Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Riskware Trojan.generic & riskware worm.P2P.Generic

  • This topic is locked This topic is locked
3 replies to this topic

#1 mablefable


  • Members
  • 4 posts
  • Local time:02:32 PM

Posted 08 January 2009 - 02:18 PM

Hi. I am hoping you may be able to help. I was using Youruninstaller (which I now think was infected) to uninstall a programme. I noticed the CPU usage and processor were working overtime. I did a scan with Spyware Doctor and it detected Email-worm.Zhelatin which I removed and thought I was in the clear.

I then tried to uninstall Youruninstaller with Revo Uninstaller. When doing this Kaspersky internet security quarantined riskware Trojan.generic.

I did another Spyware doctor scan which detected no further virsuses. However, the processor is still working overtime and often spikes, making the computer slow. Also, I cannot install new programmes without getting a error message.

What should I do to restore the system? I have deleted TEMP and TIF files and enabled Show Hidden Files & Folders. Thank you for any help.

Here is my DSS report

DDS (Ver_09-01-07.01) - NTFSx86
Run by Family at 18:40:26.73 on 08/01/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1790.1181 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Free Download Manager\fdm.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Acer Arcade Live\Acer HomeMedia Connect\Kernel\DMS\CLMSServer.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup

============== Pseudo HJT Report ===============

uStart Page = hxxp://uk.yahoo.com/
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vp32&d=1008&m=aspire_m3201
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0809&s=1&o=vp32&d=1008&m=aspire_m3201
mDefault_Page_URL = hxxp://en.us.acer.yahoo.com
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Free Download Manager] c:\program files\free download manager\fdm.exe -autorun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [DU Meter] c:\program files\du meter\DUMeter.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [PCMMediaSharing] c:\program files\acer arcade live\acer homemedia connect\kernel\dms\PCMMediaSharing.exe
mRun: [WarReg_PopUp] c:\program files\acer\wr_popup\WarReg_PopUp.exe
mRun: [AVP] "c:\program files\kaspersky internet security 2009\avp.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Banner Ad Blocker - c:\program files\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Notify: klogon - c:\windows\system32\klogon.dll
AppInit_DLLs: c:\progra~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kloehk.dll,c:\progra~1\kasper~1\mzvkbd3.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\family\appdata\roaming\mozilla\firefox\profiles\4zlp0vfc.default\
FF - prefs.js: browser.startup.homepage - www.google.co.uk
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll

============= SERVICES / DRIVERS ===============

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-1-29 32784]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\drivers\klim6.sys [2008-7-9 20496]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-3-13 26640]
R4 Acer HomeMedia Connect Service;Acer HomeMedia Connect Service;c:\program files\acer arcade live\acer homemedia connect\kernel\dms\CLMSServer.exe [2008-10-7 269448]
R4 DUMeterSvc;DU Meter Service;c:\program files\du meter\DUMeterSvc.exe [2009-1-7 1386008]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-6 356920]
S3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2005-10-27 30464]
S3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2005-10-27 12672]

