
Suffering From Trojan.spambot


  • This topic is locked
17 replies to this topic

#1 Eklavya

Eklavya

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 18 July 2008 - 01:41 PM

Hello friends,

My PC is suffering from Trojan.Spambot. As soon as I start the PC, it begins sending spam emails to unidentified email addresses. I came to know about this because I started seeing my Antivirus program (Norton from Symantec) scanning outgoing email messages. Soon my entire desktop area gets filled up with these messages and I cannot work any more. I have disabled the 'scan every outgoing message' checkbox in the Norton options.

Here is the scan report using Deckard's System Scanner:

###################################### Main.txt

Deckard's System Scanner v20071014.68
Run by Home on 2008-07-18 23:53:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
5: 2008-07-18 18:23:56 UTC - RP5 - Deckard's System Scanner Restore Point
4: 2008-07-16 18:19:01 UTC - RP4 - Installed AVG 7.5
3: 2008-07-14 08:55:35 UTC - RP3 - Software Distribution Service 3.0
2: 2008-07-13 16:32:13 UTC - RP2 - System Checkpoint
1: 2008-07-05 18:55:32 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 502 MiB (512 MiB recommended).


-- HijackThis (run as Home.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:55:24 PM, on 7/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\sttray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Home\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Home.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 74.54.90.34 theindianblogger.com
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [{7FDDA133-D598-434B-9C4F-35BB909D2623}] C:\DOCUME~1\Home\LOCALS~1\Temp\GLB58.tmp C:\DOCUME~1\Home\LOCALS~1\Temp\GLF5D.tmp\settings.ini
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Home\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: WordWeb Pro.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0188E17F-B180-48A6-B199-055C219601B5} (DV_GistFontResourcesforWeb Control) - http://www.rajbhasha.gov.in/cab/DVData.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {E85FDB2D-2819-11D4-A59A-00600891E126} (IPlugin Control) - http://www.rajbhasha.gov.in/cab/iPlugin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F86A863-1C92-4059-BF01-41A7270AE467}: NameServer = 59.179.243.70,203.94.243.70
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: awtqoon - awtqoon.dll (file missing)
O20 - Winlogon Notify: winjvl32 - C:\WINDOWS\SYSTEM32\winjvl32.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: BCL easyPDF SDK 5 Loader (bepldr) - Unknown owner - C:\Program Files\Common Files\BCL Technologies\NitroPDF5\bepldr.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Google Desktop Manager 5.6.711.24354 (GoogleDesktopManager-112407-114954) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12716 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Bte48 - c:\windows\system32\drivers\bte48.sys
R1 FDCENT - c:\windows\system32\drivers\fdcent.sys <Not Verified; Silence of Troubles United Company Ltd.; Filter Device for WinNT/2k/XP>
R1 NetworkX - c:\windows\system32\ckldrv.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

S3 tcpsr - c:\windows\system32\drivers\tcpsr.sys (file missing)
S3 usb2vcom (USB Data Cable) - c:\windows\system32\drivers\usb2vcom.sys <Not Verified; USB World; USB Data Cable>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 Crypkey License - crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>
R2 STacSV (SigmaTel Audio Service) - c:\windows\system32\stacsv.exe <Not Verified; SigmaTel, Inc.; C-Major Audio>

S3 bepldr (BCL easyPDF SDK 5 Loader) - "c:\program files\common files\bcl technologies\nitropdf5\bepldr.exe" <Not Verified; ; bepldr Module>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-07-04 20:16:32 528 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Home.job


-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-17 00:50:22 0 dr-h----- C:\$VAULT$.AVG
2008-07-16 23:50:00 0 d-------- C:\Documents and Settings\Home\Application Data\AVG7
2008-07-16 23:49:36 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-07-16 23:49:03 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-07-16 22:45:23 0 d-------- C:\Program Files\CodeStuff
2008-07-16 11:53:35 30848 --a------ C:\WINDOWS\system32\drivers\Bte48.sys
2008-07-14 18:26:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-06 01:54:39 0 d-------- C:\Program Files\Panda Security
2008-07-06 01:22:28 0 d-------- C:\Documents and Settings\Home\Application Data\rhc3nmj0ep7j
2008-07-06 00:25:07 60928 --a------ C:\WINDOWS\system32\blphc7nmj0ep7j.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-07-04 18:22:20 176235 --a------ C:\WINDOWS\system32\Primomonnt.dll
2008-07-04 18:22:17 0 d-------- C:\WINDOWS\PrimoPDF4
2008-07-04 18:22:17 0 d-------- C:\Program Files\activePDF
2008-07-04 15:01:49 0 d-------- C:\WINDOWS\system32\appmgmt
2008-07-03 00:37:55 0 d-------- C:\Program Files\Power Article Rewriter
2008-06-29 16:48:30 0 d-------- C:\WINDOWS\system32\?ü?????
2008-06-29 00:18:46 0 d-------- C:\Documents and Settings\Home\Application Data\WordWeb
2008-06-28 21:50:08 52224 --a------ C:\WINDOWS\system32\Crypserv.exe <Not Verified; Kenonic Controls Ltd.; CrypKey Software Licensing System>
2008-06-28 21:50:08 24608 --a------ C:\WINDOWS\system32\Ckldrv.sys
2008-06-28 21:50:08 27648 -ra------ C:\WINDOWS\Setup_ck.exe
2008-06-28 21:50:08 18432 --a------ C:\WINDOWS\Setup_ck.dll
2008-06-28 21:50:08 11776 --a------ C:\WINDOWS\Ckrfresh.exe
2008-06-28 21:50:08 165888 --a------ C:\WINDOWS\Ckconfig.exe <Not Verified; Kenonic Controls; CKCONFIG Application>
2008-06-28 21:49:41 0 d-------- C:\Program Files\StyleWriter
2008-06-28 21:48:37 0 d-------- C:\Program Files\SR
2008-06-26 01:06:31 0 d-------- C:\Documents and Settings\Home\Application Data\EbkReader


-- Find3M Report ---------------------------------------------------------------

2008-07-18 23:53:11 0 d-------- C:\Documents and Settings\Home\Application Data\Free Download Manager
2008-07-18 11:03:15 32 --a------ C:\Documents and Settings\Home\Application Data\ntl.ini
2008-07-18 10:37:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-18 01:16:19 0 d-------- C:\Program Files\Helper
2008-07-18 01:16:19 0 d-------- C:\Program Files\decomp
2008-07-16 21:11:28 0 d-------- C:\Program Files\Symantec
2008-07-14 18:25:07 0 d-------- C:\Program Files\Yahoo!
2008-07-06 20:34:05 6219 --a------ C:\Documents and Settings\Home\Application Data\PrimoPDFSet.xml
2008-07-04 18:26:55 310 --a------ C:\Documents and Settings\Home\Application Data\APUSet.xml
2008-06-29 00:17:56 0 d-------- C:\Program Files\WordWeb
2008-06-27 23:04:16 0 d-------- C:\Program Files\BrowserBob 4 Professional
2008-06-22 18:58:43 5482 --a----c- C:\WINDOWS\mozver.dat
2008-06-15 15:40:39 0 d-------- C:\Program Files\Google
2008-06-13 15:30:06 1167 --ah----- C:\hpothb07.dat
2008-05-27 22:04:03 0 d-------- C:\Documents and Settings\Home\Application Data\Google
2008-05-24 23:02:22 0 d-------- C:\Documents and Settings\Home\Application Data\ZoomBrowser EX
2008-05-21 22:33:16 231667 --a------ C:\WINDOWS\EasyGifAnimator_Toolbar_Uninstaller_4343.exe <Not Verified; Karlis Blumentals; Easy Gif Animator>
2008-05-21 22:33:16 0 d-------- C:\Program Files\Easy Gif Animator Extension
2008-05-21 22:33:06 0 d-------- C:\Program Files\Easy GIF Animator
2008-05-12 22:17:42 5 --a------ C:\WINDOWS\system32\FL1
2008-04-20 23:40:49 58 --a------ C:\WINDOWS\system32\Anderson Hu_MobysaurusThesaurus_InstallInfo.dat
2008-04-20 19:20:06 668 --a------ C:\Documents and Settings\Home\Application Data\vso_ts_preview.xml
2008-04-20 18:35:23 34 --a------ C:\Documents and Settings\Home\Application Data\pcouffin.log
2008-04-20 18:35:14 47360 --a------ C:\Documents and Settings\Home\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-04-20 18:35:14 1144 --a------ C:\Documents and Settings\Home\Application Data\pcouffin.inf
2008-04-20 18:35:14 7887 --a------ C:\Documents and Settings\Home\Application Data\pcouffin.cat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="sttray.exe" [05/26/2006 08:28 PM C:\WINDOWS\sttray.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [12/30/2007 10:29 PM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [12/30/2007 10:29 PM]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [12/30/2007 10:29 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01/22/2007 10:19 PM]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [12/30/2007 10:29 PM]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [03/12/2007 06:30 PM]
"{7FDDA133-D598-434B-9C4F-35BB909D2623}"="C:\DOCUME~1\Home\LOCALS~1\Temp\GLB58.tmp C:\DOCUME~1\Home\LOCALS~1\Temp\GLF5D.tmp\settings.ini" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [12/30/2007 10:31 PM]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [04/17/2002 10:42 AM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [07/18/2008 10:43 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [12/30/2007 09:17 AM]
"Firewall auto setup"="C:\DOCUME~1\Home\LOCALS~1\Temp\winlogon.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [12/30/2007 09:54 PM]

C:\Documents and Settings\Home\Start Menu\Programs\Startup\
WordWeb Pro.lnk - C:\Program Files\WordWeb\wweb32.exe [10/7/2007 8:48:33 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2/17/2007 10:13:28 PM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DB0B918E-A0A8-482B-8D75-A682816B0C7B}"= C:\WINDOWS\system32\awtqoon.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtqoon]
awtqoon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winjvl32]
winjvl32.dll 02/02/2008 01:48 PM 26624 C:\WINDOWS\system32\winjvl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Bte48.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FDCENT.SYS"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HideFilesAndFolders_S"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lmp50.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HFFSRV]
c:\windows\hffext\hffsrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lphc7nmj0ep7j]
C:\WINDOWS\system32\lphc7nmj0ep7j.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nitro PDF Printer Monitor]
"C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask .exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhc3nmj0ep7j]
C:\Program Files\rhc3nmj0ep7j\rhc3nmj0ep7j.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0fb80274-68d5-11dc-a35d-000f3d77a4e7}]
Auto\command- H:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{85088638-b841-11db-a19e-0019d11934ab}]
AutoRun\command- H:\.\Recycled\Driveinfo.exe
Open\Command- H:\.\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a9f8f391-6b76-11dc-a363-000f3d77a4e7}]
Auto\command- H:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b8b58658-3b94-11dc-a2f3-000f3d77a4e7}]
AutoRun\command- .\Recycled\Driveinfo.exe
Open\Command- .\Recycled\Driveinfo.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fe001c7a-4078-11dd-a59d-000f3d77a4e7}]
AutoRun\command- H:\kinza.exe
explore\Command- H:\kinza.exe
open\Command- H:\kinza.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28681820-917D-11d5-8177-005056FDDA4B}]
rundll32.exe C:\WINDOWS\system32\ShellExt\DafiTech\Cpy2Clip\cpy2clip.dll,CreateUserSettings

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{28ABC5C0-4FCB-11CF-AAX5-81CX1C635612}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\dll32.exe



-- Hosts -----------------------------------------------------------------------

74.54.90.34 theindianblogger.com


-- End of Deckard's System Scanner: finished at 2008-07-18 23:56:46 ------------

#########################################

The extra file (extra.txt) is also attached as an attachment.

#########################################



Please help.

Thanks

Attached Files
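The log above is what a helper reads by eye. As an added example (not part of the thread, and not a tool any poster used), here is a small Python triage pass over HijackThis-style lines that flags the patterns a responder checks first: executables autostarting from a Temp or RECYCLER folder, a core Windows binary name such as winlogon.exe sitting outside %SystemRoot%, Internet Explorer proxied through localhost, a hosts-file override, and Winlogon Notify DLLs (orphaned or otherwise). The sample lines are constructed from the kinds of entries shown in this log; the rule names and severities are this example's own.

```python
"""Added example: triage of HijackThis-style log lines for the autostart and
hook patterns a responder looks for first.  SAMPLE_LOG is constructed from
the kinds of entries shown in the thread; rule names and severity tiers are
this example's own, not from any tool."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample in HijackThis format (a few representative lines).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8081
O1 - Hosts: 74.54.90.34 theindianblogger.com
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [{7FDDA133-D598-434B-9C4F-35BB909D2623}] C:\DOCUME~1\Home\LOCALS~1\Temp\GLB58.tmp C:\DOCUME~1\Home\LOCALS~1\Temp\GLF5D.tmp\settings.ini
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Home\LOCALS~1\Temp\winlogon.exe
O20 - Winlogon Notify: awtqoon - awtqoon.dll (file missing)
O20 - Winlogon Notify: winjvl32 - C:\WINDOWS\SYSTEM32\winjvl32.dll
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # HIGH, MEDIUM or LOW
    rule: str
    line: str


# Core Windows binaries that legitimately live only under %SystemRoot%; a file
# with one of these names starting from a Temp folder is a name masquerade.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "smss.exe", "csrss.exe", "explorer.exe"}

# Nothing legitimate autostarts from a temp or recycle-bin folder.
TRANSIENT_DIR = re.compile(r"\\(?:temp|recycler|recycled)\\", re.IGNORECASE)

# A drive-letter path ending in an executable-ish extension; spaces allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\[\]\"]*?\.(?:exe|dll|sys|scr|tmp)\b",
                     re.IGNORECASE)


def _path_findings(line):
    """Rules that apply to each file path mentioned on the line."""
    for path in PATH_RE.findall(line):
        if TRANSIENT_DIR.search(path):
            yield "HIGH", "autostart-from-transient-location"
        name = PureWindowsPath(path).name.lower()
        if name in SYSTEM_BINARIES and "\\windows\\" not in path.lower():
            yield "HIGH", "system-binary-outside-systemroot"


def _line_findings(line):
    """Rules that apply to the entry type as a whole."""
    if line.startswith("R1 - ") and re.search(r"ProxyServer = 127\.0\.0\.1", line):
        yield "MEDIUM", "browser-proxied-through-localhost"
    elif line.startswith("O1 - Hosts:"):
        yield "MEDIUM", "hosts-file-override"
    elif line.startswith("O20 - Winlogon Notify:"):
        if "(file missing)" in line:
            yield "MEDIUM", "orphaned-winlogon-notify-entry"
        else:
            yield "LOW", "winlogon-notify-dll-verify-publisher"


def triage(log_text):
    """Return Findings for every suspicious line, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        seen = set()   # one finding per rule per line, even if several paths match
        for severity, rule in list(_line_findings(line)) + list(_path_findings(line)):
            if rule not in seen:
                seen.add(rule)
                findings.append(Finding(severity, rule, line))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings.sort(key=lambda f: order[f.severity])   # stable: log order within a tier
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.rule:40} {f.line[:70]}")
```

On the constructed sample the two Temp-folder Run entries and the winlogon.exe masquerade come out as HIGH, the localhost proxy, hosts override and orphaned Notify entry as MEDIUM, and the remaining Notify DLL as LOW for a publisher check; a hit is a reason to look, not a verdict, which is why the expert above still asks for a fuller scan before acting.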





#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 20 July 2008 - 05:57 PM

Hello Eklavya and welcome to BC. That looks kind of interesting. Let's see what else we can find. Follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Now download OTScanIt from here or here to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 Eklavya

Eklavya
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 21 July 2008 - 11:42 AM

Thanks for your reply OldTimer.

As advised by you, I did all the steps and the resulting text file is attached for your kind perusal.

Something more for your information :

While I was waiting for the reply, I did a complete virus scan using AVG 7.5. It cleared a number of viruses but could not solve this problem. Meanwhile, whenever I start my PC, AVG 7.5 gives me a message that it has detected the Trojan horse SpamBot.G while opening the driver C:\WINDOWS\system32\drivers\tcpsr.sys.

I hope this will help you in suggesting the best course of action to me.

Regards

Eklavya

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 21 July 2008 - 04:16 PM

Hi Eklavya. Let's see what we can do. Follow the steps below in order:

First, it appears that there are multiple anti-virus applications running on this computer (AVG and Symantec). Running more than 1 anti-virus application at the same time can cause file access and resource issues and if there is an infection the multiple programs can actually block each other from dealing with the infected file(s). I highly recommend that you choose which application you want to keep and uninstall the other one(s) to prevent these problems.

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
Bte48
tcpsr
Files to delete:
%systemroot%\system32\blphc7nmj0ep7j.scr
%systemroot%\system32\drivers\bte48.sys
%systemroot%\system32\drivers\tcpsr.sys
%systemroot%\system32\phc7nmj0ep7j.bmp
%systemroot%\temp\bn4.tmp
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%appdata%\rhc3nmj0ep7j

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Non-Microsoft Only]
YY -> bn4.tmp -> %SystemRoot%\Temp\BN4.tmp
[Driver Services - Non-Microsoft Only]
YY -> (Bte48) Bte48 [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\Bte48.sys
YY -> (tcpsr) tcpsr [Kernel | On_Demand | Stopped] -> %SystemRoot%\System32\drivers\tcpsr.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> {7FDDA133-D598-434B-9C4F-35BB909D2623} -> %SystemDrive%\DOCUME~1\Home\LOCALS~1\Temp\GLB58.tmp [C:\DOCUME~1\Home\LOCALS~1\Temp\GLB58.tmp C:\DOCUME~1\Home\LOCALS~1\Temp\GLF5D.tmp\settings.ini]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Firewall auto setup -> %SystemDrive%\DOCUME~1\Home\LOCALS~1\Temp\winlogon.exe [C:\DOCUME~1\Home\LOCALS~1\Temp\winlogon.exe]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {DB0B918E-A0A8-482B-8D75-A682816B0C7B} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\awtqoon.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> awtqoon -> 
YN -> winjvl32 -> 
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage -> 1
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\
YN -> {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\ButtonText [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\CLSID [HKEY_LOCAL_MACHINE] -> [{0000031A-0000-0000-C000-000000000046}]
YN -> {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\ClsidExtension [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\Default Visible [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\HotIcon [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\Icon [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.]
YN -> CmdMapping\\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} [HKEY_LOCAL_MACHINE] -> [Reg Error: Value  does not exist or could not be read.]
< User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
YN -> AntivirXP08 -> AntivirXP08
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\win37A.exe -> %SystemRoot%\TEMP\win37A.exe [C:\WINDOWS\TEMP\win37A.exe:*:Enabled:win37A]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\FlashGet\flashget.exe -> %ProgramFiles%\FlashGet\flashget.exe [C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\win17D.exe -> %SystemRoot%\TEMP\win17D.exe [C:\WINDOWS\TEMP\win17D.exe:*:Enabled:win17D]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Google\Google Talk\googletalk.exe -> %ProgramFiles%\Google\Google Talk\googletalk.exe [C:\Program Files\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\c:\win32.exe -> %SystemDrive%\win32.exe [C:\win32.exe:*:Enabled:@xpsp2res.dll,-22005]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Home\wins.exe -> %UserProfile%\wins.exe [C:\Documents and Settings\Home\wins.exe:*:Enabled:@xpsp2res.dll,-22005]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe -> %ProgramFiles%\Yahoo!\Messenger\YahooMessenger.exe [C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe -> %ProgramFiles%\Yahoo!\Messenger\YServer.exe [C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server]
[Files/Folders - Created Within 30 days]
NY -> Bte48.sys -> %SystemRoot%\System32\drivers\Bte48.sys
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> blphc7nmj0ep7j.scr -> %SystemRoot%\System32\blphc7nmj0ep7j.scr
NY -> phc7nmj0ep7j.bmp -> %SystemRoot%\System32\phc7nmj0ep7j.bmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> rhc3nmj0ep7j -> %AppData%\rhc3nmj0ep7j
[Files/Folders - Modified Within 30 days]
NY -> Bte48.sys -> %SystemRoot%\System32\drivers\Bte48.sys
NY -> 3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> blphc7nmj0ep7j.scr -> %SystemRoot%\System32\blphc7nmj0ep7j.scr
NY -> phc7nmj0ep7j.bmp -> %SystemRoot%\System32\phc7nmj0ep7j.bmp
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> rhc3nmj0ep7j -> %AppData%\rhc3nmj0ep7j
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


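A defender-side way to triage the firewall exception entries listed under BotCheck above, as an added example that is not part of the thread or of OTScanIt. It parses values in the `<path>:<scope>:<Enabled|Disabled>:<display name>` form shown in that listing (the field names are my reading of the format) and flags executables registered from the Windows Temp folder, the drive root, or directly inside a user profile; the sample values are constructed from the entries above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample values constructed from the AuthorizedApplications entries in the thread.
SAMPLE_VALUES = [
    r"C:\WINDOWS\TEMP\win37A.exe:*:Enabled:win37A",
    r"C:\Program Files\FlashGet\flashget.exe:*:Enabled:Flashget",
    r"C:\win32.exe:*:Enabled:@xpsp2res.dll,-22005",
    r"C:\Documents and Settings\Home\wins.exe:*:Enabled:@xpsp2res.dll,-22005",
    r"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger",
]

# Assumed layout of each value: "<path>:<scope>:<Enabled|Disabled>:<display name>".
# The path carries its own colon (drive letter), so it is matched non-greedily and the
# remaining three fields are anchored by the literal Enabled/Disabled token.
_ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$"
)

# Locations a legitimately installed application almost never runs from.
_LOCATION_CHECKS: List[Tuple["re.Pattern[str]", str]] = [
    (re.compile(r"^[a-z]:\\windows\\temp\\", re.I), "runs from the Windows Temp folder"),
    (re.compile(r"\\local settings\\temp\\", re.I), "runs from a user Temp folder"),
    (re.compile(r"^[a-z]:\\[^\\]+$", re.I), "sits directly in the drive root"),
    (re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I),
     "sits directly in a user profile folder"),
]


@dataclass
class FirewallException:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_exception(value: str) -> FirewallException:
    """Split one AuthorizedApplications\\List value into its four fields."""
    m = _ENTRY_RE.match(value)
    if not m:
        raise ValueError(f"not a firewall exception value: {value!r}")
    return FirewallException(m["path"], m["scope"], m["state"] == "Enabled", m["name"])


def suspicious_location(path: str) -> Optional[str]:
    """Return the first matching reason, or None when the path looks like a normal install location."""
    for pattern, reason in _LOCATION_CHECKS:
        if pattern.search(path):
            return reason
    return None


def triage(values: List[str]) -> List[Tuple[FirewallException, str]]:
    """Return the enabled exceptions whose executable lives somewhere suspicious."""
    findings = []
    for value in values:
        entry = parse_exception(value)
        reason = suspicious_location(entry.path)
        if reason and entry.enabled:
            findings.append((entry, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_VALUES):
        print(f"{entry.path} ({entry.name}): {reason}")
```

Run against the constructed values, the three Temp/root/profile entries are reported and the FlashGet and Yahoo! Messenger entries are not.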
#5 Eklavya (Topic Starter)

Posted 22 July 2008 - 01:03 PM

Hello OldTimer,

Thanks for your detailed reply. I got stuck on step 1 itself. As advised by you, I ran the Avenger by copy/pasting the above code. However, the reboot did not happen the way you described. Windows failed to start in normal mode even after many reboot attempts. Finally I had to choose the 'Last Known Good Configuration' to start the computer. As a result, it appears that Avenger did not create the log file, as I did not see any in the C: drive.

Since I could not complete the first step, I did not proceed to do the second step.

Further, I am confused as to which AV program I should keep. I have Norton AV 2006 whose subscription ended a long time ago and I have not renewed it. On the other hand I have a fully updated version of AVG 7.5. Kindly advise me which software I should keep on my PC. In the Add/Remove Programs options there are at least 4 entries for NAV whereas there is only one entry for AVG 7.5. This means if I choose to remove NAV, I'll have to run the uninstall four times. Please suggest what I should do.

Regards

Eklavya

#6 OldTimer (Malware Expert)

Posted 22 July 2008 - 01:17 PM

Hi Eklavya. To answer the AV question first, if NAV is not current then it is not doing any good. Uninstall that. I'm also not sure that AVG 7.5 is still supported. Grisoft moved on to AVG 8 so you might want to uninstall the 7.5 version and download/install the 8.0 version.

As for Avenger, try it again and make sure that the entire contents of the codebox are included. The first line should be Drivers to delete: and the last line should be %appdata%\rhc3nmj0ep7j. If any of it is missing it will not work. It also could be caused by the multiple AV's that are installed, so do not run it until one of them is removed.

Cheers.

OT

#7 Eklavya (Topic Starter)

Posted 23 July 2008 - 11:53 AM

Hello OT,

I am unable to perform the steps advised by you. Here is what I have done till now:

First of all, I decided to uninstall Norton AV from my PC. However, when I opened Add/Remove Programs, I found that almost 90% of the programs (Norton included) listed there did not have a Remove/Uninstall button. So I am at a loss as to how I should uninstall it.

Further, since I am unable to uninstall NAV, I went to the NAV options and disabled all automatic scan instructions (like Scan every incoming/outgoing message etc.). Further, I ran Msconfig and in the startup tab I disabled all entries related to NAV. This means that NAV will start on my computer only when I manually start it. Otherwise, it will not run any scanning function on its own.

Then I ran the script as provided by you in the Avenger. However, whenever the system reboots, it fails to start in normal mode. The screen displays something like this:

"We apologize for the inconvenience but windows did not start normally. A recent hardware or software change might have cause this. "

As a result, I had to start Windows using 'Last Known Good Configuration'.

So no avenger.txt in the C: drive.

I am unable to complete the first step itself.

One more thing, as I wrote earlier, whenever I start my PC, AVG 7.5 gives me a message that it has detected the Trojan horse SpamBot.G while opening the driver C:\WINDOWS\system32\drivers\tcpsr.sys.

AVG 7.5 gives me two options: either to heal this or move it to the vault.

Whenever I click on 'heal this' it gives me a message that the trojan is healed successfully. However, when I click on 'Move it to vault' it gives me a message which says something like this: "moving a system file to virus vault may make the operating system unstable. Are you sure?"

As a result I prefer not to choose the 'move to virus vault' option.

Hope this gives you an idea of this nagging problem.

Thanks

#8 OldTimer (Malware Expert)

Posted 23 July 2008 - 12:30 PM

Hi Eklavya. I think that the issues with the reboot could be related to NAV. There are multiple drivers and services that cannot be seen in MSConfig so they cannot be stopped and are loaded when Windows starts. Norton has removal tools for its products when they do not remove properly. Go here and download/run the appropriate tool for whatever version is installed.

Then try the fix again.

Cheers.

OT

#9 Eklavya (Topic Starter)

Posted 23 July 2008 - 01:34 PM

Hello OT,

I did a complete uninstall of NAV using this tool:

ftp://ftp.symantec.com/public/english_us_...emoval_Tool.exe

However, the problem with normal boot still persists. After running that script in Avenger, I am unable to start the computer in normal mode.

Please see what can be done.

#10 Eklavya (Topic Starter)

Posted 23 July 2008 - 01:54 PM

On googling I found that one solution (solved) for getting rid of this problem (spambot.g TCPSR.SYS) is given on this Spanish site here:

http://www.forospyware.com/t180074.html

A Google translation of this page reveals that the solution requires installing and running two programs, viz. SUPERAntiSpyware and Malwarebytes' Anti-Malware.

I am in doubt. Please advise whether I should give this method a try?

#11 OldTimer (Malware Expert)

Posted 23 July 2008 - 02:29 PM

Hi Eklavya. You can certainly try those programs if you want. I don't usually recommend them because they can leave the system unbootable from any mode. I just recently had to repair a machine that someone sent me because the Malwarebytes program left it inoperable and I had to use another operating system to boot the machine up just to repair it. I'll leave that up to you.

Otherwise try this. Rerun Avenger and use the following code instead of the previous one. This one leaves out the drivers and just deletes the files. See what happens with that.

Files to delete:
%systemroot%\system32\blphc7nmj0ep7j.scr
%systemroot%\system32\drivers\bte48.sys
%systemroot%\system32\drivers\tcpsr.sys
%systemroot%\system32\phc7nmj0ep7j.bmp
%systemroot%\temp\bn4.tmp
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%appdata%\rhc3nmj0ep7j

Cheers.

OT

#12 Eklavya (Topic Starter)

Posted 26 July 2008 - 08:34 AM

Hello OT,

I have decided to stick to the solution suggested by you instead of trying some new malware removal program. By using the new code given by you in the last reply I was able to run Avenger.txt. My reply is 2 days late because I could not complete the online virus scan owing to many problems (which include: slow internet connection, shortage of time and breaks during download etc.).

I have done all the steps advised by you. However, I could not scan the computer using the F-Secure Online Scanner. I have scanned it using Kaspersky WebScanner, but here again owing to shortage of time I chose to scan only the critical areas of my computer instead of choosing 'My Computer' as originally advised by you. This critical scan itself took more than 90 minutes.

So here are the requisite logs:

(1) The Avenger Report:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\blphc7nmj0ep7j.scr" deleted successfully.
File "C:\WINDOWS\system32\drivers\bte48.sys" deleted successfully.

Error: file "C:\WINDOWS\system32\drivers\tcpsr.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\tcpsr.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\phc7nmj0ep7j.bmp" deleted successfully.

Error: file "C:\WINDOWS\temp\bn4.tmp" not found!
Deletion of file "C:\WINDOWS\temp\bn4.tmp" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\Documents and Settings\Home\Application Data\rhc3nmj0ep7j" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

___________________________

(2) OTScanIt fix log:

Explorer killed successfully
[Processes - Non-Microsoft Only]
Unable to kill process bn4.tmp .
File C:\WINDOWS\Temp\BN4.tmp not found.
[Driver Services - Non-Microsoft Only]
Unable to stop service Bte48 .
Service Bte48 deleted successfully.
File move failed. C:\WINDOWS\system32\drivers\Bte48.sys scheduled to be moved on reboot.
Service tcpsr stopped successfully.
Service tcpsr deleted successfully.
File C:\WINDOWS\System32\drivers\tcpsr.sys not found.
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{7FDDA133-D598-434B-9C4F-35BB909D2623} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7FDDA133-D598-434B-9C4F-35BB909D2623}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Firewall auto setup deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{DB0B918E-A0A8-482B-8D75-A682816B0C7B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DB0B918E-A0A8-482B-8D75-A682816B0C7B}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtqoon\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjvl32\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispBackgroundPage deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\NoDispScrSavPage deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\ButtonText deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\CLSID deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\ClsidExtension deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\Default Visible deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\HotIcon deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\\Icon deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\\AntivirXP08 deleted successfully.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\win37A.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\FlashGet\flashget.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\TEMP\win17D.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Google\Google Talk\googletalk.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\c:\win32.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Home\wins.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Yahoo!\Messenger\YServer.exe deleted successfully.
[Files/Folders - Created Within 30 days]
File move failed. C:\WINDOWS\System32\drivers\Bte48.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\blphc7nmj0ep7j.scr not found!
File C:\WINDOWS\System32\phc7nmj0ep7j.bmp not found!
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\Home\Application Data\rhc3nmj0ep7j not found!
[Files/Folders - Modified Within 30 days]
File move failed. C:\WINDOWS\System32\drivers\Bte48.sys scheduled to be moved on reboot.
File C:\WINDOWS\System32\blphc7nmj0ep7j.scr not found!
File C:\WINDOWS\System32\phc7nmj0ep7j.bmp not found!
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\Home\Application Data\rhc3nmj0ep7j not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Opera cache emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.16.2 fix logfile created on 07242008_211650

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\Bte48.sys scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.

___________________________________

(3) Online Virus Scan report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, July 25, 2008 16:18:29
Records in database: 1008024
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Home\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 56964
Threat name: 4
Infected objects: 25
Suspicious objects: 0
Duration of the scan: 01:06:56


File name / Threat name / Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\DocumentStore\docs\mobile\samples-ringtones\audio-arpeggio.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\DocumentStore\docs\mobile\samples-ringtones\audio-basic.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\DocumentStore\docs\mobile\samples-ringtones\audio-bell.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\DocumentStore\docs\mobile\samples-ringtones\audio-birds.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\DocumentStore\docs\mobile\samples-ringtones\audio-harp.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MMS\MMSAlbum\Media\Card\nightout01\mms-loop2.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MMS\MMSAlbum\Media\Sound\mms-loop1.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MMS\MMSAlbum\Media\Sound\mms-loop2.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Hewlett-Packard\Memories Disc\audio\American Folk.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Classic Rock.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Hearts and Flowers.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Swing.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\copycd.wmv Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\mdlib.wmv Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\nuskin.wmv Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\rtuner.wmv Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\viz.wmv Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\system32\acluisss.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\adfactryv.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\adptifv.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\appmgrvb.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\ATHPRXYa.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\oobe\images\title.wma Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\Temp\BN14.tmp Infected: Trojan-Dropper.Win32.Agent.ule 1

The selected area was scanned.

___________________________________________________________

(4) The new OTScanIt log is attached:


Regards

Eklavya
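A small parser for the Kaspersky report format pasted above, added here as an example and not part of the thread or of Kaspersky's tooling. It pulls the "path Infected: threat count" lines into a list, cross-checks them against the report's own "Infected objects" total (an easy way to notice a truncated paste), and groups hits by threat name and by directory; the split into on-disk entries and entries without a drive letter (the svchost.exe line) is this example's own heuristic. The SAMPLE_LOG is constructed to mirror the report's layout so it runs offline.

```python
"""Summarise a Kaspersky Online Scanner result list in the layout pasted above.

Added example, not part of the thread. SAMPLE_LOG is constructed to mirror
the page's "<path> Infected: <threat> <count>" lines and the
"Infected objects:" statistic so the parser can be run offline; the
memory-vs-disk split below is this example's own heuristic.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the layout of the Kaspersky report on the page.
SAMPLE_LOG = r"""Scan statistics:
Files scanned: 56964
Threat name: 4
Infected objects: 5
Suspicious objects: 0

File name / Threat name / Threats count
svchost.exe\svchost.exe/svchost.exe\svchost.exe Infected: Trojan.Win32.Agent.ady 1
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Swing.mp3 Infected: Trojan-Downloader.WMA.GetCodec.d 1
C:\WINDOWS\system32\acluisss.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\system32\adfactryv.dll Infected: Trojan-Downloader.Win32.Small.vob 1
C:\WINDOWS\Temp\BN14.tmp Infected: Trojan-Dropper.Win32.Agent.ule 1

The selected area was scanned.
"""

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
STAT_RE = re.compile(r"^Infected objects: (\d+)$", re.MULTILINE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")


def parse_scan_log(text):
    """Return [(path, threat, count), ...] for every detection line in the report."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("threat"), int(m.group("count"))))
    return hits


def is_complete(text, hits):
    """True when the report's own 'Infected objects' total matches the lines present
    (a quick way to spot a truncated paste); None if the statistic is absent."""
    m = STAT_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)) == sum(count for _, _, count in hits)


def summarise(hits):
    """Group detections by threat name and by directory, and set aside entries
    without a drive letter (no on-disk location, e.g. the svchost.exe line)."""
    by_threat = Counter()
    by_dir = defaultdict(list)
    in_memory = []
    for path, threat, count in hits:
        by_threat[threat] += count
        if DRIVE_RE.match(path):
            directory, _, name = path.rpartition("\\")
            by_dir[directory].append((name, threat))
        else:
            in_memory.append((path, threat))
    return {"by_threat": dict(by_threat), "by_dir": dict(by_dir), "in_memory": in_memory}


if __name__ == "__main__":
    found = parse_scan_log(SAMPLE_LOG)
    print("complete paste:", is_complete(SAMPLE_LOG, found))
    report = summarise(found)
    for threat, n in sorted(report["by_threat"].items()):
        print("%-45s %d" % (threat, n))
    for directory, files in sorted(report["by_dir"].items()):
        print(directory, [name for name, _ in files])
    print("detections without a disk path:", report["in_memory"])
```

Grouping by directory is what makes a long list like the one above readable at a glance: the media files under Program Files all carry the same content signature, while the system32 DLLs and the Temp dropper are the entries a responder would look at first.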

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 26 July 2008 - 11:51 AM

Hi Eklavya. The new OTScanIt scan log is missing. Can you attach that?

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#14 Eklavya

Eklavya
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:02:51 PM

Posted 27 July 2008 - 11:29 AM

Hello OT,

Here is the new OTScanIt file.

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  • Gender:Male
  • Location:North Carolina
  • Local time:03:51 PM

Posted 27 July 2008 - 02:51 PM

Hi Eklavya. Just a few left-over files to take care of. Follow the steps below in order:

Step #1

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\system32\drivers\bte48.sys
%systemroot%\system32\drivers\bzjunr.sys
%systemroot%\system32\drivers\crbewjf.sys
%systemroot%\system32\drivers\scyirl.sys
%systemroot%\system32\drivers\tcpsr.sys

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\{C4069E3A-68F1-403E-B40E-20066696354B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Created Within 30 days]
NY -> Bte48.sys -> %SystemRoot%\System32\drivers\Bte48.sys
NY -> bzjunr.sys -> %SystemRoot%\System32\drivers\bzjunr.sys
NY -> crbewjf.sys -> %SystemRoot%\System32\drivers\crbewjf.sys
NY -> scyirl.sys -> %SystemRoot%\System32\drivers\scyirl.sys
NY -> tcpsr.sys -> %SystemRoot%\System32\drivers\tcpsr.sys
[Files/Folders - Modified Within 30 days]
NY -> Bte48.sys -> %SystemRoot%\System32\drivers\Bte48.sys
NY -> bzjunr.sys -> %SystemRoot%\System32\drivers\bzjunr.sys
NY -> crbewjf.sys -> %SystemRoot%\System32\drivers\crbewjf.sys
NY -> scyirl.sys -> %SystemRoot%\System32\drivers\scyirl.sys
NY -> tcpsr.sys -> %SystemRoot%\System32\drivers\tcpsr.sys
[Extra Files]
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\DocumentStore\docs\mobile\samples-ringtones\
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MMS\MMSAlbum\Media\Card\nightout01\mms-loop2.mp3 
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MMS\MMSAlbum\Media\Sound\mms-loop1.mp3 
C:\Program Files\Adobe\Adobe GoLive CS2\Settings\MMS\MMSAlbum\Media\Sound\mms-loop2.mp3 
C:\Program Files\Hewlett-Packard\Memories Disc\audio\American Folk.mp3
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Classic Rock.mp3
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Hearts and Flowers.mp3
C:\Program Files\Hewlett-Packard\Memories Disc\audio\Swing.mp3
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\copycd.wmv
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\mdlib.wmv
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\nuskin.wmv
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\rtuner.wmv
C:\WINDOWS\Help\Tours\WindowsMediaPlayer\Video\viz.wmv
C:\WINDOWS\system32\acluisss.dll
C:\WINDOWS\system32\adfactryv.dll
C:\WINDOWS\system32\adptifv.dll
C:\WINDOWS\system32\appmgrvb.dll
C:\WINDOWS\system32\ATHPRXYa.dll
C:\WINDOWS\system32\oobe\images\title.wma
C:\WINDOWS\Temp\BN14.tmp
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available, otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • Just keep the default options. Do not change any settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer
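A check a responder would want after Step #1 and before posting the Avenger log: confirm the listed driver files are really gone, and if one is still there, record its hash so it can be reported or included in a second fix. The script below is an added example, not part of the thread and not part of The Avenger itself. It parses the "Files to delete:" layout shown in Step #1 (a header ending in ":" followed by one path per line, with %systemroot%-style variables), expands the variables from a mapping you supply, and maps each path to None (gone) or its SHA-256 (still present). demo() builds a throwaway directory tree with one constructed leftover; nothing here touches the real Windows directory. The reuse of the Step #1 paths as parser input is the only page-specific data; the leftover file content is constructed.

```python
"""Verify that the files named in an Avenger "Files to delete:" script are gone.

Added example, not part of the thread or of The Avenger itself. The script
text is the one from Step #1; the leftover created by demo() is constructed.
"""
import hashlib
import os
import re
import tempfile

# The script from Step #1, reused verbatim as parser input.
SAMPLE_SCRIPT = r"""
Files to delete:
%systemroot%\system32\drivers\bte48.sys
%systemroot%\system32\drivers\bzjunr.sys
%systemroot%\system32\drivers\crbewjf.sys
%systemroot%\system32\drivers\scyirl.sys
%systemroot%\system32\drivers\tcpsr.sys
"""

VAR_RE = re.compile(r"%([^%]+)%")


def parse_avenger_script(text):
    """Return {section: [entries]} for a script in The Avenger's layout.

    Any line ending in ":" starts a new section (e.g. "Files to delete",
    "Drivers to Unload"); non-empty lines after it belong to that section.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def expand(path, env):
    """Expand %name% variables case-insensitively from env; unknown names raise."""
    lookup = {k.lower(): v for k, v in env.items()}

    def sub(match):
        key = match.group(1).lower()
        if key not in lookup:
            raise KeyError("unknown variable %%%s%% in %s" % (match.group(1), path))
        return lookup[key]

    return VAR_RE.sub(sub, path)


def sha256_of(path):
    """Hash a file in chunks so a large leftover is not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_deleted(script_text, env):
    """Map each expanded 'Files to delete' path to None (gone) or its SHA-256 (still present)."""
    entries = parse_avenger_script(script_text).get("Files to delete", [])
    result = {}
    for entry in entries:
        # Backslashes are rewritten to the host separator so the check also
        # runs on a non-Windows box against a copied directory tree.
        full = expand(entry, env).replace("\\", os.sep)
        result[full] = sha256_of(full) if os.path.isfile(full) else None
    return result


def demo():
    """Construct a fake %systemroot% with one leftover driver and verify against it."""
    root = tempfile.mkdtemp(prefix="avenger-demo-")
    drivers = os.path.join(root, "system32", "drivers")
    os.makedirs(drivers)
    with open(os.path.join(drivers, "bte48.sys"), "wb") as fh:
        fh.write(b"constructed placeholder, not a real driver\n")
    return verify_deleted(SAMPLE_SCRIPT, {"systemroot": root})


if __name__ == "__main__":
    for path, digest in demo().items():
        print("STILL PRESENT %s sha256=%s" % (path, digest) if digest else "gone %s" % path)
```

On the real machine you would call verify_deleted with {"systemroot": os.environ["SystemRoot"]} after the reboot; a non-None entry means The Avenger could not remove that file (often because a driver was still loaded), which is exactly the case the "Drivers to Unload" section and the second restart exist for.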
