Pls Help Me From These

Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

BleepingComputer.com > Security > HijackThis Logs and Virus/Trojan/Spyware/Malware Removal > Misplaced HJT Logs

Pls Help Me From These, Generic! atr , w32/autorun.worm.bn, PWS.onlinegames.a

Options

Nick001 View Member Profile	Jan 19 2008, 07:21 AM Post #1
New Member Group: Members Posts: 5 Joined: 19-January 08 From: Delhi Member No.: 184,544	These 3 trojans or worm infected my PC. Now i can't unhide my Hidden files as well as when i double click on my hard drive it open in other window not in same window. Please tell me wht i do????

quietman7 View Member Profile	Jan 19 2008, 10:23 AM Post #2
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	From what you describe, it appears to be a flash drive infection. Symptoms include the inability to open drives/partitions. Flash drive infections usually involve malware that loads an autorun.inf file into the root folder of all drives (internal, external, removable). When the removable media is inserted, autorun looks for autorun.inf and automatically executes a malicious autorun.bat file which calls wscript.exe to run autorun.vbs on your computer. When a flash drive becomes infected, the Trojan will infect a system when the removable media is inserted if autorun has not been disabled. Please insert your flash drive before we begin! Download Flash_Disinfector.exe by sUBs and save it to your desktop. Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear. The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well. Wait until it has finished scanning and then exit the program. Reboot your computer when done. Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that is plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection. When done remove any Startup RUN value by downloading and using Autoruns. Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet. Please download and install SUPERAntiSpyware Free Double-click SUPERAntiSypware.exe and use the default settings for installation. An icon will be created on your desktop. Double-click that icon to launch the program. If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here and unzip into the program's folder.) Under the "Configuration and Preferences", click the Preferences... button. Click the "*General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked. Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked): Close browsers before scanning.* Scan for tracking cookies. Terminate memory threats before quarantining. Click the "Close" button to leave the control center screen and exit the program. Do not run a scan just yet. Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Scan with SUPERAntiSpyware as follows: Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer. On the left, make sure you check C:\Fixed Drive. On the right, under "Complete Scan", choose *Perform Complete Scan* and click "Next". After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK". Make sure everything has a checkmark next to it and click "Next". A notification will appear that "*Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu. If asked if you want to reboot, click "Yes" and reboot normally. To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.* Under Scanner Logs, double-click SUPERAntiSpyware Scan Log. If there are several logs, click the current dated log and press View log. A text file will open in your default text editor. Please copy and paste the Scan Log results in your next reply. Click Close to exit the program. Then download and scan with Dr.Web CureIt. Follow the instructions here for performing a scan in "safe mode". -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

