
ALEXA Claria ntvdm.exe trojan spybot dialer

Post by matobago » July 3rd, 2007, 1:26 pm

Hi,

I have a huge problem: my whole network is infected with an invincible trojan. My antivirus and Ad-Aware first said it was Delsim; when I thought that was deleted, Downloader appeared, then Spybot, and now it's Banker. I used a lot of anti-spyware software (Ad-Aware, Avast, a-squared, Spybot and Solo, and of course Norton Antivirus); all of these said they fixed and removed a lot of spyware and malware, but when I want to restart my Win 2000 I get a restart loop. Then I tried to restore with my installation disk; I could restore it, but I still have the virus, trojan or whatever in ntvdm.exe. So I decided to post this and include my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 10:55:56 AM, on 7/3/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\a-squared Anti-Malware\a2scan.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\ntvdm.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = admin.dcj
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = admin.dcj
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = admin.dcj
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Seagate Page Server (pageserver) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\pageserver.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Seagate Web Component Server (WebCompServer) - Seagate Software, Inc. - C:\Program Files\Seagate Software\WCS\WebCompServer.exe
matobago
Active Member
 
Posts: 4
Joined: July 3rd, 2007, 1:04 pm
Location: Cd. Juarez

Post by Katana » July 5th, 2007, 12:08 pm

Hello and welcome to Malware Removal

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am training, this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I am reviewing your log and will get back to you.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by matobago » July 5th, 2007, 3:31 pm

Thanks Katana, I already fixed the problem. I had to repair my Win 2000 twice, but it's working without malware now.
matobago
Active Member
 
Posts: 4
Joined: July 3rd, 2007, 1:04 pm
Location: Cd. Juarez

Post by Katana » July 5th, 2007, 3:34 pm

Hi matobago,
How did you do the repair?
Did you reformat?
If not, then I would recommend that you post a fresh log for me to look at for you.

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.

Very Important!
Your computer is infected with a backdoor program that allows a remote attacker to download/execute files as well as unauthorized remote access.
It is strongly recommended that you use another computer and change all passwords used for any financial and/or confidential sites that you have used with this computer.
Also, it is a good idea to notify your financial institutions and others about the possibility of identity theft.

Although we can remove this intruder, we cannot guarantee the security of your computer.
Most security professionals recommend formatting your hard drive and reinstalling Windows.
The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet.
(This type of infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry.)
Please let me know with your next post if you wish me to help you clean your system.

Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by matobago » July 6th, 2007, 1:34 pm

This is the list of anti-spyware software that I installed:

a-square
solo antivirus
ad-aware
spybot
clenUp40
avast

I ran all of these in Safe Mode on my computer. a-squared found a bunch of 6 malware and spyware items like Banker, Delsim dialer, and I don't remember more. Then I restarted my Win 2000 and my computer got into an auto-restarting loop, so I inserted my Windows installation disc and repaired the system twice. Then I could log in and the virus stopped sending traffic, and I installed all the Symantec antivirus updates and Windows updates.

I have another computer on which I didn't do this, and this is its HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:32:30 AM, on 7/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\r_server.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.0.24/iwl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = Gone bye-bye by request
F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\ntvdm.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\RunServices: [Crystal Reports Image Server] C:\WINNT\System32\crimgsvr.exe
O4 - Startup: Shortcut to intertel.lnk = ?
O4 - Startup: Shortcut to RECIBEW.lnk = ?
O4 - Global Startup: Receptor de Detallado.lnk = D:\INTERTEL\RECIBEW.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Smart Viewer 7) - http://148.229.3.225/iwl/viewer/activeX ... viewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = diario.cdj
O17 - HKLM\System\CCS\Services\Tcpip\..\{07DB25A7-6E2B-4B67-AB0E-CD8DD82EB9E0}: NameServer = 172.16.0.16,172.16.0.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = diario.cdj
O17 - HKLM\System\CS1\Services\Tcpip\..\{07DB25A7-6E2B-4B67-AB0E-CD8DD82EB9E0}: NameServer = 172.16.0.16,172.16.0.12
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = diario.cdj
O17 - HKLM\System\CS2\Services\Tcpip\..\{07DB25A7-6E2B-4B67-AB0E-CD8DD82EB9E0}: NameServer = 172.16.0.16,172.16.0.12
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTVDM. - Unknown owner - C:\WINNT\ntvdm.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
matobago
Active Member
 
Posts: 4
Joined: July 3rd, 2007, 1:04 pm
Location: Cd. Juarez
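Both logs posted in this thread carry the same kind of indicators: the F2 Shell value has a second executable appended after Explorer.exe, ntvdm.exe is running from C:\WINNT instead of C:\WINNT\system32, and O23 services are listed as "Unknown owner" or "(file missing)". The following Python script is an added example written for this page, not part of the thread and not HijackThis code; it parses HijackThis v1.99-style log lines and flags those four patterns. The allowlist of binaries that should only run from system32 and the rule names are this example's own assumptions; the sample lines are copied from the logs posted above.

```python
"""Triage a HijackThis v1.99-style log for the indicators seen in this thread."""
import ntpath
import re

# Core Windows binaries that should only ever run from %WINDIR%\system32.
# This allowlist is an assumption of the example, not a HijackThis rule.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "ntvdm.exe"}

# Lines copied from the logs posted in the thread above (not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\ntvdm.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\ntvdm.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = diario.cdj
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: NTVDM. - Unknown owner - C:\WINNT\ntvdm.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINNT\system32\r_server.exe" /service (file missing)
"""

# HijackThis entries look like "O23 - Service: ..." / "F2 - REG:system.ini: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Return (entries, processes): entries are (section, body) tuples for
    HijackThis lines, processes are the paths under 'Running processes:'."""
    entries, processes = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body")))
        elif in_processes:
            processes.append(line)
    return entries, processes


def triage(text):
    """Return a list of (rule, line) findings for the patterns in this thread."""
    findings = []
    entries, processes = parse_log(text)

    # Rule 1: a known system binary name running outside \system32.
    for proc in processes:
        directory, name = ntpath.split(proc)
        if name.lower() in SYSTEM32_ONLY and not directory.lower().endswith("\\system32"):
            findings.append(("system-binary-outside-system32", proc))

    for section, body in entries:
        # Rule 2: the Winlogon Shell value should be exactly Explorer.exe;
        # anything appended to it is launched alongside the shell at logon.
        if section == "F2" and body.startswith("REG:system.ini: Shell="):
            shell = body.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("shell-hijack", body))
        elif section == "O23":
            # Rule 3: service binary with no embedded company/owner information.
            if "- Unknown owner -" in body:
                findings.append(("service-unknown-owner", body))
            # Rule 4: service still registered but its binary is gone.
            if "(file missing)" in body:
                findings.append(("service-file-missing", body))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

Run against the sample, the script reports five findings: ntvdm.exe in C:\WINNT, the F2 Shell line, both "Unknown owner" services, and the missing r_server.exe; the legitimate system32 copies of smss.exe and ntvdm.exe and the Symantec entries are not flagged. A finding is a starting point for a look at the file, not a verdict on its own.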

Post by matobago » July 6th, 2007, 1:39 pm

I'm the one who put xxxxx in my domain name.
matobago
Active Member
 
Posts: 4
Joined: July 3rd, 2007, 1:04 pm
Location: Cd. Juarez

Post by Katana » July 6th, 2007, 2:18 pm

Hi matobago,
RE your PM: I have asked for the items to be removed :)

Katana wrote: I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.

Very Important!
Your computer is infected with a backdoor program that allows a remote attacker to download/execute files as well as unauthorized remote access.
It is strongly recommended that you use another computer and change all passwords used for any financial and/or confidential sites that you have used with this computer.
Also, it is a good idea to notify your financial institutions and others about the possibility of identity theft.

Although we can remove this intruder, we cannot guarantee the security of your computer.
Most security professionals recommend formatting your hard drive and reinstalling Windows.
The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet.
(This type of infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry.)
Please let me know with your next post if you wish me to help you clean your system.

This however remains the same.
Do you wish to reformat or try to clean?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Katana » July 8th, 2007, 5:04 am

Hi matobago,

Do you require any help?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Post by Elrond » July 11th, 2007, 2:26 pm

This topic is now closed due to inactivity. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem