PC Tools Community Forum > PC Tools Products > Spyware Doctor

#1  08-12-2007, 02:26 PM
tinman9898 (Member; Join Date: Aug 2007; Posts: 14)
SD not removing Trojan-Downloader.Small.CML

SD detected this on my PC, but when I tried to remove it the Fix button greys out, the progress bar remains blank and SD just seems to sit there doing nothing. SD hasn't frozen, as I can shut it down or do other things with it; it just doesn't seem to want to remove the trojan...

Advice please...
#2  08-12-2007, 02:46 PM
tom.tdw (Expert Volunteer, Subscriber; Join Date: Mar 2007; Location: United Kingdom; Posts: 1,179)

Hi,
Could you try scanning again in Safe Mode with Networking?
#3  08-12-2007, 03:49 PM
tinman9898 (Member; Join Date: Aug 2007; Posts: 14)
Tried in Safe Mode

Clicked Fix and the progress bar got about two blocks along, and then the screen went black and my PC rebooted...

More advice please...
#4  08-12-2007, 03:58 PM
mjq424 (Moderator, Volunteer Guru, Subscriber; Join Date: Feb 2007; Location: Birmingham, UK; Posts: 2,847)

Hi,
Can you post the scan reports on the forum?
Also, please download HijackThis:
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch HijackThis.
  • Click on the "Do a system scan and save a logfile" button. It will scan, and the log should open in Notepad.
  • Copy/paste the log into your next reply, please.
  • Don't use the "Analyse This" button; its findings are dangerous if misinterpreted.
  • Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
Regards,
Matt
PC Tools Community Forum Volunteer
#5  08-12-2007, 05:10 PM
tinman9898 (Member; Join Date: Aug 2007; Posts: 14)
HijackThis log

Couldn't find a log for the scan results from SD, but here is the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:04:57, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\program files\a-squared Free\a2service.exe
D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
D:\program files\avgantispyware\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\AVGANT~3\avgamsvr.exe
D:\PROGRA~1\AVGANT~3\avgupsvc.exe
D:\PROGRA~1\AVGANT~3\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
D:\program files\comodomalwarecleaner\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
D:\program files\Comodo\Firewall\cmdagent.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
D:\program files\Spyware Doctor\svcntaux.exe
D:\program files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\system32\svchost.exe
D:\program files\uphcs\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
D:\program files\Spyware Doctor\SDTrayApp.exe
D:\program files\omnipage\OpwareSE2.exe
D:\program files\Comodo\Firewall\CPF.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
D:\program files\speedtouch\Dragdiag.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
D:\PROGRA~1\AVGANT~3\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\program files\Last.fm\LastFMHelper.exe
D:\program files\Secretmaker\SECUREMAKER\SecureMaker.exe
D:\program files\SpywareGuard\sgmain.exe
D:\program files\SpywareGuard\sgbhp.exe
D:\program files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Octoshape Streaming Services\tinman\OctoshapeClient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\program files\adobeacrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - D:\program files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O2 - BHO: (no name) - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O3 - Toolbar: ReadingBar - {5420be57-2ed4-4f4f-9eb9-381cec2290e7} - D:\program files\readingbar\ReadBar\ReadBar.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [OpwareSE2] "D:\program files\omnipage\OpwareSE2.exe"
O4 - HKLM\..\Run: [Comodo Firewall] "D:\program files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "D:\program files\speedtouch\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\AVGANT~3\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "D:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\program files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [SDTray] D:\program files\Spyware Doctor\SDTrayApp.exe
O4 - HKLM\..\RunOnce: [MRUBlaster] D:\program files\MRU-Blaster\indexcleaner.exe -COOKIES
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\tinman\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] D:\PROGRA~1\AVGANT~3\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: MRU-Blaster Silent Clean.lnk = D:\program files\MRU-Blaster\mrublaster.exe
O4 - Startup: SpywareGuard.lnk = D:\program files\SpywareGuard\sgmain.exe
O4 - Global Startup: Last.fm Helper.lnk = D:\program files\Last.fm\LastFMHelper.exe
O4 - Global Startup: SECUREMAKER.lnk = D:\program files\Secretmaker\SECUREMAKER\SecureMaker.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - D:\program files\HiDownload\HiDownload\hidownload.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1184179102926
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1184178448294
O16 - DPF: {79E0C1C0-316D-11D5-A72A-006097BFA1AC} (EPSON Web Printer-SelfTest Control Class) - http://support.epson-europe.com/self...g/ESTPTest.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3454D00-DB38-4012-BE19-E03F1C2314D4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: caabcafbfc - C:\WINDOWS\system32\caabcafbfc.dll
O20 - Winlogon Notify: SASWinLogon - D:\ProgramFiles\superantispyware\SASWINLO.dll
O20 - Winlogon Notify: winsfd32 - C:\WINDOWS\SYSTEM32\winsfd32.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - D:\program files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\program files\avgantispyware\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGANT~3\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGANT~3\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\AVGANT~3\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BOCore - COMODO - D:\program files\comodomalwarecleaner\BOCORE.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\program files\Comodo\Firewall\cmdagent.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NBService - Nero AG - D:\program files\nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - D:\program files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - D:\program files\Spyware Doctor\swdsvc.exe

--
End of file - 11844 bytes
#6  08-12-2007, 05:56 PM
tom.tdw (Expert Volunteer, Subscriber; Join Date: Mar 2007; Location: United Kingdom; Posts: 1,179)

Hi,
These lines seem to be infected:
  • C:\WINDOWS\SYSTEM32\winsfd32.dll
  • C:\WINDOWS\system32\caabcafbfc.dll
I can't find much info, but I think they are Smitfraud/PurityScan related.

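The log in post #5 and the two Winlogon Notify DLLs tom.tdw singled out in post #6 are the kind of thing a reviewer triages by rule rather than by eye. The script below is an added example by the editor; it is not part of the thread, of HijackThis or of Spyware Doctor. It parses HijackThis "Oxx - " lines and flags, for review only, the entries a practitioner would look at first: O20 Winlogon Notify packages whose name is not on a small allow-list and looks machine-generated, a browser ProxyServer pointing at loopback (the log's 127.0.0.1:81 means some local process is proxying IE traffic and should be identified), an O17 hard-coded NameServer that should be checked against the ISP's, and a BHO with no name but a file present on disk. The allow-list, the random-name heuristic and the SAMPLE_LOG (a constructed subset of the posted log) are this script's assumptions; a hit is a pointer to verify the file's publisher and signature, not a verdict that it is malicious.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example by the editor; it is not part of the forum thread, of
HijackThis or of Spyware Doctor. SAMPLE_LOG is constructed from lines
quoted in the thread. The allow-list and the "random-looking name" rule are
assumptions of this script. Every hit is a pointer to review, not a verdict:
check the file's publisher and signature before deleting anything.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

# Winlogon Notify subkeys commonly present on a clean XP box, plus the
# SUPERAntiSpyware one seen in the thread (assumed list, not authoritative).
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "scardsvr", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "saswinlogon",
}

# Constructed sample: a subset of the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: (no name) - {02DCA195-602B-4B1F-83FF-381B7E804BDB} - C:\WINDOWS\system32\HDBHO.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: IeHelper Class - {A491D208-B353-490F-B81A-A8A3DC97042D} - C:\WINDOWS\system32\smiehlp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3454D00-DB38-4012-BE19-E03F1C2314D4}: NameServer = 205.188.146.145
O20 - Winlogon Notify: caabcafbfc - C:\WINDOWS\system32\caabcafbfc.dll
O20 - Winlogon Notify: SASWinLogon - D:\ProgramFiles\superantispyware\SASWINLO.dll
O20 - Winlogon Notify: winsfd32 - C:\WINDOWS\SYSTEM32\winsfd32.dll
"""

LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
VOWELS = set("aeiouy")


def parse(log_text):
    """Yield (section, body) for each HJT finding line. The header, the
    running-process list and the footer lack the 'Oxx - ' shape and are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")


def looks_random(stem):
    """Heuristic: a module name made only of hex letters, or one that is long
    and nearly vowel-free, is the kind of name droppers generate. Tuned on the
    two names in the thread; expect false positives elsewhere."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 6:
        return False
    if re.fullmatch(r"[a-f]+", letters):
        return True
    return sum(c in VOWELS for c in letters) / len(letters) < 0.25


def triage(log_text):
    """Return a list of Finding for the lines a reviewer should look at."""
    findings = []
    for section, body in parse(log_text):
        line = f"{section} - {body}"
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # shape: "Winlogon Notify: <subkey> - <dll path>"
            subkey, _, path = body[len("Winlogon Notify:"):].strip().partition(" - ")
            if subkey.lower() in KNOWN_WINLOGON_NOTIFY:
                continue
            stem = re.sub(r"\.dll$", "", path.rsplit("\\", 1)[-1], flags=re.I)
            if looks_random(subkey) or looks_random(stem):
                reason = f"Winlogon Notify DLL with random-looking name: {path}"
            else:
                reason = f"Winlogon Notify subkey not in allow-list, verify publisher: {path}"
            findings.append(Finding(section, reason, line))
        elif section == "R1" and "ProxyServer" in body:
            proxy = body.split("=", 1)[1].strip()
            if proxy.startswith(("127.", "localhost")):
                findings.append(Finding(
                    section, f"browser proxy is loopback {proxy}; identify the process listening there", line))
        elif section == "O17":
            server = body.split("=", 1)[1].strip()
            findings.append(Finding(
                section, f"hard-coded DNS server {server}; confirm it belongs to your ISP", line))
        elif section == "O2" and "(no name)" in body and not body.endswith("(no file)"):
            # "(no file)" entries are orphaned registrations; only a present file matters.
            path = body.rsplit(" - ", 1)[-1]
            findings.append(Finding(section, f"nameless BHO with a file on disk: {path}", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

Run against the sample it reports the two Winlogon Notify DLLs from post #6, the loopback proxy, the NameServer entry and HDBHO.dll, and stays silent on the SUPERAntiSpyware notifier, the named IeHelper BHO and the orphaned "(no file)" entry. Feed it a full log saved by HijackThis and treat each hit as a question to answer with the file's signature and vendor, not as a removal list.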
#7  08-12-2007, 06:34 PM
mjq424 (Moderator, Volunteer Guru, Subscriber; Join Date: Feb 2007; Location: Birmingham, UK; Posts: 2,847)

Hi,
Download and run ComboFix. Note: do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.
#8  08-12-2007, 07:15 PM
tinman9898 (Member; Join Date: Aug 2007; Posts: 14)
ComboFix log

The forum won't let me post the log; it says it's too long...
#9  08-12-2007, 07:41 PM
tom.tdw (Expert Volunteer, Subscriber; Join Date: Mar 2007; Location: United Kingdom; Posts: 1,179)

Split it between several posts.
#10  08-12-2007, 08:15 PM
Support (Moderator, Subscriber; Join Date: Nov 2006; Posts: 630)

Hey guys...

Please note that Spyware Doctor is able to remove Trojan-Downloader.Small.CML.

Details of the selected infection are shown below. This infection can be detected and cleaned using Spyware Doctor.

Name: Trojan-Downloader.Small.CML
Risk Level:
Description: Trojan.Downloader.Small.CML will attempt to connect to a pre-determined website and download additional malware. It will also download a list of commands to execute.
Type: Trojan
Also known as: Troj/BckDr-DKG [Sophos] Trojan.Win32.Agent.qt [Kaspersky] Back
Removal: This infection can be removed using Spyware Doctor.

Tinman, please can you make sure that you have the latest version of Spyware Doctor with updated signatures.

Cheers
All times are GMT.