=============== Created Last 30 ================

2009-01-07 22:04 <DIR> --d----- c:\program files\Vstplugins
2009-01-07 22:04 <DIR> --d----- c:\program files\Sony
2009-01-07 20:24 <DIR> --d----- c:\program files\Your Uninstaller 2008
2009-01-07 13:46 <DIR> --d----- c:\programdata\NCH Swift Sound
2009-01-07 13:34 <DIR> --d----- c:\program files\DU Meter
2009-01-07 13:29 <DIR> --d----- c:\programdata\Hagel Technologies
2009-01-07 13:29 <DIR> --d----- c:\progra~2\Hagel Technologies
2009-01-07 09:27 <DIR> --d----- c:\program files\Trend Micro
2009-01-07 01:03 <DIR> --d----- c:\program files\common files\SWF Studio
2009-01-07 00:58 <DIR> --d----- c:\programdata\Spybot - Search & Destroy
2009-01-07 00:58 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-07 00:58 <DIR> --d----- c:\progra~2\Spybot - Search & Destroy
2009-01-06 23:25 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-01-06 23:25 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-01-06 23:25 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-01-06 23:25 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-01-06 23:24 <DIR> --d----- c:\users\family\appdata\roaming\PC Tools
2009-01-06 23:24 <DIR> --d----- c:\program files\Spyware Doctor
2009-01-06 22:54 <DIR> --d----- c:\program files\VS Revo Group
2009-01-06 20:46 <DIR> --d----- c:\windows\Profiles
2009-01-06 20:30 <DIR> --d----- c:\users\family\appdata\roaming\URSoft
2009-01-06 20:08 <DIR> --d----- c:\users\family\appdata\roaming\Malwarebytes
2009-01-06 20:08 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 20:08 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 20:08 <DIR> --d----- c:\programdata\Malwarebytes
2009-01-06 20:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 20:08 <DIR> --d----- c:\progra~2\Malwarebytes
2009-01-05 13:31 <DIR> --d----- c:\program files\NCH Swift Sound
2009-01-05 10:25 <DIR> --d----- c:\programdata\Soulseek
2009-01-05 10:25 <DIR> --d----- c:\progra~2\Soulseek
2009-01-05 10:01 <DIR> --d----- c:\program files\SoulseekNS
2009-01-04 22:30 <DIR> --d----- c:\program files\Torrent Harvester
2009-01-04 18:19 <DIR> --d----- c:\programdata\WinZip
2009-01-04 18:04 <DIR> --d----- c:\windows\WinRAR
2009-01-04 17:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-04 17:31 <DIR> --d----- c:\users\family\appdata\roaming\Ashampoo
2009-01-04 17:27 <DIR> --d----- c:\programdata\ashampoo
2009-01-04 17:27 <DIR> --d----- c:\progra~2\ashampoo
2009-01-04 17:27 <DIR> --d----- c:\program files\Ashampoo
2009-01-03 18:18 <DIR> --d----- c:\users\family\appdata\roaming\Free Download Manager
2009-01-03 18:18 <DIR> --d----- c:\program files\Free Download Manager
2009-01-03 17:55 <DIR> --d----- c:\users\family\appdata\roaming\GrabPro
2009-01-03 17:50 <DIR> --d----- c:\programdata\Kaspersky Lab Setup Files
2009-01-03 17:50 <DIR> --d----- c:\progra~2\Kaspersky Lab Setup Files
2009-01-03 17:31 96,976 a------- c:\windows\system32\drivers\klin.dat
2009-01-03 17:31 87,855 a------- c:\windows\system32\drivers\klick.dat
2009-01-03 17:30 3,784,736 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-03 17:30 434,208 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-01-03 17:30 35,888 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-01-03 17:30 4,660 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-01-03 17:30 <DIR> --d----- c:\programdata\Kaspersky Lab
2009-01-03 17:30 <DIR> --d----- c:\program files\Kaspersky Internet Security 2009
2009-01-03 17:30 <DIR> --d----- c:\progra~2\Kaspersky Lab
2009-01-03 16:03 <DIR> a-d----- c:\programdata\TEMP
2009-01-03 15:35 <DIR> --d----- c:\windows\PCHEALTH
2009-01-03 14:37 <DIR> --d----- c:\users\family\Option
2009-01-03 14:36 101,856 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-01-03 14:11 <DIR> --d----- c:\program files\Defraggler
2009-01-03 13:59 <DIR> --d----- c:\users\family\appdata\roaming\Foxit
2009-01-03 13:59 <DIR> --d----- c:\program files\Foxit Software
2009-01-03 13:58 <DIR> --dsh--- c:\users\family\appdata\roaming\.#
2009-01-03 13:52 1,383,424 a------- c:\windows\system32\mshtml.tlb
2009-01-03 13:43 2,048 a------- c:\windows\system32\tzres.dll
2009-01-03 13:40 <DIR> --d----- c:\program files\uTorrent
2009-01-03 13:40 <DIR> --d----- c:\users\family\appdata\roaming\uTorrent
2009-01-03 13:36 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-03 13:32 827,392 a------- c:\windows\system32\wininet.dll
2009-01-03 13:31 2,927,104 a------- c:\windows\explorer.exe
2009-01-03 13:31 296,960 a------- c:\windows\system32\gdi32.dll
2009-01-03 13:31 361,984 a------- c:\windows\system32\IPSECSVC.DLL
2009-01-03 13:31 12,240,896 a------- c:\windows\system32\NlsLexicons0007.dll
2009-01-03 13:31 2,644,480 a------- c:\windows\system32\NlsLexicons0009.dll
2009-01-03 13:31 801,280 a------- c:\windows\system32\NaturalLanguage6.dll
2009-01-03 13:29 28,672 a------- c:\windows\system32\Apphlpdm.dll
2009-01-03 13:29 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2009-01-03 13:27 36,864 a------- c:\windows\system32\cdd.dll
2009-01-03 13:27 <DIR> --d----- c:\users\family\appdata\roaming\eSobi
2009-01-03 13:26 738,304 a------- c:\windows\system32\inetcomm.dll
2009-01-03 13:26 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2009-01-03 13:26 288,768 a------- c:\windows\system32\drivers\srv.sys
2009-01-03 13:26 147,456 a------- c:\windows\system32\Faultrep.dll
2009-01-03 13:26 125,952 a------- c:\windows\system32\wersvc.dll
2009-01-03 13:26 303,616 a------- c:\windows\system32\wmpeffects.dll
2009-01-03 13:26 1,645,568 a------- c:\windows\system32\connect.dll
2009-01-03 13:23 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2009-01-03 13:23 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2009-01-03 13:15 1,334,272 a------- c:\windows\system32\msxml6.dll
2009-01-03 13:06 1,524,736 a------- c:\windows\system32\wucltux.dll
2009-01-03 13:06 <DIR> --d----- C:\SiteAdvisor
2009-01-03 13:06 83,456 a------- c:\windows\system32\wudriver.dll
2009-01-03 13:06 162,064 a------- c:\windows\system32\wuwebv.dll
2009-01-03 13:06 31,232 a------- c:\windows\system32\wuapp.exe
2009-01-03 12:56 <DIR> --d----- c:\programdata\Google
2009-01-03 12:55 <DIR> --d----- C:\ACERSW
2009-01-03 12:55 <DIR> --d----- c:\users\family\appdata\roaming\Acer GameZone Console
2009-01-03 12:55 <DIR> --d----- c:\users\Family

