
I need help in deleting Trojan virus

#1 Antonija

  • Members

Posted 18 July 2009 - 07:38 AM

I have a Trojan virus that I can't delete. Every time I start the computer, my anti-virus finds the Trojan and I delete and disinfect it, but after that I must restart my computer and it just continues all over again. I deleted the infected files, but there are new ones all the time in just one folder and I can't delete that folder. My friend told me about ComboFix and I did everything, so here is my log; please, if anyone knows how, tell me how to delete this virus.
P.S. I don't know, there might be more viruses...

ComboFix 09-07-14.08 - Antonija 07/18/2009 13:57.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.134 [GMT 2:00]
Running from: c:\documents and settings\Antonija\Desktop\ComboFix\ComboFix\ComboFix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Antonija\LOCALS~1\Temp\417.exe
c:\documents and settings\Antonija\Application Data\bcrypt.html
c:\documents and settings\Antonija\Local Settings\Temp\417.exe
c:\recycler\S-1-5-21-0243336031-4052116379-881863308-0851
c:\recycler\S-1-5-21-6307522035-8137552411-964272357-7604
c:\recycler\S-1-5-21-6307522035-8137552411-964272357-7604\winmap32.exe
c:\windows\system32\msssc.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-18 11:18 . 2009-07-18 11:18 -------- d--h--w- c:\windows\PIF
2009-07-17 16:11 . 2009-07-17 16:11 -------- d-----w- c:\documents and settings\Antonija\Local Settings\Application Data\Identities
2009-07-17 16:06 . 2007-10-23 07:27 110592 ----a-w- c:\documents and settings\Antonija\Application Data\U3\temp\cleanup.exe
2009-07-17 16:01 . 2008-05-02 08:41 3493888 ---ha-w- c:\documents and settings\Antonija\Application Data\U3\temp\Launchpad Removal.exe
2009-07-17 16:01 . 2009-07-17 16:06 -------- d-----w- c:\documents and settings\Antonija\Application Data\U3
2009-07-17 01:46 . 2009-07-17 01:46 -------- d-----w- c:\program files\Microsoft
2009-07-17 01:46 . 2009-07-17 01:46 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-17 00:32 . 2009-07-17 00:32 -------- d-----w- c:\documents and settings\Antonija\Local Settings\Application Data\Electronic Arts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 12:08 . 2009-07-16 15:57 1430048 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-18 12:08 . 2009-07-16 15:57 82976 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-07-18 12:07 . 2009-07-16 15:57 23264 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-18 12:07 . 2009-07-16 15:57 10892 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-07-18 11:11 . 2009-07-16 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-07-18 00:20 . 2009-07-16 16:46 -------- d-----w- c:\documents and settings\Antonija\Application Data\Skype
2009-07-18 00:15 . 2009-07-16 17:02 -------- d-----w- c:\documents and settings\Antonija\Application Data\skypePM
2009-07-17 15:30 . 2009-07-16 15:19 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-07-17 01:46 . 2009-07-16 15:56 64176 ----a-w- c:\documents and settings\Antonija\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 01:46 . 2009-07-16 16:34 -------- d-----w- c:\program files\Windows Live
2009-07-16 17:45 . 2009-07-16 17:45 -------- d-----w- c:\program files\Electronic Arts
2009-07-16 17:27 . 2009-07-16 17:27 -------- d-----w- c:\program files\Common Files\Windows Live
2009-07-16 17:16 . 2009-07-16 17:15 1244648 ----a-w- c:\documents and settings\Antonija\Application Data\MSNInstaller\msnauins.exe
2009-07-16 17:15 . 2009-07-16 17:15 -------- d-----w- c:\documents and settings\Antonija\Application Data\MSNInstaller
2009-07-16 17:02 . 2009-07-16 17:02 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-07-16 16:56 . 2007-10-31 11:41 112144 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-07-16 16:56 . 2009-07-16 15:58 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-07-16 16:56 . 2009-07-16 15:58 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-07-16 16:56 . 2009-07-16 16:56 25104 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\ushata.dll
2009-07-16 16:56 . 2009-07-16 16:56 112144 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\X86\kl1.sys
2009-07-16 16:56 . 2009-07-16 16:56 772624 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\updater.dll
2009-07-16 16:56 . 2009-07-16 16:56 -------- d-----w- c:\program files\VIA
2009-07-16 16:56 . 2009-07-16 16:56 150032 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\diffs.dll
2009-07-16 16:56 . 2009-07-16 16:56 354832 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP7\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav6\7.0.1.321\ckahum.dll
2009-07-16 16:55 . 2009-07-16 15:28 -------- d-----w- c:\program files\Common Files\InstallShield
2009-07-16 16:53 . 2009-07-16 16:53 -------- d-----w- c:\program files\Analog Devices
2009-07-16 16:53 . 2009-07-16 15:29 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-16 16:45 . 2009-07-16 16:42 -------- d-----r- c:\program files\Skype
2009-07-16 16:42 . 2009-07-16 16:42 -------- d-----w- c:\program files\Common Files\Skype
2009-07-16 16:42 . 2009-07-16 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-07-16 16:32 . 2009-07-16 16:32 -------- d-----w- c:\program files\NeroInstall.bak
2009-07-16 16:31 . 2009-07-16 16:30 -------- d-----w- c:\program files\The KMPlayer
2009-07-16 16:30 . 2009-07-16 16:30 -------- d-----w- c:\documents and settings\Antonija\Application Data\Nero
2009-07-16 16:28 . 2009-07-16 16:25 -------- d-----w- c:\program files\Common Files\Nero
2009-07-16 16:25 . 2009-07-16 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Nero
2009-07-16 16:25 . 2009-07-16 16:25 -------- d-----w- c:\program files\Nero
2009-07-16 16:06 . 2009-07-16 16:06 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-16 16:04 . 2009-07-16 16:02 -------- d-----w- c:\program files\Canon
2009-07-16 15:57 . 2009-07-16 15:57 -------- d-----w- c:\program files\Kaspersky Lab
2009-07-16 15:55 . 2009-07-16 15:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-07-16 15:50 . 2009-07-16 15:50 0 ----a-w- c:\windows\nsreg.dat
2009-07-16 15:37 . 2009-07-16 15:37 -------- d-----w- c:\program files\Common Files\L&H
2009-07-16 15:37 . 2009-07-16 15:37 -------- d-----w- c:\program files\Microsoft.NET
2009-07-16 15:36 . 2009-07-16 15:36 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-16 15:35 . 2009-07-16 15:35 -------- d-----w- c:\program files\Microsoft Works
2009-07-16 15:31 . 2009-07-16 15:31 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
2009-07-16 15:21 . 2009-07-16 15:21 -------- d-----w- c:\program files\microsoft frontpage
2009-07-16 15:17 . 2009-07-16 15:17 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-06-24 13:26 . 2009-07-16 15:50 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-10-29 4620288]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-10-29 86016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-10-29 921600]

