

Infected with various Trojan and adware.(remove to no avail)



Post by godpig » April 6th, 2007, 3:46 pm

Hi, I have been seriously infected with these few trojans and a few more which I will be listing below. I have also been infected with this Borlander adware which keeps irritatingly popping up windows while I'm doing my work, and if I leave my computer on overnight, tons of websites will be generated.

The trojans that I'm infected with are:
Trojan.Downloader.Agent.AEA
WOW Trojan
QQPASS Trojan
Trojan.PSW.Delf.nv
Trojan.Crypt.K

Adware infected:
Adware Borlander

I have already tried removing these problems with a lot of different software, but to no avail. After I remove them, when I do the next scan, they still come up again. Help!!

The tools that I have used are:
Spybot
XoftSpySE
Lava Ad-aware
Registry Booster

I'm thinking maybe I have just removed the installed program but the installer is hiding somewhere in my computer.
Seriously, I need some help here. Please help me... thanks.

Below is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:45:24 AM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\mshtmlsed.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\Svchost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
D:\Program Files\ABIT\ABIT Manager\abiteq.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\WINDOWS\system32\wuauclt.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {325e7e2c-3dca-44e8-8b0d-4e03f37a8dbf} - D:\WINDOWS\system32\44e8cfsb.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - D:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {624be91d-e0ba-4d00-ae2b-1b294ae19f4f} - D:\WINDOWS\system32\4d00ntos.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABITManager] D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
O4 - HKLM\..\Run: [ABITEQ] D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [winform] D:\WINDOWS\winform.exe
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tmy3g8lk35sfz] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/11a84ca08ce ... xIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{678B4F31-AB23-40EA-A3DD-B9FCDB9EA25A}: NameServer = 202.156.1.48,202.156.1.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: cpvs - {A72D5C26-D87B-4787-8F03-87E0393DD818} - D:\PROGRA~1\bouy\cpvs.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Routing Protect Access (BKMARKS) - Unknown owner - D:\WINDOWS\SYSTEM32\RUNDLL2000.EXE (file missing)
O23 - Service: Cryptographic Server (CryptographicServer) - Unknown owner - D:\WINDOWS\system32\mshtmlsed.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

Thanks again for the help.
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by godpig » April 7th, 2007, 12:51 pm

Hi, I really need some help here. My computer is getting more and more cranky now; it reboots by itself, and sometimes when logging in it will reboot halfway through. I have to log in a few times before I can get into Windows. Can anyone please provide a solution?
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by Bob4 » April 7th, 2007, 7:29 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear. So let's do this to the end!
Please, if you decide to seek help at another forum, let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!

It looks like you have been infected by a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

It's very possible that anything could have been installed on your computer by the remote attacker, including opening other backdoors and installing rootkits. While we can attempt to clean what we see in your logs, we can't guarantee that your computer will be completely in the clear since we have no way of knowing what has been done to the computer. Your computer could be completely compromised at this moment. It may be prudent to back up your information, reformat, and reinstall.

More information on Remote Access Trojans can be found here.

I suggest you do the following immediately:
  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, I can help you clean your computer to the best of my abilities.

Should you have any questions, please feel free to ask.

Please let me know what you decide to do in your next post.

Should you decide to clean this machine start by doing the following.


You are running HJT directly from the desktop.
Create a folder called HJT either in C:, My Documents or some place convenient and place hijackthis.exe in there.
This will ensure we have backups made and it doesn't get deleted.



___________________________________
DISABLE Spyware Doctor
It is a good program, but ... it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".

_____________________________
Task Manager
I would like you to open the Task Manager by pressing Ctrl+Shift+Esc (or Ctrl+Alt+Delete) simultaneously,
then go to the Processes tab and end the following process if present,
by right-clicking on it and choosing End Process.

mshtmlsed.exe

______________________________
HJT
Run HijackThis, choose Scan Only and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {325e7e2c-3dca-44e8-8b0d-4e03f37a8dbf} - D:\WINDOWS\system32\44e8cfsb.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - D:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: (no name) - {624be91d-e0ba-4d00-ae2b-1b294ae19f4f} - D:\WINDOWS\system32\4d00ntos.dll
O4 - HKLM\..\Run: [winform] D:\WINDOWS\winform.exe
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tmy3g8lk35sfz] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - <http://software-dl.real.com/11a84ca08ce92a7fe516/netzip/RdxIE601.cab>
O21 - SSODL: cpvs - {A72D5C26-D87B-4787-8F03-87E0393DD818} - D:\PROGRA~1\bouy\cpvs.dll (file missing)
O23 - Service: Routing Protect Access (BKMARKS) - Unknown owner - D:\WINDOWS\SYSTEM32\RUNDLL2000.EXE (file missing)
O23 - Service: Cryptographic Server (CryptographicServer) - Unknown owner - D:\WINDOWS\system32\mshtmlsed.exe


__________________________

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

___________________________________
Reconfigure Windows XP to show hidden files:

Click Start, then My Computer.
Select the Tools menu, then Folder Options. Select the View tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.
___________________________________
Search for and remove
Now I want you to search for and delete the following files and all their contents if present. If you need help finding them,
click Start / Search / All files and folders, look for More advanced options and, once in there, select the first 3 boxes.
Please just remove the files/folders I listed in BOLD.


D:\WINDOWS\system32\mshtmlsed.exe
D:\WINDOWS\SYSTEM32\RUNDLL2000.EXE
D:\PROGRAM FILES\bouy\cpvs.dll
D:\WINDOWS\winform.exe

______________________________
Stop and Disable 2 Services

Go to Start > Run, type Services.msc and click OK.
Scroll down and find these services:
Cryptographic Server
and
Routing Protect Access

Double-click on each one.
Under the General tab, click the Stop button.
Then set the Startup type to Disabled.
______________________________
We need to delete both services:
- Start HijackThis...
- Click the "Config" button
- Click the "Misc Tools" button
- Click the "Delete an NT Service" button
- Copy and paste the bold text below into the "Delete an NT Service" window,

hitting OK after each service is typed in.

Routing Protect Access
and
Cryptographic Server


Close that.
______________________________

Download and install CCleaner from here


If you use either the Firefox or Mozilla browsers, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.

  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Reset Temp File Removal for Regular Use.
    Click on the Options block on the left. Select the Advanced button.
    Check "Only delete files in Windows Temp folders older than 48 hours".


    Now run the program and click on Run Cleaner
    ( Do not use the Issues block to clean anything with this program. It is for experts only and it is risky).


Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit.
  • Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update AVG Anti-spyware.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________
It will save a log in C:\Program Files\Grisoft\AVG anti-spyware 7.5\Reports

Post that for me.


Exit AVG.


Reboot normally.

Please tell me who your Internet service provider is.
Do these IPs look like something you know?

202.156.1.48,202.156.1.68

Does StarHub Cable Vision Ltd, SINGAPORE CABLE NETWORK PROVIDER, sound correct?


In your next reply I would like to see:
  • A new HJT log
  • The report from AVG anti malware
  • The report from S&D fix
  • Tell me who your internet service provider is.


Why is there no anti virus installed ???

I see no signs of an anti virus program.. I suggest you get one in asap.
I will list 2 free anti virus programs just choose 1.

AVG FREE

Avast

Download, install and update one of these and run a full scan. ONLY use 1. Running two is not a good idea. ;)
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
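As an added illustration (my own code, not the forum's or HijackThis's), the triage below parses HijackThis 1.99 log lines and flags the same kinds of entries Bob4 picked for Fix Checked: orphaned O21/O23 entries marked (file missing), Run keys launching from a Temp folder, services with no vendor string inside the Windows tree, unnamed BHOs with random-looking DLL names in system32, and executables sitting in the Windows root. The heuristics and thresholds are assumptions of mine; hits are review candidates, not verdicts.

```python
"""Triage of HijackThis v1.99 log lines.

Added example for this thread; not code from the MalwareRemoval.com helpers or
from HijackThis itself. The heuristics are my own reading of what Bob4 picked
for "Fix checked" above. Hits are candidates for a human to review, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Section prefix (R0, R1, O2, O4, O23, ...) followed by the entry body.
ENTRY_RE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in a binary extension. Non-greedy, so
# "D:\Program Files\Foo\bar.exe -flag" stops at the first ".exe".
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|sys)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    path: Optional[str]
    reasons: Tuple[str, ...]
    line: str


def _random_looking(stem: str) -> bool:
    """Crude check for names such as 44e8cfsb or 4d00ntos: digits and letters
    mixed in a stem of six or more characters (assumed threshold)."""
    return (len(stem) >= 6
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None when nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None
    lower = (path or "").lower()
    reasons = []

    # Orphaned shell/service entries: the loader still runs, the file is gone.
    # O18/O20 leftovers are common after uninstalls, so only O21/O23 count here.
    if "(file missing)" in body and section in ("O21", "O23"):
        reasons.append("autostart/service points at a file that no longer exists")
    # Run keys should not launch anything out of a Temp directory.
    if section == "O4" and "\\temp\\" in lower:
        reasons.append("Run key launches an executable from a Temp folder")
    # A service with no vendor string inside the Windows tree deserves a look
    # (legitimate drivers such as ATI Smart also trip this; confirm by hand).
    if section == "O23" and "unknown owner" in body.lower() and "\\windows\\" in lower:
        reasons.append("service with no vendor string living in the Windows tree")
    # Unnamed BHOs with random-looking DLL names in system32.
    if section == "O2" and "(no name)" in body and path and "system32" in lower:
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if _random_looking(stem):
            reasons.append("unnamed BHO with random-looking DLL name in system32")
    # Executables dropped directly into the Windows root, often named after
    # real system components (Kernel32.exe, winform.exe in this thread).
    if section == "O4" and re.search(r"\\windows\\[^\\]+\.exe$", lower):
        reasons.append("Run key launches an executable from the Windows root")

    return Finding(section, path, tuple(reasons), line) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Classify every line of an HJT log and keep only the flagged ones."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Sample lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {325e7e2c-3dca-44e8-8b0d-4e03f37a8dbf} - D:\WINDOWS\system32\44e8cfsb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [tmy3g8lk35sfz] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: cpvs - {A72D5C26-D87B-4787-8F03-87E0393DD818} - D:\PROGRA~1\bouy\cpvs.dll (file missing)
O23 - Service: Routing Protect Access (BKMARKS) - Unknown owner - D:\WINDOWS\SYSTEM32\RUNDLL2000.EXE (file missing)
O23 - Service: Cryptographic Server (CryptographicServer) - Unknown owner - D:\WINDOWS\system32\mshtmlsed.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.path}")
        for r in f.reasons:
            print(f"      - {r}")
```

Legitimate entries such as the ATI Smart service also trip the "unknown owner" rule, so the output is a shortlist for a human to confirm, not a deletion list.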

Post by godpig » April 7th, 2007, 8:53 pm

Hi, thanks for taking the time to help me out with my problem. Below are the report and HijackThis file after I have performed the steps, after SDFix.

For SDFix:

SDFix: Version 1.77

Run by Administrator - Sun 04/08/2007 - 8:43:15.00

Microsoft Windows XP [Version 5.1.2600]

Running From: D:\DOCUME~1\ADMINI~1\Desktop\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

Checking if ADS is attached to system32 Folder
D:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
D:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"
"D:\\Program Files\\mIRC\\mirc.exe"="D:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\DL\\lancraft\\lancraft.exe"="C:\\DL\\lancraft\\lancraft.exe:*:Enabled:lancraft"
"C:\\Program Files\\EA SPORTS\\FIFA 06\\fifa06.exe"="C:\\Program Files\\EA SPORTS\\FIFA 06\\fifa06.exe:*:Enabled:fifa06"
"D:\\Program Files\\Internet Explorer\\iexplore.exe"="D:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"D:\\Program Files\\BitComet\\BitComet.exe"="D:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"D:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="D:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:OTI@Home User Interface"
"D:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"="D:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"D:\\Program Files\\PPLive\\PPLive.exe"="D:\\Program Files\\PPLive\\PPLive.exe:*:Enabled:PPLive"
"D:\\WINDOWS\\Temp\\host.exe"="D:\\WINDOWS\\Temp\\host.exe:*:Disabled:host"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\MSN Messenger\\msnmsgr.exe"="D:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

D:\WINDOWS\Debug\UserMode\0DE49.dll
D:\WINDOWS\system32\4.dll
D:\WINDOWS\system32\6.dll
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Outlook Express\msimn.exe
D:\WINDOWS\Debug\UserMode\0DE49.exe
D:\Program Files\Common Files\Microsoft Shared\MSInfo\system42.rar
D:\Program Files\Internet Explorer\InfoMs.sys
D:\~de4C.tmp
D:\Documents and Settings\Administrator\Desktop\Thumb\AFS\Module\Bomb and Fuzes\~WRL0002.tmp
D:\Documents and Settings\Administrator\Desktop\Thumb\Name\LessonPlan\eod lesson plan\~WRL1932.tmp
D:\Documents and Settings\Administrator\Desktop\Thumb\Name\LessonPlan\eod lesson plan\~WRL3346.tmp
D:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\5a0d771158cfd69be5ddd26d8f58c73b\BIT7.tmp

Finished

For HJT:
Logfile of HijackThis v1.99.1
Scan saved at 8:52:44 AM, on 4/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\Svchost.exe
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
D:\Program Files\ABIT\ABIT Manager\abiteq.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "http://runonce.msn.com/?v
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - D:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABITManager] D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
O4 - HKLM\..\Run: [ABITEQ] D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [msccrt] D:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [u9rf14je] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/r ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{678B4F31-AB23-40EA-A3DD-B9FCDB9EA25A}: NameServer = 202.156.1.48,202.156.1.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Routing Protect Access (BKMARKS) - Unknown owner - D:\WINDOWS\SYSTEM32\RUNDLL2000.EXE (file missing)
O23 - Service: Cryptographic Server (CryptographicServer) - Unknown owner - D:\WINDOWS\system32\mshtmlsed.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by godpig » April 8th, 2007, 2:39 am

Oh yeah... I'm sorry, my ISP is SINGNET... thanks
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by Bob4 » April 8th, 2007, 7:36 am

The report from AVG anti malware ??

Then a new HJT log done in normal mode .
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida

Post by godpig » April 9th, 2007, 3:48 am

Hi, sorry for the lack of info and the late reply. Below are the HJT and AVG logs. By the way, some trojans can still be detected in the system.

Logfile of HijackThis v1.99.1
Scan saved at 3:45:17 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\alg.exe
D:\WINDOWS\system32\WgaTray.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
D:\Program Files\ABIT\ABIT Manager\abiteq.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\rundll32.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\WINDOWS\system32\wuauclt.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "http://runonce.msn.com/?v
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
R3 - URLSearchHook: f051 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - D:\WINDOWS\system32\437cntos.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - D:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {79aeef31-0df2-47d7-8b0d-4e03f37a8dbf} - D:\WINDOWS\system32\47d7cfsb.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {f52c6442-f051-437c-ae2b-1b294ae19f4f} - D:\WINDOWS\system32\437cntos.dll
O3 - Toolbar: f051 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - D:\WINDOWS\system32\437cntos.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABITManager] D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
O4 - HKLM\..\Run: [ABITEQ] D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [msccrt] D:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qlsreq96] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\qlsreq96.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wr] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/r ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{678B4F31-AB23-40EA-A3DD-B9FCDB9EA25A}: NameServer = 202.156.1.48,202.156.1.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BF74F43E - Unknown owner - D:\WINDOWS\system32\BF74F43E.EXE (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe



AVG
--------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:41:30 PM 4/9/2007

+ Scan result:



D:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20070408-083038-207.dll -> Adware.Agent : Cleaned with backup (quarantined).
D:\Program Files\Common Files\Ruango\Player.dll -> Adware.Agent : Cleaned with backup (quarantined).
D:\WINDOWS\system32\437cntos.dll -> Adware.Agent : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\alexa.exe -> Adware.AlexaBar : Cleaned with backup (quarantined).
D:\WINDOWS\system32\qlsreq96.dll -> Adware.Baidu : Cleaned with backup (quarantined).
D:\WINDOWS\system32\thpepm95.dll -> Adware.Baidu : Cleaned with backup (quarantined).
D:\WINDOWS\system32\winepm95.dll -> Adware.Baidu : Cleaned with backup (quarantined).
D:\WINDOWS\system32\winreq96.dll -> Adware.Baidu : Cleaned with backup (quarantined).
D:\WINDOWS\system32\yrelwf58.dll -> Adware.Baidu : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20070408-083038-393.dll -> Adware.BHO : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20070408-141931-822.dll -> Adware.BHO : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20070409-133114-400.dll -> Adware.BHO : Cleaned with backup (quarantined).
D:\WINDOWS\Temp\7CC765DA.exe -> Adware.BHO : Cleaned with backup (quarantined).
D:\WINDOWS\system32\FP30IE.dll -> Adware.BHO : Cleaned with backup (quarantined).
D:\WINDOWS\system32\FP30SVR.exe -> Adware.BHO : Cleaned with backup (quarantined).
D:\WINDOWS\system32\HelpIE.dll -> Adware.BHO : Cleaned with backup (quarantined).
D:\WINDOWS\system32\mshtmlsed.exe -> Adware.BHO : Cleaned with backup (quarantined).
D:\~de4C.tmp -> Adware.Boran : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\94\cdnunins.exe -> Adware.CDN : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\uninrest.exe -> Adware.Cdn : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\94\cdnup.exe -> Adware.Cdnup : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-1409082233-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C95FE080-8F5D-11D2-A20B-00AA003C157A} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-484763869-1409082233-682003330-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F1FABE79-25FC-46DE-8C5A-2C6DB9D64333} -> Adware.Generic : Cleaned with backup (quarantined).
D:\WINDOWS\system32\20287.exe -> Adware.NewWeb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\MyFavor.dll -> Adware.NewWeb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\qlsreq96.sys -> Adware.NewWeb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\tnswgk39.dll -> Adware.NewWeb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\usb8028.sys -> Adware.WSearch : Cleaned with backup (quarantined).
D:\WINDOWS\system32\BF74F43E.DLL -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
D:\WINDOWS\system32\BF74F43E.EXE -> Backdoor.Agent.ahj : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\ndcia.sys -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
D:\WINDOWS\system32\qauth.dll -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
D:\WINDOWS\system32\trtbc.dat -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
D:\WINDOWS\system32\trtbc.dll -> Downloader.Agent.bcc : Cleaned with backup (quarantined).
D:\WINDOWS\system32\lsanp.dll -> Downloader.Agent.bcd : Cleaned with backup (quarantined).
D:\WINDOWS\system32\wbem\ocmor.dll -> Downloader.QQHe.ft : Cleaned with backup (quarantined).
D:\WINDOWS\system32\s_hh2.exe -> Downloader.QQHelper.es : Cleaned with backup (quarantined).
D:\WINDOWS\system32\pyqhg.dll -> Downloader.QQHelper.ft : Cleaned with backup (quarantined).
D:\WINDOWS\Temp\host.exe -> Downloader.Small : Cleaned with backup (quarantined).
D:\WINDOWS\system32\bind_50099.exe -> Downloader.Small : Cleaned with backup (quarantined).
D:\WINDOWS\system32\bind_50201.exe -> Downloader.Small : Cleaned with backup (quarantined).
D:\WINDOWS\system32\wbem\siltyghq.dll -> Downloader.Small : Cleaned with backup (quarantined).
[912] D:\WINDOWS\system32\wbem\siltyghq.dll -> Downloader.Small : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\1271843.exe -> Dropper.Small.awk : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20070408-083038-717.dll -> Trojan.Agent.afb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\47d7cfsb.dll -> Trojan.Agent.afb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\romman.sys -> Trojan.Agent.afb : Cleaned with backup (quarantined).
D:\WINDOWS\system32\drivers\stdio.sys -> Trojan.Agent.afb : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp6.tmp.rom -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp9.tmp.rom -> Trojan.OnLineGames.es : Cleaned with backup (quarantined).
D:\WINDOWS\system32\winform.dll -> Trojan.OnLineGames.mq : Cleaned with backup (quarantined).
D:\Program Files\Internet Explorer\InfoMs.sys -> Trojan.QQShou : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm1.tmp.rom -> Trojan.Wow : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm3.tmp.rom -> Trojan.Wow : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm3F.tmp.rom -> Trojan.Wow : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm4.tmp.rom -> Trojan.Wow : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm5.tmp.rom -> Trojan.Wow : Cleaned with backup (quarantined).
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm8.tmp.rom -> Trojan.Wow : Cleaned with backup (quarantined).
D:\WINDOWS\system32\MDserivces\services\Svchost.dll -> Trojan.Zapchast.ct : Cleaned with backup (quarantined).


::Report end

Appreciate it if you could advise :D
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread postby Bob4 » April 9th, 2007, 7:28 am

Looks as if you have a new variant of a trojan our experts need to see.
Please upload this file for me so they can examine it. This will only take a few minutes of your time and help us and others along the way.

Go to this site
  • Fill in the required information (name and e-mail address)
  • In the subject box type or copy in

    D:\WINDOWS\Kernel32.exe
  • In the large message box copy this link.

    http://forum.malwareremoval.com/viewtopic.php?p=169680#169680

  • Type in the Visual verification.
  • Down on the bottom where the browse button is
    Just copy and paste this in the box for ATTACH

    D:\WINDOWS\Kernel32.exe
  • Click post. That's it!

__________________
Now let's get rid of this!

___________________________________
DISABLE Spyware Doctor
It is a good program, but ... it may hinder the removal of some HijackThis entries. You can re-enable it after you're clean.
From within Spyware Doctor, click the "OnGuard" button on the left side.
Uncheck "Activate OnGuard".



______________________________
HJT
Run HijackThis, choose Scan only, and place a check by the following lines if present.
Close all other windows and browsers except HJT before clicking on Fix Checked



R3 - URLSearchHook: f051 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - D:\WINDOWS\system32\437cntos.dll
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - D:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll

O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: (no name) - {79aeef31-0df2-47d7-8b0d-4e03f37a8dbf} - D:\WINDOWS\system32\47d7cfsb.dll
O2 - BHO: (no name) - {f52c6442-f051-437c-ae2b-1b294ae19f4f} - D:\WINDOWS\system32\437cntos.dll
O3 - Toolbar: f051 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - D:\WINDOWS\system32\437cntos.dll
O4 - HKLM\..\Run: [msccrt] D:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [qlsreq96] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\qlsreq96.dll",Start
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [wr] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O23 - Service: BF74F43E - Unknown owner - D:\WINDOWS\system32\BF74F43E.EXE (file missing)



____________________________
Please download the Killbox by Option^Explicit

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

D:\Documents and Settings\Administrator\Local Settings\Temp\Servere.exe
D:\WINDOWS\system32\qlsreq96.dll
D:\WINDOWS\Kernel32.exe
D:\WINDOWS\msccrt.exe
D:\WINDOWS\system32\437cntos.dll
D:\WINDOWS\system32\47d7cfsb.dll


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.




_________________________________
Please do an online scan with Kaspersky Online Scanner
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

______________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Kaspersky
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
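The entries Bob4 picks out above share a few recognisable shapes: an autostart whose binary sits in a Temp folder, a system-file name (Kernel32) in the wrong directory with the wrong extension, BHO/toolbar/URLSearchHook DLLs with random eight-character names loaded straight out of system32, a rundll32 autostart that loads such a DLL, and a service whose file is already gone. The script below is an added example, not HijackThis code and not the forum's own tooling; it turns those shapes into checks and runs them over lines copied from the log posted above. The impersonation name list, the random-name rule and the "legitimate BHOs live under Program Files" assumption are this example's own; the Adobe and Spybot BHOs and the ATI "Unknown owner" service pass untouched.

```python
"""Triage heuristics for HijackThis 1.99 log lines.

Added example: this is not HijackThis code and not the forum's tooling. It
encodes, as checks, the judgement a helper applies by eye to O2/O3/O4/O23/R3
entries. The name list and thresholds are this example's own assumptions;
the sample lines are copied from the log posted in the thread.
"""
from __future__ import annotations
import re

# Windows binaries malware likes to impersonate, with the extension the genuine
# file carries (the genuine file also lives in system32). Assumption: XP layout.
SYSTEM_IMPERSONATION = {
    "kernel32": ".dll", "svchost": ".exe", "lsass": ".exe", "services": ".exe",
    "csrss": ".exe", "winlogon": ".exe", "smss": ".exe",
}

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]+?\.(?:exe|dll|ocx|cpl|sys)\b', re.IGNORECASE)
RUNDLL_TARGET_RE = re.compile(r'system32\\([^\\",]+?\.dll)', re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])[a-z0-9]{8}")   # e.g. 437cntos, 47d7cfsb
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


def _split_path(path: str) -> tuple[str, str, str]:
    """'D:\\WINDOWS\\Kernel32.exe' -> ('d:\\windows', 'kernel32', '.exe')."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return directory.lower(), stem.lower(), "." + ext.lower()


def triage_line(line: str) -> list[str]:
    """Reasons an HJT line deserves a closer look; an empty list means nothing was flagged."""
    reasons: list[str] = []
    section = line.split(" - ", 1)[0].strip()          # "O4", "O23", "R3", ...
    paths = PATH_RE.findall(line)

    # 1. An autostart (O4) or service (O23) whose binary lives in a Temp folder.
    if section in {"O4", "O23"} and any(TEMP_RE.search(p) for p in paths):
        reasons.append("autostart binary lives in a Temp directory")

    # 2. A system-file name in the wrong directory or with the wrong extension
    #    (the genuine kernel32 is a DLL in system32, not an EXE in \WINDOWS).
    for p in paths:
        directory, stem, ext = _split_path(p)
        expected = SYSTEM_IMPERSONATION.get(stem)
        if expected and not (directory.endswith("system32") and ext == expected):
            reasons.append(f"{stem}{ext} impersonates the system file {stem}{expected}")

    # 3. Browser extension (BHO, toolbar, URLSearchHook) loaded straight from
    #    system32; legitimate ones install under Program Files.
    if section in {"O2", "O3", "R3"}:
        for p in paths:
            directory, stem, ext = _split_path(p)
            if ext == ".dll" and directory.endswith("system32"):
                reasons.append("browser extension DLL dropped directly in system32")
                if RANDOM_NAME_RE.fullmatch(stem):
                    reasons.append(f"random-looking filename {stem}{ext}")

    # 4. rundll32 autostart that loads a DLL out of system32, a common adware loader.
    if section == "O4" and "rundll32" in line.lower():
        m = RUNDLL_TARGET_RE.search(line)
        if m:
            reasons.append(f"rundll32 autostart loads {m.group(1)} from system32")

    # 5. A registered service whose binary is gone: leftover of a removed payload.
    if section == "O23" and "(file missing)" in line:
        reasons.append("service points at a missing file")

    return reasons


def triage_log(text: str) -> dict[str, list[str]]:
    """Map each flagged line of an HJT log to its reasons; clean lines are omitted."""
    findings: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            reasons = triage_line(line)
            if reasons:
                findings[line] = reasons
    return findings


# Lines copied from the HJT log posted in the thread (mix of clean and bad entries).
SAMPLE_LOG = r"""
R3 - URLSearchHook: f051 - {DFCB34B6-902D-426E-AE2B-1B294AE19F4F} - D:\WINDOWS\system32\437cntos.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: (no name) - {79aeef31-0df2-47d7-8b0d-4e03f37a8dbf} - D:\WINDOWS\system32\47d7cfsb.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [kernel32] D:\WINDOWS\Kernel32.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [qlsreq96] %systemroot%\system32\Rundll32.exe "%systemroot%\system32\qlsreq96.dll",Start
O4 - HKCU\..\Run: [wr] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BF74F43E - Unknown owner - D:\WINDOWS\system32\BF74F43E.EXE (file missing)
"""

if __name__ == "__main__":
    for flagged, why in triage_log(SAMPLE_LOG).items():
        print(flagged)
        for reason in why:
            print("    ->", reason)
```

Run it as a script to print the findings. The negatives matter as much as the positives: "Unknown owner" alone is not a verdict (ATI Smart's file exists and is left alone), whereas a service whose binary is "(file missing)" is an orphan worth clearing, and a rundll32 entry is only flagged when it loads a DLL out of system32, so the Bluetooth agent passes.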

Unread postby godpig » April 9th, 2007, 7:46 am

Hi, no problem in "sharing" the problem I have... so more people can avoid it.. I will try to do the steps you advise ASAP... as I have to rush through some assignment now... thanks a lot again!!
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm
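The Killbox "Delete on Reboot" step in Bob4's instructions above, and the PendingFileRenameOperations prompt it warns about, rest on one Windows mechanism: files that are locked while the system is running are queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the Session Manager carries out the renames and deletions early in the next boot, before the malware is loaded. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is the API that appends to it, and the prompt presumably fires because the value is already populated (my reading of the tool, not something the thread states). The code below is an added example, not Killbox's or the forum's; it only builds and parses that value's bytes offline, on constructed paths, and never writes to a registry.

```python
"""Build and read the PendingFileRenameOperations queue Windows drains at boot.

Added example, not Killbox's or the forum's code; it never touches a real
registry, only produces and parses the bytes. Assumed facts about the value:
REG_MULTI_SZ under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager,
holding (source, destination) string pairs in NT path form (\??\D:\...).
An empty destination means "delete source"; a leading '!' on the destination
means "replace an existing file".
"""
from __future__ import annotations

NT_PREFIX = "\\??\\"


def to_nt_path(win_path: str) -> str:
    """'D:\\WINDOWS\\Kernel32.exe' -> '\\??\\D:\\WINDOWS\\Kernel32.exe' (idempotent)."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def encode_pending_ops(ops: list[tuple[str, str | None]]) -> bytes:
    """Encode (source, destination) pairs as the REG_MULTI_SZ payload.

    destination None queues a delete; a string queues a rename that replaces
    any existing destination. REG_MULTI_SZ is UTF-16-LE, each string
    NUL-terminated, with one extra NUL closing the list.
    """
    strings: list[str] = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append("" if dst is None else "!" + to_nt_path(dst))
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_pending_ops(blob: bytes) -> list[dict]:
    """Parse the payload back into operations; raises ValueError on a corrupt queue."""
    pieces = blob.decode("utf-16-le").split("\0")
    # The final string's own NUL plus the list terminator leave two empty pieces.
    if pieces[-2:] != ["", ""]:
        raise ValueError("payload is not a NUL-terminated REG_MULTI_SZ")
    pieces = pieces[:-2]
    if len(pieces) % 2:
        raise ValueError("odd number of strings: a source without its destination")
    ops: list[dict] = []
    for src, dst in zip(pieces[::2], pieces[1::2]):
        if dst == "":
            ops.append({"source": src, "action": "delete"})
        else:
            ops.append({"source": src, "action": "rename",
                        "destination": dst.lstrip("!"),
                        "replace_existing": dst.startswith("!")})
    return ops


def deletions_under(ops: list[dict], folder: str) -> list[str]:
    """Sources queued for deletion beneath `folder`: what the next reboot will remove there."""
    prefix = to_nt_path(folder).lower().rstrip("\\") + "\\"
    return [op["source"] for op in ops
            if op["action"] == "delete" and op["source"].lower().startswith(prefix)]


if __name__ == "__main__":
    # Constructed queue: one delete (the path from the thread) and one replace-rename.
    queue = encode_pending_ops([
        (r"D:\WINDOWS\Kernel32.exe", None),
        (r"D:\WINDOWS\Temp\new.dll", r"D:\WINDOWS\system32\old.dll"),
    ])
    for op in decode_pending_ops(queue):
        print(op)
```

Reading this value is also a forensic check in its own right: the same queue that lets a cleanup tool remove a locked dropper lets an installer, or malware, schedule a file swap in system32 for the next boot, so a populated PendingFileRenameOperations on a machine nobody is cleaning deserves a look.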

Unread postby dvk01 » April 9th, 2007, 8:07 am

D:\WINDOWS\Kernel32.exe is a WOW password stealer
dvk01
Visiting Staff
 
Posts: 6
Joined: May 26th, 2005, 3:50 pm

Unread postby godpig » April 9th, 2007, 9:23 am

Hi, these few warnings keep popping up on my screen through the AVG virus prompt, and even when I click "Heal" or "Move to Vault", it will pop back up in a few minutes' time again... -_-

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\5.exe
Trojan horse PSW.Generic3.JNR

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Rav30.dll
Trojan horse PSW.Generic.UWW

D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\4.exe
Trojan horse PSW.Generic3.UXR

The only time it won't come on will be when I shut down the AVG services.
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread postby godpig » April 9th, 2007, 9:23 am

dvk01 wrote: D:\WINDOWS\Kernel32.exe is a WOW password stealer


Oh, I see.. lucky I'm not playing WOW
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread postby godpig » April 9th, 2007, 10:08 am

Hmmm... meanwhile, waiting for the scan.... AVG is having more and more pop-ups of different trojans detected.... what is happening~~ no matter what I click, the trojans will pop back up.. and now even 2 or 3 more new trojan threats detected!!

D:\WINDOWS\system32\lrtbc.dll
Trojan horse Downloaded.Agent.IOP

D:\WINDOWS\system32\wbem\ydpuq.dll
Trojan horse Downloader.......

and a few more coming up...

omg
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Unread postby godpig » April 9th, 2007, 10:10 am

Below are the logs of HJT and the Kaspersky scan.

Logfile of HijackThis v1.99.1
Scan saved at 10:09:37 PM, on 4/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
D:\Program Files\ABIT\ABIT Manager\abiteq.exe
D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Spyware Doctor\sdhelp.exe
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\WgaTray.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\mspaint.exe
D:\WINDOWS\System32\svchost.exe
D:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = "http://runonce.msn.com/?v
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com.sg:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - D:\Documents and Settings\All Users\Application Data\Microsoft\PCTools\pctools.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: HelpIE Class - {589A6FED-A214-4FE3-8D1E-CD07BC634D89} - D:\WINDOWS\system32\HelpIE.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ABITManager] D:\Program Files\ABIT\ABIT Manager\ABITManager.exe
O4 - HKLM\..\Run: [ABITEQ] D:\Program Files\ABIT\ABIT Manager\abiteq.exe -M
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [xzhfhtcwixk] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by119fd.bay119.hotmail.msn.com/r ... nPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{678B4F31-AB23-40EA-A3DD-B9FCDB9EA25A}: NameServer = 202.156.1.48,202.156.1.68
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - D:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 09, 2007 10:08:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/04/2007
Kaspersky Anti-Virus database records: 292847
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 29671
Number of viruses found: 11
Number of infected objects: 38 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:42:47

Infected Object Name / Virus Name / Last Action
C:\DL\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
C:\DL\mirc616.exe mIRC: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\!KillBox\Kernel32.exe Infected: Trojan-PSW.Win32.WOW.qm skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\cert8.db Object is locked skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\formhistory.dat Object is locked skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\history.dat Object is locked skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\key3.db Object is locked skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\parent.lock Object is locked skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\search.sqlite Object is locked skipped
D:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\urlclassifier2.sqlite Object is locked skipped
D:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\Cache\_CACHE_001_ Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\Cache\_CACHE_002_ Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\Cache\_CACHE_003_ Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\lxr6x2n8.default\Cache\_CACHE_MAP_ Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007040920070410\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\1271625.exe Infected: Trojan-Dropper.Win32.Small.awk skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll Object is locked skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp3.tmp.rom Infected: Trojan-PSW.Win32.WOW.qm skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp4.tmp.rom Infected: Trojan-PSW.Win32.WOW.qm skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom Infected: Trojan-PSW.Win32.WOW.qm skipped
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm3.tmp.rom Infected: Trojan-PSW.Win32.WOW.qm skipped
D:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20070409-205825-766.dll Infected: not-a-virus:AdWare.Win32.BHO.cf skipped
D:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
D:\Documents and Settings\All Users\Templates\temp.exe Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-04-09.21-05-29.log Object is locked skipped
D:\Program Files\Internet Explorer\InfoMs.tdm Infected: Trojan-PSW.Win32.Delf.kt skipped
D:\Program Files\Internet Explorer\InfoMs.tp3 Infected: Trojan-PSW.Win32.Delf.kt skipped
D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\WINDOWS\bar.exe/data0002 Infected: Trojan-Clicker.Win32.Agent.io skipped
D:\WINDOWS\bar.exe NSIS: infected - 1 skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{8113AD64-0CE8-4ABD-B20C-E5B39C9D6042}.bin Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\1010s.exe/stream/data0002/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\system32\1010s.exe/stream/data0002/stream/data0003 Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\system32\1010s.exe/stream/data0002/stream Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\system32\1010s.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\system32\1010s.exe/stream Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\system32\1010s.exe NSIS: infected - 5 skipped
D:\WINDOWS\system32\ad_1485.exe/data0002 Infected: not-a-virus:AdWare.Win32.Boran.ae skipped
D:\WINDOWS\system32\ad_1485.exe NSIS: infected - 1 skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\dodolook133.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.o skipped
D:\WINDOWS\system32\dodolook133.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Cinmus.o skipped
D:\WINDOWS\system32\dodolook133.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cinmus.o skipped
D:\WINDOWS\system32\dodolook133.exe NSIS: infected - 3 skipped
D:\WINDOWS\system32\drivers\ndcia.sys Object is locked skipped
D:\WINDOWS\system32\drivers\romman.sys Object is locked skipped
D:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
D:\WINDOWS\system32\drivers\sptd8365.sys Object is locked skipped
D:\WINDOWS\system32\drivers\stdio.sys Object is locked skipped
D:\WINDOWS\system32\drivers\tnswgk39.sys Object is locked skipped
D:\WINDOWS\system32\drivers\usb8028.sys Infected: not-a-virus:AdWare.Win32.WSearch.n skipped
D:\WINDOWS\system32\drivers\vaxscsi.sys Object is locked skipped
D:\WINDOWS\system32\gb01.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.av skipped
D:\WINDOWS\system32\gb01.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.av skipped
D:\WINDOWS\system32\gb01.exe NSIS: infected - 2 skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\HelpIE.dll Infected: not-a-virus:AdWare.Win32.BHO.cf skipped
D:\WINDOWS\system32\MDserivces\services\reg.exe Object is locked skipped
D:\WINDOWS\system32\mshtmlsed.exe Infected: not-a-virus:AdWare.Win32.BHO.cf skipped
D:\WINDOWS\system32\trtbc.dll Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\ydpuq.dll Object is locked skipped
D:\WINDOWS\Temp\base.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\Temp\base.exe/stream/data0003 Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\Temp\base.exe/stream Infected: Trojan-Downloader.Win32.Agent.bcd skipped
D:\WINDOWS\Temp\base.exe NSIS: infected - 3 skipped
D:\WINDOWS\Temp\base.exe UPX: infected - 3 skipped
D:\WINDOWS\Temp\base.exe PE_Patch.UPX: infected - 3 skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
godpig
Regular Member
 
Posts: 23
Joined: April 6th, 2007, 3:43 pm

Post by Bob4 » April 9th, 2007, 11:03 am

Just have to ask to be sure.
You are disabling Spyware doctor before you run the fixes ?

Have you installed Mirc ??
C:\DL\mirc616.exe



___________________________________________________
1. Please download The Avenger by Swandog46 to your Desktop.

Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text in bold contained in the code box below to your Clipboard by highlighting it, right clicking and choosing Copy:


Files to delete:
D:\Documents and Settings\Administrator\Local Settings\Temp\1271625.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\4.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\5.exe
D:\Documents and Settings\Administrator\Local Settings\Temp\Rav31.dll
D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp3.tmp.rom
D:\Documents and Settings\Administrator\Local Settings\Temp\Tmp4.tmp.rom
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm2.tmp.rom
D:\Documents and Settings\Administrator\Local Settings\Temp\~Tm3.tmp.rom
D:\WINDOWS\bar.exe
D:\Documents and Settings\All Users\Templates\temp.exe
D:\Program Files\Internet Explorer\InfoMs.tdm
D:\Program Files\Internet Explorer\InfoMs.tp3
D:\WINDOWS\system32\dodolook133.exe
D:\WINDOWS\system32\drivers\ndcia.sys
D:\WINDOWS\system32\drivers\romman.sys
D:\WINDOWS\system32\drivers\usb8028.sys
D:\WINDOWS\system32\1010s.exe
D:\WINDOWS\system32\ad_1485.exe
D:\WINDOWS\system32\gb01.exe
D:\WINDOWS\system32\HelpIE.dll
D:\WINDOWS\system32\mshtmlsed.exe
D:\WINDOWS\system32\trtbc.dll
D:\WINDOWS\Temp\base.exe
D:\WINDOWS\system32\HelpIE.dll
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Servere.exe



Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.

4. Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, a black command window will briefly open on your desktop; this is normal.
  • After the restart, Avenger creates a log file that should open with the results of its actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of avenger.txt into your reply.


_____________________________
Submit a file to Jotti
Please go here : http://virusscan.jotti.org/
On top of the page there is a field to add the filepath, copy and paste these filepaths: 1 at a time.

Post the results of each.



D:\WINDOWS\system32\drivers\tnswgk39.sys

D:\WINDOWS\system32\wbem\ydpuq.dll

Then hit Submit
The scan will take a while before the result comes up so please be patient.
Then copy the results (2) and post it here in this thread.

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustotal.com/xhtml/index_en.html



___________________________

1. Download ComboFix from one of these locations.
http://www.techsupportforum.com/sectool ... mboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


______________________
Download and Save Blacklight to your desktop:


  • Doubleclick on blbeta.exe.
  • Click on Scan.
  • Once the Scan is Finished, click on Next.
  • Click on Exit.
    A new document will be produced on the desktop.
    Open this document with Notepad.
  • Copy and Paste its contents into your next reply.


In your next reply I would like to see:
  • A new HJT log
  • The report from JOTTIS
  • The report from combo scan
  • The report from Avenger.txt
  • The report from Blacklight
Bob4
MRU Master
 
Posts: 6073
Joined: November 12th, 2005, 11:26 am
Location: Florida
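Bob4's reply is built straight from the scan report godpig posted above: every "Infected:" entry is traced back to the on-disk file that contains it (archive members are reported as "<file>/data0002" or "<file>/stream/..."), the containers become the Avenger "Files to delete:" list, "not-a-virus:" hits such as mirc.exe are questioned rather than deleted, and locked executables with odd names (tnswgk39.sys, ydpuq.dll) are sent for a second opinion. The script below is an added example, not part of this thread and not code from Avenger, Kaspersky or any other tool named here; it performs that triage mechanically over a constructed sample in the same report format. The regular expressions, the "not-a-virus:" split, and the rule that locked .exe/.dll/.sys files deserve a second opinion are assumptions of this example, not the forum's procedure.

```python
"""
Triage a Kaspersky-style scan report (added example, not from the thread).

Three line shapes are handled, modelled on the report posted above:
  <path> Infected: <detection> skipped
  <path> <packer>: infected - <n> skipped
  <path> Object is locked skipped
"""
import re
from collections import OrderedDict

# Assumed patterns for the three report line shapes (example's own regexes).
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
PACKED_RE = re.compile(r"^(?P<path>.+?) (?P<packer>[\w.]+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Heuristic (assumption): locked registry hives and logs are normal, locked
# executables are the ones worth submitting to a multi-engine scanner.
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ocx", ".scr")

# Constructed sample report in the same format as the thread's log.
SAMPLE_REPORT = "\n".join([
    r"D:\WINDOWS\bar.exe/data0002 Infected: Trojan-Clicker.Win32.Agent.io skipped",
    r"D:\WINDOWS\bar.exe NSIS: infected - 1 skipped",
    r"D:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"D:\WINDOWS\Temp\base.exe/stream/data0001 Infected: Trojan-Downloader.Win32.Agent.bcd skipped",
    r"D:\WINDOWS\Temp\base.exe/stream Infected: Trojan-Downloader.Win32.Agent.bcd skipped",
    r"D:\WINDOWS\Temp\base.exe NSIS: infected - 3 skipped",
    r"D:\WINDOWS\Temp\base.exe UPX: infected - 3 skipped",
    r"D:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped",
    r"D:\WINDOWS\system32\drivers\tnswgk39.sys Object is locked skipped",
])


def on_disk_path(path):
    """Map an archive-member path back to the file that actually sits on disk.

    Windows paths never contain '/', so everything after the first one is a
    member inside a container (NSIS installer, UPX stream) and the file to
    act on is the container itself.
    """
    return path.split("/", 1)[0]


def parse_report(text):
    """Split report lines into malware, riskware ('not-a-virus:') and locked objects."""
    malware = OrderedDict()   # on-disk path -> set of detection names
    riskware = OrderedDict()  # same, for PUA/riskware that needs a human decision
    locked = []               # paths the scanner could not open
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            path = on_disk_path(m.group("path"))
            name = m.group("name")
            bucket = riskware if name.startswith("not-a-virus:") else malware
            bucket.setdefault(path, set()).add(name)
            continue
        m = PACKED_RE.match(line)
        if m:
            # Container summary line; its members above already carry the
            # detection name, so only record the container if it is new.
            path = on_disk_path(m.group("path"))
            if path not in malware and path not in riskware:
                malware.setdefault(path, set()).add(m.group("packer") + ":infected")
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
    return {"malware": malware, "riskware": riskware, "locked": locked}


def locked_executables(locked):
    """Locked objects with executable extensions: candidates for a second-opinion scan."""
    return [p for p in locked if p.lower().endswith(EXECUTABLE_EXTS)]


def avenger_script(paths):
    """Render the 'Files to delete:' block in the layout used in the thread, deduplicated."""
    seen = OrderedDict((p, None) for p in paths)
    return "\n".join(["Files to delete:", *seen]) + "\n"


if __name__ == "__main__":
    result = parse_report(SAMPLE_REPORT)
    print(avenger_script(result["malware"]))
    print("Review before deleting (riskware):", list(result["riskware"]))
    print("Submit for a second opinion:", locked_executables(result["locked"]))
```

On the sample, bar.exe and base.exe land in the delete list once each even though base.exe produced four report lines, mirc.exe is held back for review (the same question Bob4 asks above), and only tnswgk39.sys, not the locked SAM hive, is proposed for a second-opinion scan. As the note in the reply says, a delete list is specific to one machine; the point of the example is the mapping from report lines to on-disk files, not the particular paths.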