Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Trojan Horse - Backdoor.Generic2.AKA


Post by wonderwill » January 5th, 2006, 11:52 am

Kim

I ran Kaspersky after deleting temp files and cookies and disarming and resetting the Restore function and still have all the viruses?? :

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, January 05, 2006 15:47:10
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 5/01/2006
Kaspersky Anti-Virus database records: 169277
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 30527
Number of viruses found: 10
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 4854 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users.WINDOWS\Application Data\AmokProgramBiasRoad\AtomLoud.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm/eied_s7.htm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm Infected: Trojan-Downloader.JS.Psyme.bi
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\init[1].js Infected: Trojan-Downloader.JS.IstBar.af
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ad
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\package_adp_SIAC[1].exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].htm Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php/packed Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OBFF35PK\protect[1].php Infected: Trojan-Downloader.JS.Codebase.c
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\defyrdrmail.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\drive size download.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\LIVEBASETIMELIES.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\zlfgwzcw.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\RemoteAxis\Exit fork.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp\bis14F2.exe Infected: not-a-virus:AdWare.Win32.Lop.ag
C:\Program Files\Adverts\uninst.exe Infected: not-a-virus:AdWare.Win32.Lop.ai
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP3\A0002256.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\System Volume Information\_restore{7F22F279-5775-4CB3-8645-03A9170A9D2F}\RP4\A0003384.ini Infected: not-a-virus:AdWare.Win32.Sahat.am

Scan process completed.
wonderwill
Regular Member
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » January 5th, 2006, 12:17 pm

It's because you don't reset them from the correct account.

Account Owner

Clean out your Temporary Internet files. Proceed like this:
  • Quit Internet Explorer and quit any instances of Windows Explorer.
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, click to select the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
Close all browsers and programs.
Run HijackThis, click on Open the Misc Tools Section and finally click on the ADS Spy button. Press the Scan button and the program will start to scan your Windows folder for any files that are Alternate Data Streams. If it finds any, it will display them. Place a checkmark next to its entry and click on the Remove selected button. This will remove the ADS file from your computer. When you are done, press the Back button next to the Remove selected until you are at the main HijackThis screen.


Account Owner.HOMESOPHIE

I noticed that Messenger 3 is installed again and running. This time you've got LOP running. If you want to clean up, do the tasks below.

Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

MessengerPlus! 3

During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software.

Copy/paste the following text into a new Notepad document.

rem Go to the scheduled-tasks folder and clear the read-only, system and hidden attributes
cd %WinDir%\Tasks
attrib -r -s -h A9D537F790EEA9DF.job
rem Delete the rogue scheduled task
del A9D537F790EEA9DF.job


Save it to your desktop as klj.bat. Save it as:
File Type: All Files (not as a text document or it won't work).
Name: klj.bat

Double click klj.bat. A DOS box should open and close quickly; this is normal.


Run HijackThis, click on None of the above, just start the program, click on Scan. Put a check in the box on the left side of the following items if still present:

A O4 line running from:
C:\Documents and Settings\All Users.WINDOWS\Application Data\AmokProgramBiasRoad
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\RemoteAxis
C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp

Close ALL windows and browsers except HijackThis and click Fix Checked

Using Windows Explorer, Search and Delete these Folders if listed:

C:\Program Files\MessengerPlus! 3
C:\Documents and Settings\All Users.WINDOWS\Application Data\AmokProgramBiasRoad
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball
C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\RemoteAxis
C:\Program Files\Adverts

Empty content of C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp

Once cleaned up, reset system restore.

Post a HijackThis log for review.

Did you visit the Microsoft site I did suggest to check your license key?

Kim
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by wonderwill » January 6th, 2006, 6:40 am

Kim

Done all as suggested. Do not understand what you mean by Account Owner. Always deleted internet files and cookies from Sophie's account. There are only 2 accounts on the system and have deleted from both now.

Windows update seems to be working although not sure how (gold shield appearing at toolbar and downloading automatically). Auto was set previously??

Hope I have finally convinced my daughter that Messenger Plus is banned!
Do not know what LOP running is???

Here is Hijackthis log as requested.

Ww
wonderwill
Regular Member
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by wonderwill » January 6th, 2006, 6:40 am

Logfile of HijackThis v1.99.1
Scan saved at 10:39:10, on 06/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\EPSON\ESM2\eEBSVC.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner.HOMESOPHIE\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5357196000
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 7818920249
O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ ... loader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\EPSON\ESM2\eEBSVC.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OJDGKR - Unknown owner - C:\DOCUME~1\OWNER~1.HOM\LOCALS~1\Temp\OJDGKR.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
wonderwill
Regular Member
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » January 6th, 2006, 10:28 am

> Done all as suggested. Do not understand what you mean by Account Owner. Always deleted internet files and cookies from Sophie's account. There are only 2 accounts on the system and have deleted from both now.


In the log I did see 2 accounts :

C:\Documents and Settings\Owner.HOMESOPHIE\Application Data\Option Wave Ball\zlfgwzcw.exe Infected: not-a-virus:AdWare.Win32.Lop.ag - that's Sophie's account

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ILCRRGHI\eied_s7[1].chm/eied_s7.htm Infected: Trojan-Downloader.JS.Psyme.bi - That's what I did qualify as account Owner, thus the other account.

If you use several accounts, there are always 3 things that belong to that account and that can only be accessed from that account (you need to log in on that account to see and work on them):
1. Internet temp files & cookies
2. The temp folder on each account - C:\Documents and Settings\Owner.HOMESOPHIE\Local Settings\Temp and C:\Documents and Settings\Owner\Local Settings\Temp
3. The HKEY_CURRENT_USER registry key

> Windows update seems to be working although not sure how (gold shield appearing at toolbar and downloading automatically). Auto was set previously??

The shield belongs to the Security Center (see the help in XP for more info). That's a new feature in Service Pack 2. The startup type is set to automatic and Windows Updates is set to automatic also. (Saw that in your startup list)

> Hope I have finally convinced my daughter that Messenger Plus is banned!
> Do not know what LOP running is???

That would be nice. LOP running, means that lop was active and updating itself. It's gone if you did follow the cleanup instructions. I can't see it anymore in your Hijackthis log.

Just a service to clean up, rootkit revealer did crash on your system.

Maybe all of the following entries won't be present. If you don't find a key, proceed to the next key.

Click Start then Run
Type in regedit
Click Ok.

In left pane of registry editor, Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\OJDGKR
If OJDGKR exists , right click on it and choose Delete from the menu.

Now navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OJDGKR
If LEGACY_OJDGKR exists then right click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritable permissions and press Copy. Click on Everyone and put a checkmark in Full Control, press Apply and OK and attempt to delete the key again.

Repeat the above procedure for ControlSet001, ControlSet002 although you might not find the service listed in those keys.

Kim
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am
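
The triage Kim does by eye in this thread (O4 autoruns living under Application Data or Temp, and an O23 service whose binary is gone, together with the Services and LEGACY_ keys to review in each ControlSet) as an added Python example that is not part of the thread and not a HijackThis feature; the log lines it scans are constructed (the OJDGKR line is copied from the posted log, the zlfgwzcw O4 line is made up to mirror the Lop entries), and the flagging rules are this example's own heuristics.

```python
import re

# Constructed sample in HijackThis 1.99.1 format: the OJDGKR line is the one from the
# posted log, the zlfgwzcw O4 line is constructed to mirror the Lop autoruns the helper
# asked to be checked, and the other two are ordinary legitimate entries.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKCU\\..\\Run: [zlfgwzcw] C:\\Documents and Settings\\Owner.HOMESOPHIE\\Application Data\\Option Wave Ball\\zlfgwzcw.exe
O23 - Service: OJDGKR - Unknown owner - C:\\DOCUME~1\\OWNER~1.HOM\\LOCALS~1\\Temp\\OJDGKR.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe
"""

# O4 lines from Run keys: "O4 - HKLM\..\Run: [Name] command". Global Startup lines are skipped.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines: "O23 - Service: Display (short) - Company - Path [(file missing)]".
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<company>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif|dll))"?', re.IGNORECASE)

# Per-user writable folders the helper singled out (Application Data, Local Settings\Temp,
# and the 8.3 short form HijackThis prints for the latter). Heuristic, not a HijackThis rule.
SUSPECT_DIRS = ("\\application data\\", "\\local settings\\temp\\", "\\locals~1\\temp\\")


def exe_from_command(cmd):
    """Return the executable path from an O4 command line, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def service_keys_to_review(short_name, control_sets=("CurrentControlSet", "ControlSet001", "ControlSet002")):
    """Registry keys where a dead service's remnants linger, as in the regedit steps above."""
    keys = []
    for cs in control_sets:
        keys.append(f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Services\\{short_name}")
        keys.append(f"HKEY_LOCAL_MACHINE\\SYSTEM\\{cs}\\Enum\\Root\\LEGACY_{short_name.upper()}")
    return keys


def triage(log_text):
    """Flag O4 autoruns in user-writable folders and O23 services whose binary is gone."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = exe_from_command(m.group("cmd"))
            if any(d in exe.lower() for d in SUSPECT_DIRS):
                findings.append({"kind": "autorun_in_user_dir", "name": m.group("name"), "path": exe})
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            # The short service name is the bracketed part of the display name when present.
            short = re.search(r"\(([^()]+)\)$", m.group("display"))
            short_name = short.group(1) if short else m.group("display")
            findings.append({"kind": "orphaned_service", "name": short_name, "path": m.group("path"),
                             "keys": service_keys_to_review(short_name)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["kind"], f["name"], f["path"])
        for k in f.get("keys", []):
            print("   review:", k)
```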

Post by wonderwill » January 7th, 2006, 7:33 am

Kim

Have deleted as directed. Controlset0002 & 3 rather than 1 & 2.
Take it this is it now?

Ww
wonderwill
Regular Member
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » January 7th, 2006, 10:27 am

Hello wonderwill,

Ok, some people have Controlset0002 & 3 and/or 4 sometimes 5.

Yes, everything has been fixed now. Keep the PC up to date, put some protection on it and Happy Surf :)

Kim
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by wonderwill » January 7th, 2006, 1:12 pm

Many thanks for all your help.

Rgds

Ww
wonderwill
Regular Member
Posts: 80
Joined: December 4th, 2005, 12:24 pm

Post by Kimberly » January 7th, 2006, 1:26 pm

You're welcome, glad we could help. :)

Kim
Kimberly
MRU Teacher Emeritus
Posts: 3505
Joined: June 15th, 2005, 12:57 am

Post by NonSuch » January 10th, 2006, 4:10 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
