  #1 - Member (Join Date: Mar 2006, Posts: 4, Points: 0)

    IDP.Trojan.5E976F8B and IE 8 Windows ReOpening

    I have been having a couple of problems with my PC. First, I was having problems with my Yahoo toolbar - when I open a new IE window, sometimes it will open with the space for my toolbar there, but it shows whatever is behind that window - and so I tried to remove it and reinstall, but when I remove it my AVG tells me I have a trojan, IDP.Trojan.5E976F8B, in the file unyt_bs.exe. I have removed the Trojan to the Virus Vault and deleted the file, but it just keeps happening.

    My second issue is that every once in a while, when I try to close an IE window, it will reopen the same window as a new tab and keep reopening it until I have to end it in my Task Manager. Here are my logs, please help.

    SUPERAntiSpyware Scan Log

    Generated 01/17/2013 at 05:12 AM

    Application Version : 5.6.1014

    Core Rules Database Version : 9885
    Trace Rules Database Version: 7697

    Scan type : Complete Scan
    Total Scan Time : 00:51:49

    Operating System Information
    Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
    Administrator

    Memory items scanned : 557
    Memory threats detected : 0
    Registry items scanned : 37576
    Registry threats detected : 0
    File items scanned : 67195
    File threats detected : 27

    Adware.Tracking Cookie

    Malwarebytes Anti-Malware 1.70.0.1100

    Database version: v2013.01.17.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    Todd :: MYPC [administrator]

    1/17/2013 5:14:57 AM
    mbam-log-2013-01-17 (05-14-57).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 324995
    Time elapsed: 3 hour(s), 36 minute(s), 4 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 10:09:04 PM, on 1/17/2013
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\PROGRA~1\AVG\AVG2013\avgrsx.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Browny02\Brother\BrStMonW.exe
    C:\Program Files\AVG\AVG2013\avgui.exe
    C:\Program Files\DivX\DivX Update\DivXUpdate.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\ControlCenter4\BrCtrlCntr.exe
    C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG2013\avgidsagent.exe
    C:\Program Files\ControlCenter4\BrCcUxSys.exe
    C:\Program Files\AVG\AVG2013\avgwdsvc.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\AVG\AVG2013\avgnsx.exe
    C:\Program Files\Java\jre7\bin\jqs.exe
    C:\Program Files\AVG\AVG2013\avgemcx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\Browny02\BrYNSvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\AVG\AVG2013\avgcsrvx.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Yahoo!\Companion\Installs\cpn3\ytbb.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
    R3 - URLSearchHook: YTNavAssistPlugin Class - {81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll
    O2 - BHO: Free Download Manager - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
    O4 - HKLM\..\Run: [ControlCenter4] C:\Program Files\ControlCenter4\BrCcBoot.exe /autorun
    O4 - HKLM\..\Run: [BrStsMon00] C:\Program Files\Browny02\Brother\BrStMonW.exe /AUTORUN
    O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1355996880359
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgidsagent.exe
    O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2013\avgwdsvc.exe
    O23 - Service: BrYNSvc - Brother Industries, Ltd. - C:\Program Files\Browny02\BrYNSvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe
    O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
    O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

    --
    End of file - 7851 bytes
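An added example, not part of the original post and not code from HijackThis: a small Python triage script that parses entry lines in the format of the HijackThis log above and flags the things a helper checks by eye, namely entries marked "(file missing)" (such as the O18 linkscanner entry still pointing at an AVG 2012 DLL), O4 Run values that are bare filenames or unquoted paths containing spaces, and O23 services with no recorded owner. The sample lines are copied from the log; the triage rules are the example's own.

```python
import re

# Constructed sample: entry lines copied from the HijackThis log posted
# above. The log format is HijackThis's; the triage rules are this example's.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DivXMediaServer] C:\Program Files\DivX\DivX Media Server\DivXMediaServer.exe
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2013\avgui.exe" /TRAYONLY
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\\w+: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
EXE_RE = re.compile(r'^(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def parse_hjt(text):
    """Yield (code, body) for every HijackThis entry line; skip the rest."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def triage(text):
    """Return (code, reason, body) tuples for entries that deserve a manual check."""
    findings = []
    for code, body in parse_hjt(text):
        # Orphaned entry: the registry still points at a file that is gone,
        # usually leftover from an uninstall (here an old AVG 2012 DLL).
        if body.endswith("(file missing)"):
            findings.append((code, "file missing", body))
        if code == "O4":
            run = RUN_RE.match(body)
            cmd = run.group("cmd") if run else body
            exe = EXE_RE.match(cmd)
            if cmd.startswith('"'):
                pass  # quoted path, unambiguous
            elif exe and "\\" not in exe.group("path"):
                # Bare file name: resolved via the search path at logon, so
                # confirm which copy of the binary actually runs.
                findings.append((code, "bare filename", body))
            elif exe and " " in exe.group("path"):
                # Unquoted path with spaces: Windows tries each space-split
                # prefix first; fix by quoting the value in the Run key.
                findings.append((code, "unquoted path with spaces", body))
        if code == "O23" and " - Unknown owner - " in body:
            # No publisher recorded for the service binary: verify it.
            findings.append((code, "unknown service owner", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}: {body}")
```

Running it against the full log pasted above (instead of the constructed sample) is a one-line change to what is passed to triage().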

  #2 - Member Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)

    Hello,

    I think this may be a case of a False Detection by AVG.
    Please go here and submit the file for inspection.
    AVG | Report on a false detection
    " Extinguishing Malware from the world"

    The Spyware Help forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.
    HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
    Thanks-




  #3 - Member (Join Date: Mar 2006, Posts: 4, Points: 0)

    I will do that. However, the file that the Yahoo toolbar uninstall creates, unyt_bs.exe, is not the file it should be creating, which is unyt.exe. Also, I have researched the bs file and I have seen at least one reference to this being a trojan.

  #4 - Member Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)

    > I will do that. However, the file that the Yahoo toolbar uninstall creates, unyt_bs.exe, is not the file it should be creating, which is unyt.exe. Also, I have researched the bs file and I have seen at least one reference to this being a trojan.
    You think I haven't researched the file myself?

    IDP.Trojan.5E976F8B
    This is a generic detection. Usually detected by the heuristics. And since you have no signs of an infection, I believe it's a false positive.



    You can also submit it at Jotti or VirusTotal and have it scanned and post back the results.

    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Please click this link-->Jotti

    When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

    THE SUSPECTED BAD FILE

    Please post back the results of the scan in your next post.

    If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

  #5 - Member (Join Date: Mar 2006, Posts: 4, Points: 0)

    So I went to Jotti and you were right, the file came up clean. Thank you for helping me with that issue. One question: do you have any idea why I am having the IE issues? When I X out of an IE window, sometimes that window gets automatically opened as a new tab or a new window and keeps replicating until I usually have to kill the window from Task Manager. Thank you for your help and also thanks for the Jotti website.

  #6 - Member Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)

    > So I went to Jotti and you were right, the file came up clean. Thank you for helping me with that issue. One question: do you have any idea why I am having the IE issues? When I X out of an IE window, sometimes that window gets automatically opened as a new tab or a new window and keeps replicating until I usually have to kill the window from Task Manager. Thank you for your help and also thanks for the Jotti website.

    This is kinda strange to me. I wanna check to make sure there is not an ongoing or previous infection. If no infection, we will have you post in the Computer Help portion of the forums.

    Please run these diagnostic tools and post their logs.

    1. Please download aswMBR (511KB) to your desktop.
    • Double click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

    2. Please download GMER from one of the following locations and save it to your desktop:

    • Main Mirror which will download a randomly named file
    • Zipped Mirror - Unzip the file to its own folder such as C:\gmer
    • Disconnect from the Internet and close all running programs
    • Temporarily disable any real-time active protection
    • It is very important you do not use your computer while GMER is running
    • Double-click on the randomly named GMER icon
    • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
    • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
    • Please check in the Quick scan box
    • Please uncheck the following:
      • IAT/EAT
      • Show All <<< Important


    • Click Scan
    • If you see a rootkit warning window click OK
    • When the scan is finished, Save the results to your desktop as gmer.log
    • Click Copy then paste the results in your reply
    • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled

    Note:
    • If you encounter any problems, try running GMER in Safe Mode
    • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning


    3. Download AdwCleaner
    • Double click on AdwCleaner.exe to run the tool.
      ***Note: Windows Vista and Windows 7 users:
      Right click on the adwCleaner.exe and select
    • Click the Search button.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your next reply.
    • Or you can find the logfile at C:\AdwCleaner[R1].txt.


    Things to include in your next reply:
    aswMBR log
    GMER log
    AdwCleaner log

  #7 - Member Spyware Fighter (Join Date: Jun 2010, Location: Bement, Ill USA, Posts: 1,340, Points: 146)

    Hello.

    There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
    If you are the topic starter and need this topic reopened, send me a message.

    Everyone else, please begin a new topic.

    With Regards,
    fireman4it