
Removal Of Win32.trojandownloader.adload


9 replies to this topic

#1 gqlegacy

  • Members
  • 6 posts

Posted 24 July 2007 - 03:55 AM

Hello all,

This is my first post, I hope I don't disappoint anyone, because I haven't seen a clear instructional yet on how to get rid of the irritating pop-up trojan win32.trojandownloader.adload. Any help as to getting rid of this would be wonderful, even if you had to point me to a thread. I have searched for 5 hours, and haven't found anything clear yet. Thanks!

Here is an email I just sent to someone who solved a similar issue with someone else...
The HiJack This Log is at the bottom as well as an error message I keep getting every time I launch HiJackThis 'Scan'.

-------------------------------------------------------------------------

Hello,

I found your email in the HiJack This Forum, after seeing you help someone else of a similar problem.

I received an error message when trying to scan a log of my system. I am trying to get rid of these annoying pop ups generated from a trojan that I have (win32.Trojandownloader.adload), but can't seem to get rid of it. I have read many forums trying to find the removal instruction, to no luck thus far, and hours have gone by.

One forum said to change the original file of the trojan to:
hold29JUN07atmtd.dll

The original name was:
atmtd.dll (this is the one I changed to 'hold....dll' ... to no luck)

And another similar file was named:
atmtd.dll._

These pop ups are random and seem to activate when I open IE (latest version).

I am very efficient when it comes to instructions, even when I don't know what I am doing.. if explained correctly, I will follow them to the "T". Please help if you can. I have attached my scan log as well as the error message. My operating system is Windows Vista. (I hate it so far) too much security that I don't understand yet, let alone - control. Thanks for your help, if you can get to me!

----------------------------------------------

This is what was copied to my clipboard:

----------------------------------------------

An unexpected error has occurred at procedure: modMain_CheckOther1Item()
Error #75 - Path/File access error

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 6.00.1904
MSIE version: 7.0.6000.16473
HijackThis version: 1.99.1


--------------------------

SCAN LOG:

--------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:58:26 AM, on 7/24/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W5233
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

------


BTW:
I just disabled McAfee due to unwanted security features that I can't control. I wanted to get the Norton instead. Windows Vista isn't helping either. Do you prefer Norton over McAfee? or another? Very open to comments/suggestions/instructions ... at this point.

Thanks for your help!

Nickolas C.
nickolas@csmgonline.com

#2 RichieUK

    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 05:31 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum gqlegacy.
My name is Richie and I'll be helping you to fix your problems.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#3 gqlegacy

  • Topic Starter
  • Members
  • 6 posts

Posted 24 July 2007 - 03:48 PM

Here you are.... and thanks for your assistance, really appreciated. Everything went smoothly so far.

Nickolas

Attached Files



#4 RichieUK

    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 24 July 2007 - 04:10 PM

Remove/uninstall Diner Dash via Add or Remove Programs.

-----------------------------------------------------

To enable the viewing of hidden files, follow these steps:

1. Close all programs so that you are at your desktop.
2. Click on the Start button. This is the small round button with the Windows flag in the lower left corner.
3. Click on the Control Panel menu option.
4. When the control panel opens you can either be in Classic View or Control Panel Home view:

If you are in the Classic View do the following:
1. Double-click on the Folder Options icon.
2. Click on the View tab.
3. Go to step 5.

If you are in the Control Panel Home view do the following:
1. Click on the Appearance and Personalization link .
2. Click on Show Hidden Files or Folders.
3. Go to step 5.

5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now Windows Vista is configured to show all hidden files.

---------------------------------------------------

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\Windows\system32\drivers\core.sys
C:\Windows\uninstall_nmon.vbs
C:\Windows\Tmlja29sYXM

Restart your pc normally.

---------------------------------------------------

Download\install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
Exit Hijackthis.

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor,such as Notepad.
Copy and paste the contents of that report into your next reply.

----------------------------------------------------

Please download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

You should copy/print the following because you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
* Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
* Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
* Once the short scan has finished, Click Options > Change settings
* Choose the "Scan tab" and UNcheck "Heuristic analysis"
* Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
* Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
* When done, a message will be displayed at the bottom advising if any viruses were found.
* Click "Yes to all" if it asks if you want to cure/move the file.
* When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
(This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
* Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
* Save the DrWeb.csv report to your desktop.
* Exit Dr.Web Cureit when done.
* Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
* After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

Also post a fresh Hijackthis log.
*Please Note*
Post all replies directly into this topic, not as attachments, thanks.
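A way to pre-screen a HijackThis 1.99.1 log like the ones posted in this thread for the kind of entry Richie singled out (an unnamed toolbar with no file behind it) plus a few related checks. This is an added example written for this page, not code from the thread or from HijackThis; the sample log is constructed from the same line formats, and the 203.0.113.5 hosts line is made up to exercise the hosts check.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the format of the HijackThis 1.99.1 logs posted in
# this thread. The 203.0.113.5 hosts line is made up to show the check.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\Windows\system32\taskeng.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.example.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")
O4_RE = re.compile(r"^.*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<addr>\S+)\s+(?P<host>\S+)")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
LOOPBACK = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> list:
    """Return the findings for one HijackThis log line (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings = []
    if any(marker in body for marker in ORPHAN_MARKERS):
        if section == "O23" and body.startswith("Service: @"):
            # Vista names services with @dll,-id resource strings, which
            # HijackThis 1.99.1 cannot resolve; weigh these separately.
            findings.append(Finding(section, "unresolved-resource-name", line))
        else:
            # A registered BHO/toolbar/service pointing at nothing on disk:
            # typically residue of a removed or partially cleaned component.
            findings.append(Finding(section, "orphaned-entry", line))
    if "(no name)" in body:
        findings.append(Finding(section, "unnamed-entry", line))
    if section == "O1":
        h = HOSTS_RE.match(body)
        if h and h.group("addr") not in LOOPBACK:
            # A hosts entry pointing a name somewhere other than loopback.
            findings.append(Finding(section, "hosts-redirect", line))
    if section == "O4":
        o4 = O4_RE.match(body)
        if o4 and "\\" not in o4.group("cmd").split()[0]:
            # Bare file name: resolved through the search path at logon, so
            # confirm which directory it really loads from (see process list).
            findings.append(Finding(section, "bare-filename-autorun", line))
    return findings


def triage(text: str) -> tuple:
    """Triage a whole log; return (number of parsed entries, findings)."""
    entries, findings = 0, []
    for raw in text.splitlines():
        if LINE_RE.match(raw.strip()):
            entries += 1
        findings.extend(triage_line(raw))
    return entries, findings


def summarize(text: str) -> dict:
    """Count findings per reason, e.g. {'orphaned-entry': 1, ...}."""
    return dict(Counter(f.reason for f in triage(text)[1]))


if __name__ == "__main__":
    n, found = triage(SAMPLE_LOG)
    print(f"{n} entries parsed, {len(found)} findings")
    for f in found:
        print(f"[{f.reason}] {f.line.strip()}")
```

The output is a review aid only: every flagged line still needs a human decision, since benign entries (an uninstalled toolbar's leftover registration, an OEM utility living in C:\Windows) produce the same patterns.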

#5 gqlegacy

  • Topic Starter
  • Members
  • 6 posts

Posted 24 July 2007 - 04:36 PM

Thanks... I'm on it.

#6 gqlegacy

  • Topic Starter
  • Members
  • 6 posts

Posted 24 July 2007 - 11:55 PM

Here are the results, btw: the Dr. Web Log took forever... and it seems like it should have produced a longer result, but I guess not...


------------------------------------------------------

DrWeb-CureIt Log:

keygen.exe;C:\Documents and Settings\Nickolas Crawford\Power ISO 3.7 Download;Trojan.DownLoader.26881;Deleted.;

------------------------------------------------------

HiJack This:

Every time I launch HiJack This, I get this error message:

For some reason, your system denied write access to the Hosts file. If any hijacked domains are in this file, HiJack This may NOT be able to fix this.

If that happens, you need to edit the file yourself. To do this, click start, Run and type:

"C:\Windows\System32\drivers\etc\hosts"

and press Enter. Find the link(s) HiJack This reports and delete them. Save the files as "hosts." (with quotes), and reboot.



When I press OK the next error comes up, the same one that I mentioned in the previous message - Error #75 - Path File access error.

It then asked me "Do you want I wanted to create a new file?"

After this one came up, I clicked "cancel" because I didn't know if I should click "Yes" or "No"

LOG FILE:

Logfile of HijackThis v1.99.1
Scan saved at 9:52:44 PM, on 7/24/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\zHotkey.exe
C:\Windows\ModPS2Key.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Windows\ehome\ehtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEUser.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch...DTP&M=W5233
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html?Ch...DTP&M=W5233
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\google\BAE.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [ModPS2] ModPS2Key.exe
O4 - HKLM\..\Run: [BigFix] c:\program files\Bigfix\bigfix.exe /atstartup
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: SQL Server (MSSMLBIZ) (MSSQL$MSSMLBIZ) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ (file missing)
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe




------------------------------------------------------

SUPERAntiSpyware Scan Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2007 at 05:17 PM

Application Version : 3.9.1008

Core Rules Database Version : 3273
Trace Rules Database Version: 1284

Scan type : Complete Scan
Total Scan Time : 00:40:23

Memory items scanned : 457
Memory threats detected : 0
Registry items scanned : 7028
Registry threats detected : 0
File items scanned : 89066
File threats detected : 67

Adware.Tracking Cookie

Adware.Adservs
C:\Windows\system32\atmtd.dll._

Trojan.NetMon/DNSChange
C:\Program Files\Network Monitor

Trojan.Unknown Origin
C:\$RECYCLE.BIN\S-1-5-21-430278183-2791713437-3591342387-1000\$R8PU7JJ\NA53UZ6PSRG.VBS
C:\$RECYCLE.BIN\S-1-5-21-430278183-2791713437-3591342387-1000\$RYUJPB0.VBS

Trojan.Rootkit-TnCore
C:\$RECYCLE.BIN\S-1-5-21-430278183-2791713437-3591342387-1000\$RFTJ4RX.SYS

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B104.EXE
C:\WINDOWS\B136.EXE
C:\Windows\Prefetch\B104.EXE-A2DF475D.pf
C:\Windows\Prefetch\B136.EXE-F9E2101E.pf


------------------------------------------------------

#7 gqlegacy

gqlegacy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 25 July 2007 - 12:06 AM

I just got this LOG from Ad-Aware SE Personal and noticed that the Trojans are still there. How shall I proceed?


Ad-Aware SE Build 1.06r1
Logfile Created on:Tuesday, July 24, 2007 10:02:32 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R182 23.07.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):17 total references
Tracking Cookie(TAC index:3):2 total references
Win32.TrojanDownloader.Adload(TAC index:10):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


7-24-2007 10:02:32 PM - Scan started. (Smart mode)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [taskeng.exe]
FilePath : C:\Windows\system32\
ProcessID : 2428
ThreadCreationTime : 7-25-2007 4:07:58 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskEng
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : taskeng.exe.mui

#:2 [dwm.exe]
FilePath : C:\Windows\system32\
ProcessID : 2452
ThreadCreationTime : 7-25-2007 4:07:58 AM
BasePriority : High
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Desktop Window Manager
InternalName : dwm.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : dwm.exe.mui

#:3 [explorer.exe]
FilePath : C:\Windows\
ProcessID : 2520
ThreadCreationTime : 7-25-2007 4:07:58 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE.MUI

#:4 [msascui.exe]
FilePath : C:\Program Files\Windows Defender\
ProcessID : 2772
ThreadCreationTime : 7-25-2007 4:08:03 AM
BasePriority : Normal
FileVersion : 1.1.1505.0
ProductVersion : 1.1.1505.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe

#:5 [igfxtray.exe]
FilePath : C:\Windows\System32\
ProcessID : 2784
ThreadCreationTime : 7-25-2007 4:08:03 AM
BasePriority : Normal
FileVersion : 7.14.10.1227
ProductVersion : 7.14.10.1227
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxTray Module
InternalName : IGFXTRAY
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : IGFXTRAY.EXE

#:6 [hkcmd.exe]
FilePath : C:\Windows\System32\
ProcessID : 2792
ThreadCreationTime : 7-25-2007 4:08:03 AM
BasePriority : Normal
FileVersion : 7.14.10.1227
ProductVersion : 7.14.10.1227
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : HKCMD.EXE

#:7 [igfxpers.exe]
FilePath : C:\Windows\System32\
ProcessID : 2800
ThreadCreationTime : 7-25-2007 4:08:03 AM
BasePriority : Normal
FileVersion : 7.14.10.1227
ProductVersion : 7.14.10.1227
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : persistence Module
InternalName : PERSISTENCE
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : IGFXPERS.EXE

#:8 [rthdvcpl.exe]
FilePath : C:\Windows\
ProcessID : 2808
ThreadCreationTime : 7-25-2007 4:08:03 AM
BasePriority : Normal
FileVersion : 1, 0, 0, 21
ProductVersion : 1, 0, 0, 21
ProductName : HD Audio Control Panel
CompanyName : Realtek Semiconductor
FileDescription : HD Audio Control Panel
InternalName : RtHDVCpl.exe
LegalCopyright : 2006 © Realtek Semiconductor. All rights reserved.
OriginalFilename : RtHDVCpl.exe

#:9 [zhotkey.exe]
FilePath : C:\Windows\
ProcessID : 2840
ThreadCreationTime : 7-25-2007 4:08:03 AM
BasePriority : Normal
FileVersion : 3, 0, 0, 10
ProductVersion : 3, 0, 0, 0
ProductName : Multimedia Keyboard Driver
FileDescription : Multimedia Keyboard Driver
InternalName : Multimedia Hotkey Driver
LegalCopyright : Copyright © 2006.
OriginalFilename : mHotkey.res

#:10 [modps2key.exe]
FilePath : C:\Windows\
ProcessID : 2932
ThreadCreationTime : 7-25-2007 4:08:04 AM
BasePriority : Normal
FileVersion : 4, 2, 0, 0
ProductVersion : 3, 2, 0, 0
ProductName : Hotkey Driver
CompanyName : Chicony
FileDescription : AccessL
InternalName : AccessL
LegalCopyright : Copyright c 2005
OriginalFilename : AccessL.exe

#:11 [acrotray.exe]
FilePath : C:\Program Files\Adobe\Acrobat 7.0\Distillr\
ProcessID : 2948
ThreadCreationTime : 7-25-2007 4:08:04 AM
BasePriority : Normal
FileVersion : 6.0.1.2004121400
ProductVersion : 6.0.1.2004121400
ProductName : AcroTray - Adobe Acrobat Distiller helper application.
CompanyName : Adobe Systems Inc.
FileDescription : AcroTray
InternalName : AcroTray
LegalCopyright : Copyright 1984-2004 Adobe Systems Incorporated and its licensors. All rights reserved.
OriginalFilename : AcroTray.exe

#:12 [pwrisovm.exe]
FilePath : C:\Program Files\PowerISO\
ProcessID : 2956
ThreadCreationTime : 7-25-2007 4:08:04 AM
BasePriority : Normal
FileVersion : 3, 7, 0, 0
ProductVersion : 3, 7, 0, 0
ProductName : PowerISO Virtual Drive Manager
CompanyName : PowerISO Computing, Inc.
FileDescription : PowerISO Virtual Drive Manager
InternalName : PowerISO Virtual Drive Manager
LegalCopyright : Copyright © 2004-2007
OriginalFilename : PWRISOVM.EXE
Comments : http://www.poweriso.com

#:13 [ehtray.exe]
FilePath : C:\Windows\ehome\
ProcessID : 2964
ThreadCreationTime : 7-25-2007 4:08:05 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Tray Applet
InternalName : ehtray.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehtray.exe

#:14 [superantispyware.exe]
FilePath : C:\Program Files\SUPERAntiSpyware\
ProcessID : 2972
ThreadCreationTime : 7-25-2007 4:08:05 AM
BasePriority : Normal
FileVersion : 3, 9, 0, 1008
ProductVersion : 3, 9, 0, 1008
ProductName : SUPERAntiSpyware
CompanyName : SUPERAntiSpyware.com
FileDescription : SUPERAntiSpyware
InternalName : SUPERAntiSpyware
LegalCopyright : Copyright © 2005-2007 by SUPERAntiSpyware.com and SUPERAdBlocker.com
OriginalFilename : SUPERAntiSpyware.exe

#:15 [ehmsas.exe]
FilePath : C:\Windows\ehome\
ProcessID : 3156
ThreadCreationTime : 7-25-2007 4:08:13 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Media Center Media Status Aggregator Service
InternalName : eHMSAS.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ehMSAS.exe.mui

#:16 [igfxsrvc.exe]
FilePath : C:\Windows\system32\
ProcessID : 3176
ThreadCreationTime : 7-25-2007 4:08:14 AM
BasePriority : Normal
FileVersion : 7.14.10.1227
ProductVersion : 7.14.10.1227
ProductName : Intel® Common User Interface
CompanyName : Intel Corporation
FileDescription : igfxsrvc Module
InternalName : IGFXSRVC
LegalCopyright : Copyright 1999-2006, Intel Corporation
OriginalFilename : IGFXSRVC.EXE

#:17 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 2276
ThreadCreationTime : 7-25-2007 4:26:47 AM
BasePriority : Normal
FileVersion : 7.00.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 7.00.6000.16386
ProductName : Windows® Internet Explorer
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE.MUI

#:18 [ieuser.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3436
ThreadCreationTime : 7-25-2007 4:26:47 AM
BasePriority : Normal
FileVersion : 6.0.6000.16386 (vista_rtm.061101-2205)
ProductVersion : 6.0.6000.16386
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : ieuser.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ieuser.exe.mui

#:19 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3220
ThreadCreationTime : 7-25-2007 5:02:13 AM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nickolas@overture[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:nickolas@overture.com/
Expires : 7-21-2017 9:26:50 PM
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : nickolas@real[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:nickolas@real.com/
Expires : 9-22-2007 2:14:36 PM
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 2
Objects found so far: 2



Deep scanning and examining files...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\Windows
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 2

Win32.TrojanDownloader.Adload Object Recognized!
Type : File
Data : atmtd.dll._
TAC Rating : 10
Category : Virus
Comment :
Object : C:\Windows\system32\



Win32.TrojanDownloader.Adload Object Recognized!
Type : File
Data : hold29jun07atmtd.dll
TAC Rating : 10
Category : Virus
Comment :
Object : C:\Windows\system32\



Disk Scan Result for C:\Windows\system32
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

Disk Scan Result for C:\Users\Nickolas\AppData\Local\Temp\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4

MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-430278183-2791713437-3591342387-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk



Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21

10:03:35 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:01:03.80
Objects scanned:100865
Objects identified:4
Objects ignored:0
New critical objects:4

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 25 July 2007 - 05:49 AM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL the following bold blue text:

Files to delete:
C:\Windows\system32\atmtd.dll._
C:\Windows\system32\hold29jun07atmtd.dll


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt when you've done.

#9 gqlegacy

gqlegacy
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:20 PM

Posted 25 July 2007 - 03:46 PM

After downloading and unzipping to my Desktop, I attempted to execute the file - a compatibility error came up:

Fatal error: unsupported version of Windows! This Program will run only on Windows 2000 or XP.


Is there another version for my os (Windows Vista)?

If not, how would you like me to proceed?

#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:10:20 PM

Posted 26 July 2007 - 04:12 AM

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\Windows\system32\atmtd.dll._
C:\Windows\system32\hold29jun07atmtd.dll

Rescan with Ad-Aware and post the new log please.
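Both removal routes above (Avenger's delete-at-reboot script in #8 and the manual safe-mode deletion in #10) come down to the same two files, and the reason a normal delete fails is that a loaded DLL is locked. The following PowerShell script is an added example, not code from the thread or from Avenger: it records size, timestamps and a SHA-256 for each flagged file before removal, tries a direct delete, and falls back to the Win32 MoveFileEx delete-on-reboot mechanism when the file is in use. The two paths are the ones named in this thread; the evidence-log location is an assumption, and it must be run from an elevated prompt.

```powershell
# Added example (not from the thread or from Avenger). Run elevated.
$targets = @(
    'C:\Windows\system32\atmtd.dll._',
    'C:\Windows\system32\hold29jun07atmtd.dll'
)
$evidenceLog = Join-Path $env:USERPROFILE 'Desktop\removal-log.txt'  # assumed location

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT and a null destination asks the
# kernel to delete a locked file during the next boot, before anything loads it.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$Kernel32 = Add-Type -MemberDefinition $signature -Name 'NativeMethods' -Namespace 'Removal' -PassThru
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

foreach ($path in $targets) {
    if (-not (Test-Path -LiteralPath $path)) {
        Add-Content $evidenceLog "$(Get-Date -Format s) NOT FOUND $path"
        continue
    }
    # Preserve what an analyst wants before the file disappears: size,
    # timestamps and a hash that can be compared against vendor write-ups.
    $item = Get-Item -LiteralPath $path -Force
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Add-Content $evidenceLog ("{0} FOUND {1} size={2} created={3} modified={4} sha256={5}" -f
        (Get-Date -Format s), $path, $item.Length, $item.CreationTime, $item.LastWriteTime, $hash)

    try {
        Remove-Item -LiteralPath $path -Force -ErrorAction Stop
        Add-Content $evidenceLog "$(Get-Date -Format s) DELETED $path"
    } catch {
        # Typical for a DLL mapped into a running process: schedule the delete.
        if ($Kernel32::MoveFileEx($path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
            Add-Content $evidenceLog "$(Get-Date -Format s) SCHEDULED FOR DELETE ON REBOOT $path"
        } else {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Add-Content $evidenceLog "$(Get-Date -Format s) FAILED (Win32 error $err) $path"
        }
    }
}
Get-Content $evidenceLog
```

Reboot after it runs so any scheduled deletions are carried out, then confirm with a fresh scan as the reply above asks; the log on the desktop is what to keep if the files need to be reported or compared later.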
