PDA

View Full Version : Trojan Downloader causing 100% CPU Usage?


Padgoi
2008-01-06, 09:22
In a nutshell, my computer is running at 100% usage and it looks as if Explorer.exe is the culprit.

Ok, so I posted a HiJackThis log over in the DellCommunity forums and it came back fairly clean. So the guy helping me asked me to scan my computer using ComboFix, which I did, and that log also came back clean. He then asked me to scan my computer using the Kaspersky Online Scanner and post the log, which I did over there, but I was curious if anyone here could help me in the process as well. This is the second time I ran the Kaspersky Scanner, after I ran it the first time, I used the VundoFix program to delete the infected files, but after scanning again, the viruses are still there. Can anyone PLEASE help me get rid of these viruses and stop my computer from running at 100% usage all the time? Thanks in advance. Here is the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 07, 2008 2:45:48 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/01/2008
Kaspersky Anti-Virus database records: 503005
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 66770
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 2
Duration of the scan process: 00:58:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\SupportSoft\DellSupportCenter\SYSTEM\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\PS2Trial.wpl Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop.ini Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\DESKTOP.INI Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Thumbs.db Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg Object is locked skipped
C:\Documents and Settings\All Users\Documents\My Videos\Desktop.ini Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\cert8.db Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\history.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\key3.db Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\parent.lock Object is locked skipped
C:\Documents and Settings\Doug Liquori\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Doug Liquori\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\ApplicationHistory\sprtcmd.exe.63e7480d.ini.inuse Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\Mozilla\Firefox\Profiles\ody78xgs.Default User\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Application Data\SupportSoft\DellSupportCenter\Doug Liquori\state\logs\sprtcmd.log Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\History\History.IE5\MSHist012008010720080108\index.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Temp\Perflib_Perfdata_48c.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Temp\Perflib_Perfdata_808.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Temp\Perflib_Perfdata_b0c.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Doug Liquori\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Doug Liquori\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20061105223452.zip/uninst.exe Suspicious: Password-protected-EXE skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\20061105223452.zip ZIP: suspicious - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\DRIVERS\rfncpjsr.dat.vir Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP38\A0019530.dll Infected: SpamTool.Win32.Agent.eh skipped
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP38\change.log Object is locked skipped
C:\VundoFix Backups\A0017177.exe.bad Infected: Trojan-Downloader.Win32.Injecter.dd skipped
C:\VundoFix Backups\prx93f.dll.bad Infected: SpamTool.Win32.Agent.eh skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2F523A30-1269-4BC5-AB1A-A84A9454A5AA}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\ACEEvent.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
pskelley
2008-01-06, 15:39
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Not that you need the instructions, but they are pinned to the top of the forum, including this one:


Posters who start topics at multiple sites for their PC problem waste valuable volunteer resources, so please don't. Our volunteer helpers assist people at several sites. A member's username may be different, the problem will not be. The folks at Dell Forum are well qualified, removing the junk takes time, remember the hackers do all they can to keep us from doing that so it is often trial and error when the junk is hidden.

I will tell you Kaspersky shows this:
C:\Program Files\Yahoo!\YPSR\Quarantine\20061105223452.zip
C:\VundoFix Backups\A0017177.exe.bad
C:\VundoFix Backups\prx93f.dll.bad

One item is quarantined in Yahoo and the other two are in Vundofix Backups...none of those can harm you and helpers usually remove that stuff near the end of the cleanup so it only has to be done once. Be patient with your helper at Dell Forum, the option is to drag it to the shop.

Thanks
Padgoi
2008-01-06, 16:59
Thank you, but the guy who is helping me over at DellCommunity only seems to respond once per day or once every 2 days and I'm really trying desperately to clean up my comp, it's running very slowly.

Can you please offer some help to solve this problem?