
Trojan Horse Adload_r.AKC


  • This topic is locked
2 replies to this topic

#1 brian8723

  • Members
  • 4 posts

Posted 02 September 2010 - 03:50 PM

Hi, I have been having problems with my computer for a month now. My IT guy has tried to fix my problem but he was unsuccessful. It first started when I began getting pop-up boxes every few minutes saying that Explore.exe was not working properly. My Internet Explorer then did not work. We tried in Safe Mode to do a System Restore but there were no system restore dates available. My IT guy then disabled Internet Explorer because we could not seem to uninstall IE. Then I recently noticed that every once in a while on Firefox my browser gets hijacked to some advertisement sites. I downloaded a 30-day trial of AVG, which expired yesterday and which found 6 Trojan Horse Adload_r.AKC instances. AVG could only remove 3 of the 6.

Just noticed Adaware has blocked 205.252.166.169 (port: 80).

Can anyone help me out???
Thanks!

Here is my log
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 4/23/2009 11:09:06 AM
System Uptime: 9/2/2010 8:59:22 AM (8 hours ago)

Motherboard: Hewlett-Packard | | 0968h
Processor: Intel® Pentium® 4 CPU 3.20GHz | XU1 PROCESSOR | 3192/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 50.797 GiB free.
D: is CDROM ()
E: is CDROM ()
H: is NetworkDisk (NTFS) - 650 GiB total, 574.548 GiB free.
L: is NetworkDisk (NTFS) - 650 GiB total, 574.548 GiB free.
N: is NetworkDisk (NTFS) - 650 GiB total, 574.548 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP426: 6/5/2010 5:32:05 AM - System Checkpoint
RP427: 6/6/2010 6:32:05 AM - System Checkpoint
RP428: 6/7/2010 7:32:05 AM - System Checkpoint
RP429: 6/8/2010 12:15:38 PM - System Checkpoint
RP430: 6/9/2010 12:32:03 PM - System Checkpoint
RP431: 6/10/2010 2:23:21 PM - System Checkpoint
RP432: 6/14/2010 12:18:43 AM - System Checkpoint
RP433: 6/15/2010 12:20:19 AM - System Checkpoint
RP434: 6/16/2010 1:20:19 AM - System Checkpoint
RP435: 6/17/2010 2:20:18 AM - System Checkpoint
RP436: 6/18/2010 3:20:20 AM - System Checkpoint
RP437: 6/19/2010 4:20:18 AM - System Checkpoint
RP438: 6/20/2010 5:20:17 AM - System Checkpoint
RP439: 6/21/2010 6:20:17 AM - System Checkpoint
RP440: 6/22/2010 7:20:17 AM - System Checkpoint
RP441: 6/23/2010 12:21:22 PM - System Checkpoint
RP442: 6/24/2010 1:20:23 PM - System Checkpoint
RP443: 6/25/2010 4:10:30 PM - System Checkpoint
RP444: 6/26/2010 4:20:22 PM - System Checkpoint
RP445: 6/27/2010 5:20:21 PM - System Checkpoint
RP446: 6/28/2010 6:20:21 PM - System Checkpoint
RP447: 6/29/2010 7:20:22 PM - System Checkpoint
RP448: 6/30/2010 8:20:22 PM - System Checkpoint
RP449: 7/1/2010 8:53:55 PM - System Checkpoint
RP450: 7/6/2010 11:54:11 AM - System Checkpoint
RP451: 7/7/2010 12:02:54 PM - System Checkpoint
RP452: 7/8/2010 12:15:31 PM - System Checkpoint
RP453: 8/3/2010 3:46:11 PM - Installed SLOW-PCfighter.
RP454: 8/3/2010 3:46:16 PM - SLOW-PCfighter Backup
RP455: 7/10/2010 10:02:56 AM - System Checkpoint
RP456: 7/11/2010 11:03:05 AM - System Checkpoint
RP457: 7/12/2010 1:05:38 PM - System Checkpoint
RP458: 7/13/2010 5:15:06 PM - System Checkpoint
RP459: 7/14/2010 5:15:59 PM - System Checkpoint
RP460: 8/3/2010 3:45:50 PM - Removed SLOW-PCfighter.
RP461: 7/16/2010 8:53:42 AM - System Checkpoint
RP462: 7/17/2010 9:53:41 AM - System Checkpoint
RP463: 7/18/2010 10:53:39 AM - System Checkpoint
RP464: 7/19/2010 12:18:21 PM - System Checkpoint
RP465: 7/20/2010 12:53:38 PM - System Checkpoint
RP466: 7/21/2010 1:53:38 PM - System Checkpoint
RP467: 7/22/2010 3:09:13 PM - System Checkpoint
RP468: 7/23/2010 5:15:03 PM - System Checkpoint
RP469: 7/24/2010 5:53:39 PM - System Checkpoint
RP470: 7/25/2010 6:53:36 PM - System Checkpoint
RP471: 7/26/2010 3:54:04 PM - Restore Operation
RP472: 7/27/2010 4:59:09 PM - System Checkpoint
RP473: 7/28/2010 5:41:38 PM - System Checkpoint
RP474: 7/29/2010 6:04:07 PM - System Checkpoint
RP475: 8/2/2010 8:15:50 AM - Installed Windows XP KB915865.
RP476: 8/2/2010 8:16:19 AM - Installed Windows NLSDownlevelMapping.
RP477: 8/2/2010 8:16:45 AM - Installed Windows IDNMitigationAPIs.
RP478: 8/2/2010 8:17:24 AM - Installed Windows Internet Explorer 7.
RP479: 8/2/2010 12:27:32 PM - Restore Operation
RP480: 8/3/2010 12:33:08 PM - Restore Operation
RP481: 8/3/2010 12:36:07 PM - Restore Operation
RP482: 8/3/2010 12:39:08 PM - Restore Operation
RP483: 8/4/2010 9:20:20 AM - Avg Update
RP484: 8/4/2010 3:50:01 PM - Installed Time Zone Data Update Tool for Microsoft Office Outlook
RP485: 8/5/2010 5:14:04 PM - System Checkpoint
RP486: 8/6/2010 4:17:47 PM - Installed HiJackThis
RP487: 8/7/2010 4:47:36 PM - System Checkpoint
RP488: 8/8/2010 5:47:57 PM - System Checkpoint
RP489: 8/9/2010 6:47:38 PM - System Checkpoint
RP490: 8/10/2010 7:37:22 PM - System Checkpoint
RP491: 8/12/2010 10:11:20 AM - System Checkpoint
RP492: 8/13/2010 12:16:51 PM - System Checkpoint
RP493: 8/16/2010 12:19:20 PM - System Checkpoint
RP494: 8/17/2010 12:53:10 PM - System Checkpoint
RP495: 8/18/2010 4:58:31 PM - System Checkpoint
RP496: 8/20/2010 12:25:04 PM - System Checkpoint
RP497: 8/23/2010 12:15:37 PM - System Checkpoint
RP498: 8/24/2010 12:50:49 PM - System Checkpoint
RP499: 8/25/2010 2:29:39 PM - System Checkpoint
RP500: 8/26/2010 5:14:08 PM - System Checkpoint
RP501: 8/27/2010 5:15:27 PM - System Checkpoint
RP502: 8/28/2010 5:40:19 PM - System Checkpoint
RP503: 8/29/2010 5:43:03 PM - System Checkpoint
RP504: 8/30/2010 5:54:10 PM - System Checkpoint
RP505: 8/31/2010 2:17:07 PM - august31, 2010
RP506: 9/1/2010 5:15:38 PM - System Checkpoint
RP507: 9/2/2010 8:48:47 AM - Removed AVG 9.0
RP508: 9/2/2010 9:06:56 AM - Avg Update