c:\documents and settings\All Users\Start Menu\Programs\Startup
VIA RAID TOOL.lnk - c:\program files\VIA\RAID\raid_tool.exe [2009-7-16 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"%windir%\system32\sessmgr.exe"=
"c:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 7.0.1.325\English\setup.exe"=
"c:\WINDOWS\system32\CNAB4RPK.EXE"=
"c:\Program Files\Windows Live\Messenger\msnmsgr.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Program Files\Skype\Phone\Skype.exe"=

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [7/16/2009 6:56 PM 77056]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [12/13/2007 1:28 PM 24592]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Antonija\Application Data\Mozilla\Firefox\Profiles\x104fshn.default
FF - prefs.js: browser.startup.homepage - google.com
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 14:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\windows\system32\klogon.dll

- - - - - - - > 'lsass.exe'(1004)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\dnsq.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll

- - - - - - - > 'explorer.exe'(2576)
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\miscr3.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\fssync.dll
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\scrchpg.dll
c:\windows\system32\msi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\IoctlSvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Nero\Lib\NMIndexingService.exe
c:\windows\system32\CNAB4RPK.EXE
.
**************************************************************************
.
Completion time: 2009-07-18 14:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-18 12:11

Pre-Run: 27,027,468,288 bytes free
Post-Run: 26,976,915,456 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Oh, I just saw what type of Trojan it was:
Trojan-GameThief.Win32.OnlineGames.bmml

Merged posts. ~ OB

Edited by Orange Blossom, 24 July 2009 - 07:45 PM.



#2 thcbytes

  • Malware Response Team

Posted 28 July 2009 - 08:41 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review them and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE