Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

problem w/ trojan that keeps reinstalling

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

problem w/ trojan that keeps reinstalling

Unread postby hanmi » August 5th, 2009, 9:08 am

Hi,

I have WinXP SP2. I regularly run Spybot and AdAware, and I've got V3 Internet Security (a Korean antivirus). I use Firefox exclusively, except when IE is necessary to access my local Korean bank, which is only accessible via IE and requires evil ActiveX downloads. My husband uses only IE because most Korean sites don't display correctly in other browsers. Nothing I can do about this. (I have my own sacred laptop w/o IE, but that's another story.) We have never used a P2P file sharing program on the computer.

Most of the times, but not every time that I have turned on my computer over the past couple of weeks, AdAware (free version) starts up right away because it says it found a trojan. At first, it was finding one. Then it started finding two sets of files.

Here's the output that I copied from AdAware most recently. Each time, I get the same thing, but the three digit number before .exe changes:

File : C:/Documents and Set/./

Win32Tr/./xy.Agent
Win32TrojanProxy.Agent opens up the infected machine to be used as a proxy server.

File: C:/Documents and Set/./ettings/Temp/328.exe

File: C:/Documents and Set/./

Process: c:/docume~1/admini~1/locals~1/temp/328.exe

Registry Entry:
HKLMHKEY_LOCAL_MACH/./dvanced DHTML Enable

Registry Entry:
HKLM:software/micros/./dvanced dhtml enable

A malicious object of high severity was detected and cleaned. It is recommended that you restart your computer to ensure that all traces of the object are removed completely.

***********end of copied text

So, at first I would restart because it told me to, but I figured out this would just bring the trojan back, so I stopped doing that. I also tried both "quarantine" which was recommended, and "remove."

I also tried running a special V3 scan, which found nothing, and a Spybot scan, which found something else not found by AdAware. (Sorry, didn't write it down, but I can do this again if needed.)

Also, when I start up, I see some unusual language before the desktop comes up, but it's too fast to catch what's going on.

By the way, there's a bunch of other virus and spyware protections of dubious value on the machine, which I have turned off. One is a program installed by the DSL service guy. For a little while, before I figured out what was going on, they were all running at once, so I'm not sure if that caused a problem. I still have the No Phishing one on, because it's required to log in to the bank.

