkitBuster (http://www.trendmicro.com/download/rbuster.asp).
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: polonus on January 11, 2008, 04:02:23 PM
Hi philly12,

This free rootkit scanner sure works on Vista:
http://www.softpedia.com/get/Antivirus/F-Secure-BlackLight-Rootkit-Detection.shtml

polonus
Title: Re: Please help me get rid of BHO's and possible trojan(s)
Post by: philly12 on January 12, 2008, 01:17:13 AM
Okay, I have scanned my comp with all three of the recommended anti-rootkits and none of them reported any hidden files or problems.  Is there anything else I should scan for, or any other security program I should use? (I'm still going to scan it again with SAS, Spywareterminator, A-squared, Spyware Doctor Starter Edition, Norton Security Scan, Ad-Aware, ClamWin, and another avast! scan.  Yes, I only run one of the antispyware realtime scanners, Spywareterminator, and I only run one antivirus realtime scanner, avast!).

Thank you cloussau for the link to a safe avi player, and thank you avast! team for being so quick and helpful.

Let me know if I should do anything else to make sure my infection is completely gone.  I already know about *purging* my system restore so you don't have to remind me about that.  If everything is done, then I want to thank you guys for helping me and I appreciate how quick and helpful the avast! forum workers are.