
Infected With Trojan Horse Psw. Online Games 2


  • This topic is locked
7 replies to this topic

#1 Koshi

  • Members
  • 4 posts

Posted 27 March 2008 - 10:46 AM

Hello,
I need help removing this trojan horse from my computer.
Thanks!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:39 PM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Stupid Data Dart Wave] C:\Documents and Settings\All Users\Application Data\flag ace stupid data\Cool locks.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKCU\..\Run: [Ball Fork] C:\DOCUME~1\Lyra\APPLIC~1\CAKELO~1\joyplan.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9536 bytes


#2 Koshi
  • Topic Starter

  • Members
  • 4 posts

Posted 29 March 2008 - 11:00 AM

Please... please help me remove this trojan. I would really appreciate it if someone would reply. :thumbsup:

#3 steamwiz

  • Members
  • 1,039 posts

Posted 29 March 2008 - 11:43 AM

Hi

If you've followed the instructions here :-

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Come back to this thread and Copy & paste any of these logs you have :- ...

1. Housecall log (The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\)

2. Panda Activescan report

3. Bit Defender report

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#4 Koshi
  • Topic Starter

  • Members
  • 4 posts

Posted 30 March 2008 - 06:08 AM

Is this what you're asking for?


BitDefender Online Scanner
Scan report generated at: Sun, Mar 30, 2008 - 16:35:09

Scan path: C:\Documents and Settings\Lyra\My Documents;C:\Documents and Settings\All Users\Documents;C:\;

Statistics
Time: 00:43:11
Files: 180019
Folders: 7214
Boot Sectors: 5
Archives: 3159
Packed Files: 17119

Results
Identified Viruses: 5
Infected Files: 11
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 11

Engines Info
Virus Definitions: 1055321
Engine build: AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins: 15
Archive plugins: 33
Unpack plugins: 6
E-mail plugins: 6
System plugins: 4

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\al8u.com | Infected with: Trojan.PWS.OnlineGames.SSC
C:\al8u.com | Disinfection failed
C:\al8u.com | Deleted
C:\b.bat | Infected with: Packer.Malware.NSAnti.V
C:\b.bat | Disinfection failed
C:\b.bat | Deleted
C:\Documents and Settings\Lyra\Local Settings\Temp\5.dll | Infected with: Packer.Malware.NSAnti.V
C:\Documents and Settings\Lyra\Local Settings\Temp\5.dll | Disinfection failed
C:\Documents and Settings\Lyra\Local Settings\Temp\5.dll | Deleted
C:\Documents and Settings\Lyra\Local Settings\Temp\Rar$EX01.500\BitDownload Setup.exe=>(NSIS o)=>lzma_solid_nsis0006 | Infected with: Trojan.FatObfus.CC
C:\Documents and Settings\Lyra\Local Settings\Temp\Rar$EX01.500\BitDownload Setup.exe=>(NSIS o)=>lzma_solid_nsis0006 | Deleted
C:\Documents and Settings\Lyra\Local Settings\Temp\Rar$EX01.500\BitDownload Setup.exe=>(NSIS o) | Update failed
C:\lg.com | Infected with: Trojan.PWS.OnlineGames.SRL
C:\lg.com | Disinfection failed
C:\lg.com | Deleted
C:\lvhf.cmd | Infected with: Trojan.PWS.OnlineGames.SRL
C:\lvhf.cmd | Disinfection failed
C:\lvhf.cmd | Deleted
C:\ojbss9gv.com | Infected with: Packer.Malware.NSAnti.T
C:\ojbss9gv.com | Disinfection failed
C:\ojbss9gv.com | Deleted
C:\p.bat | Infected with: Trojan.PWS.OnlineGames.SSC
C:\p.bat | Disinfection failed
C:\p.bat | Deleted
C:\ph8at.cmd | Infected with: Packer.Malware.NSAnti.V
C:\ph8at.cmd | Disinfection failed
C:\ph8at.cmd | Deleted
C:\WINDOWS\system32\ieso1.dll | Infected with: Trojan.PWS.OnlineGames.SSC
C:\WINDOWS\system32\ieso1.dll | Disinfection failed
C:\WINDOWS\system32\ieso1.dll | Deleted
C:\WINDOWS\system32\kxvo.exe.vir | Infected with: Trojan.PWS.OnlineGames.SSC
C:\WINDOWS\system32\kxvo.exe.vir | Disinfection failed
C:\WINDOWS\system32\kxvo.exe.vir | Deleted


------------------------

Or do I have to post another HijackThis log?

Thanks so much. :thumbsup:

#5 steamwiz

  • Members
  • 1,039 posts

Posted 30 March 2008 - 05:18 PM

Hi

Yes that's one I wanted ...do you have the Housecall log or Panda Activescan report ?

If you haven't run them yet, that's OK ... we'll do that later ...


You have many different infections ....


when you go to "My computer" can you doubleclick your drives to open them ?


Please download NoLop.exe from one of the links below and save it to your desktop:

First close any other programs you have running as this fix will require a reboot.

Double-click NoLop.exe to run it.

Now click the button labelled Search and Destroy.

Your computer will now be scanned for infected files.

When scanning is finished you will be prompted to reboot only if infected, click OK.

Now click the REBOOT button.

A message should popup from NoLop. If not, double-click the program again and it will finish.
Please Post the contents of C:\NoLop.log along with a fresh HijackThis log.

If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your system32 folder then rerun the program.


NEXT:

Please download fl.zip

http://www.fbeej.ctrlaltdel.dk/Programmer/fl.zip

and save it to your desktop:

Extract the contents to a new folder on your desktop (right-click the zipped folder and select Extract All).

Within the folder, locate and double-click fl.bat.

It should produce a report at c:\findlop.txt.

Post the contents of the report in your next reply

Don't forget to post :-

1. C:\NoLop.log
2. c:\findlop.txt.
3. A new hijackthis log

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#6 Koshi
  • Topic Starter

  • Members
  • 4 posts

Posted 31 March 2008 - 06:40 AM

Hello. I did everything you told me. Here are the logs:


NoLop log:

NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Lyra\Desktop
[3/31/2008]
[7:20:30 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AB015C25902ACF09.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\Administrator\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Apple
C:\Documents and Settings\All Users\Application Data\Apple Computer
C:\Documents and Settings\All Users\Application Data\Avg7
C:\Documents and Settings\All Users\Application Data\Azureus
C:\Documents and Settings\All Users\Application Data\Eset
C:\Documents and Settings\All Users\Application Data\Flag Ace Stupid Data
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Grisoft
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Lavasoft
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Pinnacle
C:\Documents and Settings\All Users\Application Data\Playfirst
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Real -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Skype
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Symantec
C:\Documents and Settings\All Users\Application Data\Temp
C:\Documents and Settings\All Users\Application Data\Trymedia
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\All Users\Application Data\Yahoo!
C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Avg7 -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Lyra\Application Data\Adobe
C:\Documents and Settings\Lyra\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Lyra\Application Data\Apple Computer
C:\Documents and Settings\Lyra\Application Data\Avg7
C:\Documents and Settings\Lyra\Application Data\Azureus
C:\Documents and Settings\Lyra\Application Data\Cake Loud Seek
C:\Documents and Settings\Lyra\Application Data\Cyberlink
C:\Documents and Settings\Lyra\Application Data\Google -- EMPTY Directory
C:\Documents and Settings\Lyra\Application Data\Grisoft
C:\Documents and Settings\Lyra\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Lyra\Application Data\Hp
C:\Documents and Settings\Lyra\Application Data\Identities
C:\Documents and Settings\Lyra\Application Data\Intervideo
C:\Documents and Settings\Lyra\Application Data\Leadertech
C:\Documents and Settings\Lyra\Application Data\Macromedia
C:\Documents and Settings\Lyra\Application Data\Media Player Classic
C:\Documents and Settings\Lyra\Application Data\Microsoft
C:\Documents and Settings\Lyra\Application Data\Mozilla
C:\Documents and Settings\Lyra\Application Data\Playfirst
C:\Documents and Settings\Lyra\Application Data\Real
C:\Documents and Settings\Lyra\Application Data\Skype
C:\Documents and Settings\Lyra\Application Data\Skypepm
C:\Documents and Settings\Lyra\Application Data\Spywarestop
C:\Documents and Settings\Lyra\Application Data\Sun
C:\Documents and Settings\Lyra\Application Data\Symantec
C:\Documents and Settings\Lyra\Application Data\Wildfire
C:\Documents and Settings\Lyra\Application Data\Yahoo!
C:\Documents and Settings\Mama\Application Data\Identities
C:\Documents and Settings\Mama\Application Data\Macromedia
C:\Documents and Settings\Mama\Application Data\Microsoft
C:\Documents and Settings\Mama\Application Data\Mozilla
C:\Documents and Settings\Mama\Application Data\Yahoo!
C:\Documents and Settings\Networkservice\Application Data\Microsoft



--------------------------------------------------------------------------------------------------------
c:\findlop.txt log:

Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\Administrator\Application Data

Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\All Users\Application Data

10/12/2007 09:58 PM <DIR> Adobe
12/24/2007 03:37 PM <DIR> Apple
12/24/2007 03:38 PM <DIR> Apple Computer
03/29/2008 11:01 AM <DIR> avg7
03/04/2008 11:17 PM <DIR> Azureus
10/01/2007 10:56 PM <DIR> Eset
12/09/2007 01:50 PM 32 ezsid.dat
03/04/2008 10:57 PM <DIR> flag ace stupid data
11/22/2007 06:29 PM <DIR> Google
11/22/2007 10:05 PM <DIR> Grisoft
11/18/2007 10:35 AM <DIR> HP
11/18/2007 10:39 AM 1,176 hpzinstall.log
03/26/2008 11:41 PM <DIR> Lavasoft
08/03/2006 08:16 PM <DIR> Pinnacle
07/27/2006 08:32 PM <DIR> PlayFirst
03/21/2008 03:42 PM 3,143 QTSBandwidthCache
05/13/2006 11:38 AM <DIR> QuickTime
02/25/2007 08:48 PM <DIR> Real
12/09/2007 01:35 PM <DIR> Skype
03/27/2008 12:35 AM <DIR> Spybot - Search & Destroy
03/22/2008 08:45 PM <DIR> Symantec
03/31/2008 07:24 PM <DIR> TEMP
07/25/2006 10:41 PM <DIR> Trymedia
11/12/2007 05:33 PM <DIR> Windows Genuine Advantage
11/12/2007 07:02 AM <DIR> yahoo!
03/26/2008 10:17 PM <DIR> Yahoo! Companion
3 File(s) 4,351 bytes
23 Dir(s) 13,373,759,488 bytes free
Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\Lyra\Application Data

01/23/2008 02:54 PM <DIR> Adobe
12/31/2005 07:18 PM <DIR> AdobeUM
02/23/2008 11:49 AM <DIR> Apple Computer
03/31/2008 05:05 PM <DIR> AVG7
03/07/2008 09:29 PM <DIR> Azureus
03/04/2008 10:57 PM <DIR> CAKE LOUD SEEK
02/11/2006 11:22 AM <DIR> CyberLink
11/22/2007 03:21 PM <DIR> Google
11/22/2007 10:06 PM <DIR> Grisoft
12/30/2005 10:09 PM <DIR> Help
11/18/2007 10:37 AM <DIR> HP
12/30/2005 07:58 PM <DIR> Identities
08/03/2006 08:35 PM <DIR> InterVideo
02/06/2007 09:45 PM <DIR> Leadertech
12/31/2005 07:59 PM <DIR> Macromedia
02/27/2007 12:13 PM <DIR> Media Player Classic
12/30/2005 10:33 PM <DIR> Mozilla
07/25/2006 10:41 PM <DIR> PlayFirst
01/09/2008 12:22 PM <DIR> Real
12/29/2007 07:34 AM <DIR> Skype
12/27/2007 11:20 PM <DIR> skypePM
03/27/2008 01:18 AM <DIR> SpywareStop
10/22/2006 03:53 PM <DIR> Sun
02/10/2007 05:22 PM <DIR> Symantec
11/20/2007 06:48 AM 59,198 Update_HP_RedboxHprblog_HPSU.log
01/17/2008 05:58 PM <DIR> Wildfire
03/30/2008 03:44 PM <DIR> Yahoo!
1 File(s) 59,198 bytes
26 Dir(s) 13,373,759,488 bytes free
Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\Mama\Application Data

03/05/2006 09:41 PM <DIR> Identities
03/05/2006 10:20 PM <DIR> Macromedia
03/05/2006 09:43 PM <DIR> Mozilla
03/05/2006 10:27 PM <DIR> Yahoo!
0 File(s) 0 bytes
4 Dir(s) 13,373,759,488 bytes free
Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\Default User\Application Data

12/31/2005 03:35 AM <DIR> .
12/31/2005 03:35 AM <DIR> ..
12/31/2005 03:35 AM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 13,373,759,488 bytes free
Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C is Master Disk
Volume Serial Number is 3486-B77B

Directory of C:\Documents and Settings\NetworkService\Application Data


----------------------------------------------------------------------------------------------------------------------

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:27:56 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAP\DAP.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Stupid Data Dart Wave] C:\Documents and Settings\All Users\Application Data\flag ace stupid data\Cool locks.exe
O4 - HKCU\..\Run: [Performance Center] C:\Program Files\Ascentive\Performance Center\ApcMain.exe -m
O4 - HKCU\..\Run: [Ball Fork] C:\DOCUME~1\Lyra\APPLIC~1\CAKELO~1\joyplan.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search - ?p=ZU
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROPROJ.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.cyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9630 bytes


-----------------------------------------------------------------------------------------------------------------------

You asked me if I can open my drives when I double-click in My Computer. Well, yes, I can open my drives, but sometimes AVG gives me a warning about the Trojan Horse PSW. Online Games 2.
To avoid the warning, I just go to Start, click Run and type in the folder I want to go to.

Thank you. :thumbsup:

#7 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:01:48 PM

Posted 01 April 2008 - 03:09 PM

Hi

Disconnect from the internet. Close ALL browser windows (including this one), run HijackThis and tick to fix (check the box next to) the entries listed below. When all are ticked (checked), click the Fix Checked button at the bottom:

O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\ieso0.dll

O4 - HKLM\..\Run: [Stupid Data Dart Wave] C:\Documents and Settings\All Users\Application Data\flag ace stupid data\Cool locks.exe

O4 - HKCU\..\Run: [Ball Fork] C:\DOCUME~1\Lyra\APPLIC~1\CAKELO~1\joyplan.exe
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe


REBOOT ...

find and delete :-

C:\WINDOWS\system32\ieso0.dll ... file
C:\WINDOWS\system32\kxvo.exe ... file

C:\Documents and Settings\All Users\Application Data\flag ace stupid data ... folder
C:\Documents and Settings\Lyra\Application Data\CAKE LOUD SEEK ... folder

--
You must have already removed part of the infection, or you wouldn't be able to double-click your drives at all. This is a flash drive infection, so any flash drives you have may still have the virus on them, and plugging them in may re-infect you, so you need to clean them as well ...

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives; Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
Please post the log ...

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware
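As an added example (my own code, not HijackThis and not from steamwiz's post), here is a small Python parser for the O2 and O4 lines of a HijackThis log that applies two defender-side heuristics to entries like the ones listed above: an autostart target that lives under a user profile or Application Data folder (long or 8.3 spelling), and a Run value name that bears no relation to the file it launches (e.g. [kxva] launching kxvo.exe). The sample log is constructed from the four entries in this post plus one hypothetical benign entry (Example Vendor\updater.exe); the heuristics, the path markers and the function names (scan_log, flagged, parse_line) are my assumptions, not rules from the thread, and a hit means "look closer", not "malware".

```python
"""Parse the O2/O4 lines of a HijackThis log and flag autostart entries worth a closer look.

Added example for this thread; not HijackThis code and not from the original post.
The heuristics below are my assumptions: a hit means "review this", not "malware".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the four entries steamwiz listed for fixing, plus one
# hypothetical benign entry (Example Vendor\updater.exe) so both outcomes show.
SAMPLE_LOG = """\
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\\WINDOWS\\system32\\ieso0.dll
O4 - HKLM\\..\\Run: [Stupid Data Dart Wave] C:\\Documents and Settings\\All Users\\Application Data\\flag ace stupid data\\Cool locks.exe
O4 - HKCU\\..\\Run: [Ball Fork] C:\\DOCUME~1\\Lyra\\APPLIC~1\\CAKELO~1\\joyplan.exe
O4 - HKCU\\..\\Run: [kxva] C:\\WINDOWS\\system32\\kxvo.exe
O4 - HKLM\\..\\Run: [Example Updater] C:\\Program Files\\Example Vendor\\updater.exe /background
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]*)\] (?P<cmd>.+)$")
# First token of a command line: a quoted path, or everything up to a known extension.
CMD_RE = re.compile(r'^(?P<path>"[^"]+"|.*?\.(?:exe|dll|com|scr|bat|cmd))(?:\s.*)?$', re.I)

# Locations (long and 8.3 spellings) where installers rarely put autostart binaries,
# but where the entries in this thread live. Heuristic, my assumption.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\",
                        "\\application data\\", "\\applic~1\\",
                        "\\local settings\\", "\\locals~1\\")
WINDOWS_DIR_MARKERS = ("\\windows\\", "\\winnt\\")


@dataclass
class Entry:
    section: str                 # "O2" or "O4"
    label: str                   # BHO class name or Run value name
    path: str                    # DLL/EXE path with arguments stripped
    reasons: List[str] = field(default_factory=list)


def _program_path(cmd: str) -> str:
    """Strip arguments such as '/background' from a Run command line."""
    m = CMD_RE.match(cmd.strip())
    return m["path"].strip('"') if m else cmd.strip()


def _stem(path: str) -> str:
    """File name without directory or extension, lower-cased."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()


def _words(s: str) -> List[str]:
    return [w for w in re.findall(r"[a-z0-9]+", s.lower()) if len(w) >= 3]


def _analyse_o2(m) -> Entry:
    e = Entry("O2", m["name"], m["path"].strip())
    if any(mark in e.path.lower() for mark in WINDOWS_DIR_MARKERS):
        e.reasons.append("BHO DLL loads from the Windows directory rather than a vendor folder")
    return e


def _analyse_o4(m) -> Entry:
    e = Entry("O4", m["value"], _program_path(m["cmd"]))
    low = e.path.lower()
    if any(mark in low for mark in USER_PROFILE_MARKERS):
        e.reasons.append("autostart target lives under a user profile / Application Data folder")
    stem = _stem(e.path)
    if _words(e.label) and not any(w in stem for w in _words(e.label)):
        e.reasons.append(f"Run value name '{e.label}' is unrelated to file name '{stem}'")
    return e


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an O2/O4 line, None for any other log line."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        return _analyse_o2(m)
    m = O4_RE.match(line)
    return _analyse_o4(m) if m else None


def scan_log(text: str) -> List[Entry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def flagged(text: str) -> List[Entry]:
    return [e for e in scan_log(text) if e.reasons]


if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(("REVIEW" if e.reasons else "ok    "), e.section, f"[{e.label}]", e.path)
        for r in e.reasons:
            print("        -", r)
```

Run it against a saved hijackthis.log by passing the file contents to scan_log; only the O2 and O4 sections are parsed, other sections are ignored. Both heuristics produce false positives on legitimate software whose value name differs from its binary, so the output is a review list to cross-check against the installed programs, in the same spirit as the manual triage done in this thread.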

#8 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:01:48 PM

Posted 22 June 2008 - 04:34 PM

Due to lack of feedback this topic is now closed.

If the original poster would like it re-opened, please send me a PM with a link to this thread.

cheers

steam