Anyway, here's my hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 오후 9:48:53, on 2009-08-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe
C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
C:\Program Files\AhnLab\V3IS2007\MSProxy.ahn
C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\WINDOWS\system32\npkcmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\SoftRun\NoPhishing\NoPhishing.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmonnpe.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CBOX - {EF37FF2A-EA35-4FE8-891C-6C54E9E3687D} - C:\Program Files\Arcdo\CableTB\CableTB.dll
O3 - Toolbar: CBOX - {EF37FF2A-EA35-4FE8-891C-6C54E9E3687D} - C:\Program Files\Arcdo\CableTB\CableTB.dll
O4 - HKLM\..\Run: [AHNSD] "C:\Program Files\AhnLab\Smart Update Utility\AhnSD.exe"
O4 - HKLM\..\Run: [AhnLab Session Process] "C:\PROGRA~1\COMMON~1\AhnLab\ACA\ACASP.exe"
O4 - HKLM\..\Run: [NoPhishing] C:\Program Files\SoftRun\NoPhishing\NPUpdate.exe -s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\Logitech\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [CbTBUp] C:\Program Files\Arcdo\CableTB\CbTBUp.exe /backgroundInstall
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [12CFG515-K641-55SF-N55P] C:\RECYCLER\S-1-5-21-0243336035-3055115375-381863305-1553\vslmq.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel로 내보내기(&X) - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 콘솔 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.naver.com
O15 - Trusted Zone: http://*.shinhan.com
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {00730568-9568-44ED-ACDE-ED34B551B0CD} (QBSAS Control) - http://61.97.224.57/include/QBSASV2.cab
O16 - DPF: {042D97DD-E197-411A-8298-6EE85F1C1421} (mkdsfwCtrl Class) - http://ahnlabdownload.nefficient.co.kr/ ... mkdsfw.cab
O16 - DPF: {044123B5-35DF-4C4E-BAED-26B8ED964342} (HLiveRobotWeb Control) - http://fx.hauri.net/HProduct/livesuite/ ... botWeb.cab
O16 - DPF: {0CD2EC08-3CF6-4BC4-BF48-824F4C1994F1} (SecureSession Class) - http://www.samsungfn.com/contents/trust ... oolkit.cab
O16 - DPF: {25794D3C-E2F0-40B8-9C11-F38DC1908633} (Maildropfile Control) - http://activexdown.paran.com/paranactiv ... uncher.cab
O16 - DPF: {286A75C3-11FB-4FB4-AC4A-4DD1B0750050} (INISAFEWeb6 V6 Class) - http://www.citibank.co.kr/initech/plugin/INIS60.cab
O16 - DPF: {309A42C6-4114-11D4-AF7B-30A024C32DBA} (Report Designer 3.0 Control) - ftp://blacklion.hanyang.ac.kr/Pub/rdvie ... ewer30.cab
O16 - DPF: {39461460-2552-4D51-A062-3AB6A7B902E9} (INISAFE Updater Control) - http://img.shinhan.com/shttp/install/down/INIS70.cab
O16 - DPF: {39FC0CF9-86F3-4502-B773-D16706EDEC83} (SCSK Control) - http://www.citibank.co.kr/js/kor/scsk4.cab
O16 - DPF: {3B56E5F0-7B20-48BF-B439-A995BE5191EF} (SessionControl Control) - http://pib.wooribank.com/com/common/SessionControl.cab
O16 - DPF: {53EED863-B547-40F8-B24A-2D6DE807CFE8} (Printmade Control) - http://img.shinhan.com/rib//ko/print/Printmade.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5843979640
O16 - DPF: {6531D99C-0D0E-4293-B3CB-A3E1D0D41847} (AhnASP Control) - http://ahnlabdownload.nefficient.co.kr/ ... AhnASP.cab
O16 - DPF: {66413DC2-F891-40BC-822D-B7EEC8ADC281} (ProWorksGrid Control) - http://img.shinhan.com/rib/common/ProWorksGrid_78.cab
O16 - DPF: {6CE20149-ABE3-462E-A1B4-5B549971AA38} (XecureCKKB Class) - http://ck.softforum.co.kr/keypro/2.2.0.46/CKKeyPro.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5843968671
O16 - DPF: {7E9FDB80-5316-11D4-B02C-00C04F0CD404} (XecureWeb 4.0 Client Control) - http://download.softforum.co.kr/Publish ... nstall.cab
O16 - DPF: {8FA8D5F7-7CBA-46D4-9568-68D70C5280E8} (NoPhishingX Control) - http://www.nophishing.co.kr/softrun/SH02/SRNPSH.cab
O16 - DPF: {938527D1-CDB7-4147-998A-B20FCA5CC976} (Cdmcco Class) - http://cafeimg.hanmail.net/activex/dmcc ... n=1,0,0,10
O16 - DPF: {948FC4BD-3F05-4549-81E7-2C63974F6D17} (SecureSession Class) - http://www.samsungfn.com/sscommon/cab/SecuiSFNCOMIE.cab