==================== Find3M ====================

2009-01-04 13:39 86,016 a------- c:\windows\inf\infstrng.dat
2009-01-04 13:39 51,200 a------- c:\windows\inf\infpub.dat
2009-01-04 13:39 86,016 a------- c:\windows\inf\infstor.dat
2008-11-11 20:00 218,376 a------- c:\windows\system32\klogon.dll
2008-11-11 19:58 25,601 a------- c:\windows\system32\drivers\klopp.dat
2008-11-06 22:38 416,768 a------- c:\program files\poddox.exe
2008-11-01 03:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-11-01 03:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-11-01 03:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-11-01 03:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-11-01 03:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-07 11:33 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 02:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:41:29.68 ===============

Attached Files

BC AdBot (Login to Remove)


#2 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:10:32 AM

Posted 22 January 2009 - 03:37 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma. I appologize for the delay in getting you help.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out thier hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

It has been a while since you posted your log, if you still want help could you please post a new one?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

#3 mablefable

  • Topic Starter

  • Members
  • 4 posts
  • Local time:02:32 PM

Posted 23 January 2009 - 03:25 PM

Hello Hoov,
Thank you for your reply. I have managed to solve the problems on my computer since I posted a request for help. Thank you for getting back and your offer help. It is most appreciated.
Kind regards,

#4 Hoov


  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan
  • Local time:10:32 AM

Posted 24 January 2009 - 05:17 PM

You are welcome! If you need help again, just come on back.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

Posted Image

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users