Nick001 View Member Profile	Jan 21 2008, 04:39 AM Post #3
New Member Group: Members Posts: 5 Joined: 19-January 08 From: Delhi Member No.: 184,544	Dear Quietman7, thanks for ur work. I do wht u say!!! now check this My Hijack File and Dr Cure it File :- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 3:03:09 PM, on 1/21/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe c:\program files\mcafee.com\agent\mcdetect.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\PROGRA~1\mcafee.com\agent\mctskshd.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\SiteAdvisor\6253\SAService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\NETGEAR\WG311v3\WinDomainlogon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wuauclt.exe C:\Program Files\SiteAdvisor\6253\SiteAdv.exe C:\Program Files\McAfee.com\VSO\mcvsshld.exe C:\Program Files\McAfee.com\VSO\oasclnt.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe D:\Program Files\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Microsoft Office\Office12\EXCEL.EXE C:\Documents and Settings\Administrator\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - D:\Program Files\rpbrowserrecordplugin.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = ? O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.bitstream.com/wfplayer/tdserver.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{36907705-774B-486B-93E3-0660517A3315}: NameServer = 59.179.243.70,203.94.243.70 O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe -- End of file - 7830 bytes Dr Cute File log:- m1t8ta.com;C:\;Trojan.MulDrop.6474;Deleted.; vx4cdqn.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Nsanti.Packed;Deleted.; ud.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Nsanti.Packed;Deleted.; slun.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Nsanti.Packed;Deleted.; 4.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Nsanti.Packed;Deleted.; eaxbit.dll;C:\Documents and Settings\Administrator\Local Settings\Temp;Trojan.Nsanti.Packed;Deleted.; A0000058.dll;C:\System Volume Information\_restore{739E7A2D-28B8-4001-8899-E08D8A06F75A}\RP3;Trojan.PWS.Wsgame.2387;Deleted.; A0000074.com;C:\System Volume Information\_restore{739E7A2D-28B8-4001-8899-E08D8A06F75A}\RP3;Trojan.MulDrop.6474;Deleted.; FILE0001.CHK;C:\FOUND.029;Trojan.MulDrop.6474;Deleted.; m1t8ta.com;D:\;Trojan.MulDrop.6474;Deleted.; A0000075.com;D:\System Volume Information\_restore{739E7A2D-28B8-4001-8899-E08D8A06F75A}\RP3;Trojan.MulDrop.6474;Deleted.; m1t8ta.com;E:\;Trojan.MulDrop.6474;Deleted.; A0000076.com;E:\System Volume Information\_restore{739E7A2D-28B8-4001-8899-E08D8A06F75A}\RP3;Trojan.MulDrop.6474;Deleted.; Desktopfun.EXE;E:\Photos\New Folder\New Folder\New Folder\songs\Pix\New Folder\FUN;Joke.Puncher;Incurable.Moved.; Britney Spears.scr\data001;E:\Photos\New Folder\New Folder\New Folder\songs\Pix\New Folder\FUN\screensaver\Britney Spears.scr;Adware.TimeSink;; Britney Spears.scr\data002;E:\Photos\New Folder\New Folder\New Folder\songs\Pix\New Folder\FUN\screensaver\Britney Spears.scr;Adware.TSAdvert;; Britney Spears.scr\data003;E:\Photos\New Folder\New Folder\New Folder\songs\Pix\New Folder\FUN\screensaver\Britney Spears.scr;Adware.TSAdvert;; Britney Spears.scr\data005;E:\Photos\New Folder\New Folder\New Folder\songs\Pix\New Folder\FUN\screensaver\Britney Spears.scr;Adware.TimeSink;; Britney Spears.scr;E:\Photos\New Folder\New Folder\New Folder\songs\Pix\New Folder\FUN\screensaver;Archive contains infected objects;Moved.; m1t8ta.com;F:\;Trojan.MulDrop.6474;Deleted.; A0000078.com;F:\System Volume Information\_restore{739E7A2D-28B8-4001-8899-E08D8A06F75A}\RP3;Trojan.MulDrop.6474;Deleted.; SUPERAntispyware log :- SUPERAntiSpyware Scan Log http://www.superantispyware.com Generated 01/21/2008 at 01:06 PM Application Version : 3.9.1008 Core Rules Database Version : 3384 Trace Rules Database Version: 1378 Scan type : Complete Scan Total Scan Time : 01:48:08 Memory items scanned : 173 Memory threats detected : 0 Registry items scanned : 5891 Registry threats detected : 0 File items scanned : 39272 File threats detected : 2 Adware.Tracking Cookie C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@ads.cooltoad[1].txt C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\administrator@apmebf[1].txt Waiting for ur reply!!!!!!

quietman7 View Member Profile	Jan 21 2008, 08:20 AM Post #4
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	I have moved your Topic that includes a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis logs analysis and probably missed the directions we provide to those who require assistance. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware anlaysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well meaning or not. Prior to posting a HJT log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system. Please complete all the steps in the Guide. If you have performed some of them already, then just continue with the next. If you can't perform a step, then skip it and continue with the next. The last step will include downloading and using the most current version of HijackThis if the first line of your log does not appear as follows: Logfile of Trend Micro HijackThis v2.0.2 Please note that it is important that HijackThis be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log. Please DO NOT post any more logs to this topic, or post a log again in the wrong forum. The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for. When your new HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done. Thanks for your cooperation and good luck. The BC Staff -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

quietman7 View Member Profile	Jan 22 2008, 01:10 PM Post #5
Bleepin' Janitor Group: Global Moderator Posts: 14,074 Joined: 9-July 05 From: Virginia, USA Member No.: 26,513	I see your hijackthis log is posted here and you are already getting assistance. From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean. To avoid confusion, I am closing this topic. Thanks for your cooperation and good luck with your log. -------------------- "THE BAD GUYS DON'T NEED A SEARCH WARRANT. ARE YOU PROTECTED?" Microsoft MVP - Windows Security 2007-2009

« Next Oldest · Misplaced HJT Logs · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Display Mode: Standard · Switch to: Linear+ · Switch to: Outline

Track this topic · Email this topic · Print this topic · Subscribe to this forum

Lo-Fi Version

Time is now: 9th January 2009 - 04:48 AM

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Malware Removal Guides