O16 - DPF: {A0BE0236-AB5A-45DC-A304-2269CE96708E} (CUXL Asynchronous Pluggable Protocol Handler) - http://www.ailogix.com/download/CUXLMON.CAB
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://kings.nefficient.co.kr/kings/kdf ... fense8.cab
O16 - DPF: {C1143E84-B2B1-473B-9F20-E62DD754FCAF} (VineTransfer Control) - https://acs2.lottecard.co.kr/visa3d/inf ... ansfer.cab
O16 - DPF: {C854C4D1-ED53-4B1F-AA45-783B3CF3315C} (DacomUpload Control) - http://program.webhard.co.kr/Plus/activ ... Upload.cab
O16 - DPF: {CF392830-663F-11D5-89EE-000086551DF6} (PS_NTSATL Class) - http://download.hts.nefficient.co.kr/ht ... crypto.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://update.nprotect.net/nprotect/module/npx.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://update.nprotect.net/keycrypt/nts/npkcx_nts.cab
O16 - DPF: {D912AABC-6CB0-416F-85B6-CABBB86FD558} (INIwallet60 Control) - http://plugin.inicis.com/wallet60/INIwallet60.cab
O16 - DPF: {DC4207CE-C03E-4449-ACB1-032CA4137053} (Npz Control) - http://update.nprotect.net/nprotect2006/yesone/npz.cab
O16 - DPF: {E0BF7A2B-2F7C-497A-B50F-292D3F317965} (CongnamulMap Control) - http://www.congnamul.com/ActiveX/Releas ... ap_V17.cab
O16 - DPF: {E78928A6-3D2A-4BF7-A100-F3FBAA351B49} (KvpIspCtlD Control) - https://www.vpay.co.kr/kvpfiles/KVPISPCTLD.cab
O16 - DPF: {EA0995BF-45DD-4DB0-ADD5-A39C37397841} (ShbAutoTrustSite Control) - http://img.shinhan.com/rib/common/Trust ... tSiteX.cab
O16 - DPF: {EC5D5118-9FDE-4A3E-84F3-C2B711740E70} (SKCommAX Control) - http://www.samsungfn.com/sscommon/cab/SKCommAX.cab
O18 - Protocol: cup - {A0BE0236-AB5A-45DC-A304-2269CE96708E} - C:\Program Files\AILogix\CUXL\CUXLMON.DLL
O18 - Protocol: dup - {A0BE0236-AB5A-45DC-A304-2269CE96708E} - C:\Program Files\AILogix\CUXL\CUXLMON.DLL
O18 - Protocol: s-http - {D37E6C5F-1C0F-47C0-A3B6-403EEC555402} - C:\Program Files\Initech\SHTTP\InitechSHTTPInterface.10113.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AhnLab Application Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAAS.exe
O23 - Service: AhnLab Guarantee Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAEGMgr.exe
O23 - Service: AhnLab Information Service - AhnLab, Inc. - C:\Program Files\Common Files\AhnLab\ACA\ACAIS.exe
O23 - Service: AhnLab Task Scheduler - AhnLab, Inc. - C:\Program Files\AhnLab\Smart Update Utility\AhnSDsv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod 서비스 (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\WINDOWS\system32\npkcmsvc.exe

--
End of file - 11149 bytes


Thank you for your help. I really appreciate it.
hanmi
Active Member
 
Posts: 3
Joined: August 5th, 2009, 8:36 am
Advertisement
Register to Remove

Re: problem w/ trojan that keeps reinstalling

Unread postby MWR 3 day Mod » August 8th, 2009, 1:17 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: problem w/ trojan that keeps reinstalling

Unread postby Dakeyras » August 10th, 2009, 8:15 am

Hi :)

As per request:
If there is no one to help me, I would appreciate a referral to a reliable paid service. We have to back up everything and take it with us before we leave, and I'm worried about infecting another computer.

If you find this after Sunday 10 p.m. U.S. central standard time, please ignore this request and simply advise on how to clean up any USB flash drives we have used with the computer. We will have to clean up the computer next time we set it up.
You can disinfect the USB Flash Drives as follows:

Flash_Disinfector:

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Let myself know if you require further assistance, thank you.
User avatar
Dakeyras
MRU Honors Graduate
MRU Honors Graduate
 
Posts: 8804
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: problem w/ trojan that keeps reinstalling

Unread postby Shaba » August 13th, 2009, 3:13 am

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 281 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware