Author Topic: Trojan-gen and others in Adobe reader 9  (Read 29873 times)


mika-nikola

  • Guest
Trojan-gen and others in Adobe reader 9
« on: September 05, 2008, 02:59:02 PM »
Hello!

A few days ago I bought a new computer because the old one died. With the new computer I got Windows XP Home SP2, but it didn't have some programs on it, so I had to download them from the Internet. First was Avast! Home, because I had that on my old computer and it was a good antivirus. :) Yesterday I was downloading Adobe Reader 9 from the official Adobe site adobe.com, and with that I got the Adobe ARI installer .exe with Win32:Trojan-gen. The alarm went on because the scan (for the Internet) is always on. I moved that virus into the Chest and installed Adobe with "no problem", if I can say so >:( ::).

Original file:H:\Documents and Settings\User\Local Settings\Aplication Data\Adobe\Reader9...
Size file: 6848789
Data last change: 12.6.2008 10:10:02 (you must excuse me because english is not my first language and Avast is on my home language so same translation is not original like Avast on english)
Transfer time:  4.09.2008 12:58:11
Category: Infected files
Virus description: Win32: Trojan-gen {Other}
File ID: 4

After that I ran the VRDB Generator, and then I put the computer on a complete scan (when you ask Avast to restart and scan the whole computer at startup, and the whole screen is blue with only white letters that change very fast, I hope you understand ;D ). After that scan it showed me that it didn't find any damaged files and that it had scanned 11684 files.

After that I was downloading Adobe Photoshop CS3 and another alarm came up that it had found a virus, and I put that in the Chest with no problem.

Original file name: PhotoShop CS3 Extended Keygent + Acti...
Original file: J:\Adobe Photoshop CS3
Size file: 174080
Data last change: 24.07.2008  14:11:36
Transfer time: 5.09.2008  12:01:24
Category: Infected files
Virus description: Win32:Horst-AAE {Trj}
File ID: 8

I also need Adobe Flash Player so that I can watch movies on YouTube, so I downloaded that. First I had downloaded Adobe ActiveX Player 9, but it didn't work with that. I had that on my old computer. After that I tried to uninstall it with an .exe file which I found on the official Adobe site adobe.com, and I also got a virus; the alert came on and I put it in the Chest with no problem.

Original file name: unp174322147.tmp
Original file: H:\WINDOWS\TEMP\_avast4_
Size file: 72351
Data last change: 4.09.2008  13:03:12
Transfer time: 4.09.2008  15:03:12
Category: Infected files
Virus description: Win32:Dropper-BDV {Trj}
Could be transfer back: No
File ID: 5



Original file name: unp84679442.tmp
Original file: H:\WINDOWS\TEMP\_avast4_
Size file: 106527
Data last change: 4.09.2008  19:18:03
Transfer time: 4.09.2008  21:18:04
Category: Infected files
Virus description: Win32:Dropper-BDV {Trj}
Could be transfer back: No
File ID: 6

Today I also restarted the computer and put it on a full scan, and it again showed no infected files and no damaged files, and its complete scan showed 11684 files. After that I downloaded the Avast! Virus Cleaner Tool, version 1.0.211 Unicode, and the results of its scan were this:

5.9.2008, 13:10:03
Memory scanning started...
No virus body found in memory.
Memory scanning finished (3,2s).
----------
Files scanning started...
H:\Documents and Settings\Korisnik2\Application Data\Mozilla\Firefox\Profiles\pxulq3f3.default\places.sqlite-journal... file could not be scanned!
H:\Documents and Settings\Korisnik2\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal... file could not be scanned!
H:\Documents and Settings\Korisnik2\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal... file could not be scanned!
H:\WINDOWS\system32\drivers\sptd.sys... file could not be scanned!
No virus body found.
Files scanning finished  (34868 files, 0 infected, 229,3s).
Drives scanned: H: I:
----------
5.9.2008, 13:17:34
Memory scanning started...
No virus body found in memory.
Memory scanning finished (2,0s).
----------
Files scanning started...
H:\Documents and Settings\Korisnik2\Application Data\Mozilla\Firefox\Profiles\pxulq3f3.default\places.sqlite-journal... file could not be scanned!
H:\Documents and Settings\Korisnik2\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal... file could not be scanned!
H:\Documents and Settings\Korisnik2\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal... file could not be scanned!
H:\Documents and Settings\Korisnik2\Local Settings\Temp\~DF9CF.tmp... file could not be scanned!
H:\WINDOWS\system32\drivers\sptd.sys... file could not be scanned!
No virus body found.
Files scanning finished  (34880 files, 0 infected, 163,6s).
Drives scanned: H: I:
----------
My question is: how can I completely remove these viruses from the Chest and from the computer for good?
Should I use something else together with Avast! antivirus to protect my computer from viruses?
Do I need to scan my computer with some other program to see if everything is OK?

Thank you very much for your future help!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Trojan-gen and others in Adobe reader 9
« Reply #1 on: September 05, 2008, 04:18:31 PM »
These false positives were corrected (supposedly) in last virus database... can you update?
The best things in life are free.

mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #2 on: September 05, 2008, 05:34:58 PM »
I scanned my computer with the online Kaspersky scanner and it said: No malware has been detected in Critical Areas, My Computer, Folder, File.
I also used HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 17:27:38, on 5.9.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\Explorer.EXE
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\RTHDCPL.EXE
H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
H:\Program Files\Google\Gmail Notifier\gnotify.exe
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\DAEMON Tools\daemon.exe
H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE
H:\Program Files\Messenger\msmsgs.exe
H:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
H:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
H:\WINDOWS\system32\nvsvc32.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\Alwil Software\Avast4\ashChest.exe
H:\Program Files\Alwil Software\Avast4\ashLogV.exe
H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
H:\Program Files\Alwil Software\Avast4\ashWebSv.exe
H:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.hgspot.hr
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - H:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - H:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] H:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] H:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "H:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "H:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "H:\WINDOWS\TEMP\E_SA8.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [MSMSGS] "H:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: I&zvoz u Microsoft Excel - res://H:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Istraživanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=www.hgspot.hr
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - H:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - H:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - H:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - H:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - H:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe



There is a slight problem. Please can you explain to me correctly what I should do, because I'm not so good with computers.
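As an added example (not code from this thread or from the HijackThis project), here is a small Python parser for the HijackThis log format pasted above. It splits the log into the running-process list and the `R`/`O` entries, then picks out what a reviewer looks at first: `O23` services whose binary HJT reports as missing, and `O4` autostart entries launched from temporary or per-user directories. The sample log is constructed here in the same layout as the post; the `[Updater]` line is made up to exercise the check and is not from the user's machine.

```python
import re
from collections import defaultdict

# Constructed sample in the HijackThis v1.99.1 log layout. Most lines follow the shape of the
# log posted in this thread; the "[Updater]" O4 line is made up here to exercise the check.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 17:27:38, on 5.9.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
H:\WINDOWS\System32\smss.exe
H:\Program Files\Alwil Software\Avast4\ashServ.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mozilla.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - H:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [avast!] H:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [DAEMON Tools] "H:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Updater] H:\Documents and Settings\User\Local Settings\Temp\upd.exe
O23 - Service: avast! Antivirus - ALWIL Software - H:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - H:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# HJT entry lines look like "O4 - <body>"; sections are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: "HKLM\..\Run: [Name] command line"
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Directories a normal autostart rarely lives in (matched case-insensitively on the command).
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")


def parse_hjt(text):
    """Return {'processes': [...], 'entries': {section: [body, ...]}} for one HJT log."""
    processes, entries = [], defaultdict(list)
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries[m["section"]].append(m["body"])
    return {"processes": processes, "entries": dict(entries)}


def autostarts(parsed):
    """(hive, name, command) tuples for every O4 Run entry."""
    out = []
    for body in parsed["entries"].get("O4", []):
        m = O4_RE.match(body)
        if m:
            out.append((m["hive"], m["name"], m["cmd"]))
    return out


def review(parsed):
    """Entries a defender checks first: services HJT could not find on disk, and
    autostarts launched from temporary or user-writable directories."""
    findings = []
    for body in parsed["entries"].get("O23", []):
        if "(file missing)" in body.lower():
            findings.append(("O23 file missing", body))
    for hive, name, cmd in autostarts(parsed):
        if any(d in cmd.lower() for d in SUSPECT_DIRS):
            findings.append(("O4 autostart from temp/user dir", "%s [%s] %s" % (hive, name, cmd)))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(len(parsed["processes"]), "processes;", {k: len(v) for k, v in parsed["entries"].items()})
    for kind, detail in review(parsed):
        print(kind, "->", detail)
```

A "(file missing)" flag is a prompt to look at the path on disk, not a verdict: HJT 1.99.1 can print it for service entries whose quoted executable is followed by arguments (the two avast scanner lines in the post have exactly that shape, and the same binaries appear in the running-process list). The `O4` check is likewise a triage hint; the cure for a confirmed bad entry is removing the persistence and the file, not just the log line.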

wyrmrider

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #3 on: September 05, 2008, 05:49:54 PM »
Do you have avast turned off?
you need to update your definitions in any case
No firewall?
Run Secunia Software Inspector and get your apps up to date

your version of HJT is out of date


mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #4 on: September 05, 2008, 05:53:03 PM »
My avast is always on when I'm on the Internet, with the scan on.
Yesterday avast had its update. Today not yet.
I have the Windows firewall turned on and updates too.

mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #5 on: September 05, 2008, 06:46:11 PM »
I updated avast 5 min ago and it says that it already has the latest update.

I ran Secunia Software Inspector and it said that my Windows was out of date, and I updated it; it also said that my Adobe Flash Player is out of date, and I updated that as well.

Now when I run Secunia Software Inspector it says that my Java applet is having a problem loading in my browser (that is Mozilla Firefox 3.0.1), and Secunia Software Inspector doesn't want to scan my apps any more. It just stands there and does nothing.
« Last Edit: September 05, 2008, 06:51:44 PM by mika-nikola »

wyrmrider

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #6 on: September 05, 2008, 06:54:24 PM »
look in Add/Remove Programs and in the folder where your Java downloads/apps are and see if you have one or more old versions
if so run JavaRa to remove all old versions - which are still vulnerable - then reinstall the latest Java
or let JavaRa look for you
over the years Java has been downloaded to/installed in several folders under several naming schemes

we recommend NOT the XP firewall
which browser?

mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #7 on: September 05, 2008, 07:10:20 PM »
I have the latest Java, installed two days ago. That is Java Platform Standard Edition, Version, Update 7 (build 1.6.0_07_b06), Copyright 2008 Sun Microsystems, Inc., from the official site Java.com.

And I have only one Java installed, this latest version, in my Add/Remove Programs list. I have checked now.

Which firewall is good to use?

My browser is Mozilla Firefox 3.0.1 (if I'm wrong please tell me, because I'm not exactly sure what a browser is).

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Trojan-gen and others in Adobe reader 9
« Reply #8 on: September 05, 2008, 07:54:33 PM »
My avast is always on when I'm on the Internet, with the scan on.
Do you turn avast off when you're not online?

Yesterday avast had its update. Today not yet.
So, update it and the false positive could be gone.
The best things in life are free.

wyrmrider

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #9 on: September 05, 2008, 08:00:06 PM »
looks as if you are on the right track
answer tech's questions

Comodo and PC Tools are recommended
expect a learning curve as you teach them what they may and may not allow
lots of threads in this forum if you want to read up

I'd recommend you install a Hosts file
MVPS
or
hpHosts

The "ON ACCESS" scanner needs to be on with the Avast protection scheme
many files are encrypted or packed where they cannot be scanned with an "on demand" scanner
so bad things only show up when you access them
also with the possibility of infected CDs and USB sticks the Internet is not the only source of infection
-floppies-?
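To show what the MVPS/hpHosts recommendation above actually does, here is an added Python example (not code from this thread, MVPS or hpHosts) that parses a hosts file in their layout, answers "what would this name resolve to" the way the local resolver does (first matching entry wins), reports whether a name is sunk to a black-hole address, and merges new entries without duplicates, which is the manual merging the partial-update file in those downloads requires. The sample hosts text is constructed here; the `.test` names are placeholders, not real blocklist data.

```python
# Constructed sample hosts file in the layout MVPS and hpHosts use: one address, then one or
# more names per line, with '#' comments. The .test names are placeholders, not real entries.
SAMPLE_HOSTS = """# Constructed sample, not a real hpHosts/MVPS release
127.0.0.1 localhost
::1       localhost
0.0.0.0   ad.example-tracker.test      # sink to 0.0.0.0: nothing listens there
0.0.0.0\tbanner.example-tracker.test
127.0.0.1 www.example-malware.test   # older lists sink to the loopback instead
"""

# Addresses blocklists use to "black-hole" a name.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the first address listed for it.
    Comments and blank lines are skipped; the first entry wins, as in the system resolver."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                      # an address with no names is not an entry
        ip, names = parts[0], parts[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def resolves_to(table, hostname):
    """Address the hosts file would answer with, or None if DNS would be consulted."""
    return table.get(hostname.lower())


def is_blocked(table, hostname):
    """True when the name is pinned to a black-hole address (localhost itself is legitimate)."""
    ip = resolves_to(table, hostname)
    return ip in BLACKHOLE and hostname.lower() != "localhost"


def merge(table, additions):
    """Add {name: address} entries that are not yet present; return how many were added."""
    added = 0
    for name, ip in additions.items():
        key = name.lower()
        if key not in table:
            table[key] = ip
            added += 1
    return added


def render(table):
    """Serialise back to hosts-file text, one entry per line, sorted by name."""
    return "\n".join("%s\t%s" % (ip, name) for name, ip in sorted(table.items())) + "\n"


if __name__ == "__main__":
    t = parse_hosts(SAMPLE_HOSTS)
    for name in ("localhost", "ad.example-tracker.test", "example.org"):
        print(name, "->", resolves_to(t, name), "blocked" if is_blocked(t, name) else "")
    print(merge(t, {"new.example-tracker.test": "0.0.0.0"}), "entry merged")
```

Two limits worth knowing before relying on this: a hosts file only affects lookups by name, so anything contacted by IP address is untouched, and names sunk to 127.0.0.1 will still reach a web server listening on the local machine (that is why the hpHosts page offers eDexter, a tiny local HTTP server that answers those requests). Very large hosts files are also why that page ships batch files to disable the Windows DNS Client service, which on XP can become slow with tens of thousands of entries.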

mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #10 on: September 05, 2008, 08:12:42 PM »
No, I don't turn off avast when I'm not on the Internet; it is running all the time, only the scan is on just for the Internet.

I updated avast today:

Informacije o trenutnoj nadogradnji:
Ukupno vrijeme: 42 s

- Program: Već je najnoviji
  (trenutna verzija 4.8.1229)
- Vps: Već je najnoviji
  (trenutna verzija 080905-0)

Poslužitelj: download502.avast.com (75.126.53.169)
Preuzete datoteke: 4 (1,03 KB)
Vrijeme preuzimanja: 27 s


nformacije o trenutnoj nadogradnji:
Ukupno vrijeme: 15 s

- Vps: Već je najnoviji
  (trenutna verzija 080905-0)

Poslužitelj: download939.avast.com (74.54.25.66)
Preuzete datoteke: 2 (0,02 KB)
Vrijeme preuzimanja: 6 s
 

I'm sorry that this is in my home language (that's Croatian), but you can see it already has the latest update (trenutna verzija 4.8.1229) and (trenutna verzija 080905-0).

I'm installing firewall protection from PC Tools Firewall now.


PC Tools Firewall is warning me that I need to REBOOT my computer!

HELP ME!!! I don't know how to do that. There is one problem on my computer: Windows is in Croatian, and when someone writes in English what to do, I have a problem with that. Can someone put up some pictures with a description of how to do that, or a full-size description???

Please help me!!!!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: Trojan-gen and others in Adobe reader 9
« Reply #11 on: September 05, 2008, 08:19:45 PM »
No, I don't turn off avast when I'm not on the Internet; it is running all the time, only the scan is on just for the Internet.
Ok.

(trenutna verzija 080905-0).
Does avast still detect Acrobat Reader 9.0 as being infected?

I'm installing firewall protection from PC Tools Firewall now.
PC Tools Firewall is warning me that I need to REBOOT my computer!
What's the matter? Just restart the computer to finish the installation...
The best things in life are free.

wyrmrider

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #12 on: September 05, 2008, 08:22:14 PM »
To reboot your computer is Shutdown and Restart
click on Start, lower left side of screen
click Shutdown
etc

My sister just bought a place in Croatia
Your English is much better than my Croatian :)

mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #13 on: September 05, 2008, 08:43:46 PM »
Thank you very much to everyone who has so much patience for me and my problems.
I learn something new about my computer every day, like this thing that reboot means restart the computer.

I have more questions about this here:

I'd recommend you install a Hosts file
MVPS
or
HPHOST




Which one of these things do I need to download?


Available Download Mirrors
MD5: 7E177B1EE419AE83C6F76E494D29391A    Primary
hpHosts-Setup-Win32.exe (522K)    The HOSTS File installer for Windows
Updated: Tue 26th August 2008

MD5: B1713F8E167F738FF55E87632826EE5D    Primary
hosts.txt (1.53MB)    The HOSTS File for Windows/Linux (please only use this if you experience problems with the above 2 packages).
Updated: Tue 26th August 2008

MD5: 1B5285D4CA465BC7A6013B7E702B4979
mac_hosts.zip (323K)    The HOSTS File for the MAC OS
Updated: Tue 26th August 2008

MD5: EE1C464BB6CDF11258F14AF065E18759    Primary
Additional Downloads
hosts-partial.asp    This file contains a list of site's that have been added AFTER the last full release of hpHosts. This should ONLY be downloaded by those currently using hpHosts, and requires manual merging.    HTML
No HTML
Yahoo_Servers.zip (2K)    Optional addition containing the Yahoo servers for those that wish to block them
Updated: Thu 4th October 2007

MD5: CE251DB0AD67C0A49155DF66614F95B1    Download
Documents
readme.txt    HOSTS Installation, Support, etc.    View
PGP Keys
hpsig.zip    hpGuru's PGP Public Key Block    Download
mfmcsig.zip    MysteryFCM's PGP Public Key Block    Download
Misc Tools
WinDef_Hosts.zip    Restore Windows default HOSTS file

MD5: 38ADFA9FA4E2C330B946CD18982AAE6D    Download
EnDisDNS.zip    Batch files to enable/disable Windows DNS Client

MD5: FAF55EE37EB431DDB49590EB120549E4    Download
appendhosts.zip    Updated! Append to Hosts VBS Script v1.7 for appending your entries to the HOSTS File (Don't forget to submit the bad sites you find for inclusion in the next update here).
This script is UNSUPPORTED.

MD5: 68aedda6c86b983c87a9554f4f67b008    Download
hostsdiag.zip    hpGuru's HOSTS Diagnostic Utility.

MD5: 5D1251D312329B0EB3E0E55A58B39EF5    Download
hbypass.zip    Hosts Bypass is a Proxomitron filter which allows users to visit sites blocked by their hosts file without the need to remove them after each and every hosts update.

MD5: eabf46f7e9097603ea5e3c020516da29    Download
dcsmd5.zip    DiamondCS MD5 utility for verifying MD5 hash    Download
eDexter    A tiny HTTP server which greatly improves Ad blocking via the HOST



About whether Avast still detects Acrobat Reader 9 as being infected:

No, it does not. The first time the alarm went on because of Adobe Reader 9, I put that virus in the Chest and it is still there. That also goes for the other viruses that I mentioned in my first post.

Can I remove these viruses from the Chest and my computer for good?
« Last Edit: September 05, 2008, 08:46:36 PM by mika-nikola »
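The download listing quoted in the post above publishes an MD5 for each package and points at a "DiamondCS MD5 utility for verifying MD5 hash". As an added example (not code from this thread, hpHosts or DiamondCS), here is a Python version of that check: it streams a file through `hashlib`, infers the algorithm from the published digest's length, and compares case-insensitively in constant time. The sample file it hashes is constructed on the fly in a temporary directory; no real download or real published hash from the listing is used, so the expected digests below are those of the constructed content only.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK = 1 << 20  # read in 1 MiB pieces so a large installer never sits in memory at once

# Hex-digest lengths for the algorithms download pages commonly publish.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256"}


def file_digest(path, algo="md5"):
    """Hex digest of a file, computed in chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, published_hex, algo=None):
    """True when the file's digest equals the published one (case-insensitive).
    The algorithm is inferred from the digest length unless given explicitly."""
    expected = published_hex.strip().lower()
    algo = algo or ALGO_BY_LENGTH.get(len(expected))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(expected))
    actual = file_digest(path, algo)
    # compare_digest avoids leaking where the first mismatching character is.
    return hmac.compare_digest(actual, expected)


def write_constructed_sample(directory=None):
    """Write a small constructed file (the bytes b'hello') and return its path.
    Exists only so the demonstration runs offline; it is not a real download."""
    directory = directory or tempfile.mkdtemp(prefix="hashdemo-")
    path = os.path.join(directory, "constructed-sample.bin")
    with open(path, "wb") as f:
        f.write(b"hello")
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    print("md5   ", file_digest(sample, "md5"))
    print("sha256", file_digest(sample, "sha256"))
    # The published value may be upper-case, as on the hpHosts page; verify() normalises it.
    print("matches published MD5:", verify(sample, "5D41402ABC4B2A76B9719D911017C592"))
```

A matching digest tells you the file is the one the publisher hashed only if the hash reached you over a channel the same attacker could not also rewrite, which is why the listing also offers the maintainers' PGP public keys: a signature check covers both the file and the hash. MD5 itself is collision-broken, so treat a match as protection against a corrupted or swapped download, not as proof of authorship against a capable adversary; prefer SHA-256 where the publisher offers it.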

mika-nikola

  • Guest
Re: Trojan-gen and others in Adobe reader 9
« Reply #14 on: September 05, 2008, 09:59:06 PM »
I have also installed the PC Tools program for malware.

Is it good? Or is something else better?



My Sister just bought a place in Croatia
Your English is much better than my Croatian :)


You speak Croatian?! That's great!!!! :D It is a heavy language to learn, especially the grammar. I finished my schooling 10 years ago and I was born here, but our grammar is still hard.
I learned English through the Cartoon Network channel ;D and many movies in English with Croatian subtitles, and also in school. OK, my grammar is not perfect, but it's understandable and I always have a dictionary near my hand. ;D

Is someone from your family from Croatia?

I'm glad for your sister that she bought a place in Croatia; it's a nice country, but beware of our bureaucracy (people who work in offices for our government, like in a police station, or doctors and others); we still have a lot of problems with corruption (people who take money when they shouldn't).

I hope you like Croatia?