==== Installed Programs ======================


ACT!
Adobe Acrobat 9 Pro
Adobe Acrobat 9.3.4 - CPSID_83708
Adobe Flash Player 10 Plugin
AVG 9.0
Broadcom NetXtreme Ethernet Controller
CardMinder V3.0
CCleaner
Compatibility Pack for the 2007 Office system
Google Chrome
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Windows XP (KB954550-v5)
Intel® Graphics Media Accelerator Driver
iSEEK AnswerWorks English Runtime
Java™ 6 Update 15
LightScribe System Software 1.10.27.1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.8)
Nero 7 Essentials
neroxml
PC Playback v2.0(003)
Pop-Up Stopper Free Edition
QuickTime
ScanSnap Manager
ScanSnap Organizer
ScanSoft OmniPage 16
ScanSoft PaperPort 11
SoundMAX
SPAMfighter
Spybot - Search & Destroy
Time Zone Data Update Tool for Microsoft Office Outlook
TurboTax 2009
TurboTax 2009 WinPerFedFormset
TurboTax 2009 WinPerReleaseEngine
TurboTax 2009 WinPerTaxSupport
TurboTax 2009 wnjiper
TurboTax 2009 wpaiper
TurboTax 2009 wrapper
USB2.0 Graphics Card (Trigger) 9.01.0217.0146
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Free Edition 4.1.3
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format Runtime
WinRAR archiver

==== Event Viewer Messages From Past Week ========

9/1/2010 9:23:26 AM, error: Service Control Manager [7034] - The VNC Server Version 4 service terminated unexpectedly. It has done this 1 time(s).
9/1/2010 9:02:24 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
9/1/2010 1:44:45 PM, error: Service Control Manager [7034] - The FLEXnet Licensing Service service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:03 PM, error: Service Control Manager [7034] - The SoundMAX Agent Service service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:03 PM, error: Service Control Manager [7034] - The LightScribeService Direct Disc Labeling Service service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:03 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:03 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:01 PM, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:01 PM, error: Service Control Manager [7034] - The AVG9IDSAgent service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:01 PM, error: Service Control Manager [7034] - The AVG Firewall service terminated unexpectedly. It has done this 1 time(s).
8/31/2010 2:26:01 PM, error: Service Control Manager [7031] - The AVG WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
8/31/2010 12:02:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
8/31/2010 12:02:06 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm
8/31/2010 12:02:04 PM, error: NETLOGON [5719] - No Domain Controller is available for domain KIMANDWRIGHT due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
8/27/2010 8:59:05 AM, error: Service Control Manager [7034] - The WebClient service terminated unexpectedly. It has done this 1 time(s).
8/27/2010 8:59:05 AM, error: Service Control Manager [7034] - The TCP/IP NetBIOS Helper service terminated unexpectedly. It has done this 1 time(s).
8/27/2010 8:59:05 AM, error: Service Control Manager [7034] - The SSDP Discovery Service service terminated unexpectedly. It has done this 1 time(s).
8/27/2010 8:59:05 AM, error: Service Control Manager [7031] - The Remote Registry service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
8/27/2010 8:59:01 AM, error: Service Control Manager [7034] - The Machine Debug Manager service terminated unexpectedly. It has done this 1 time(s).
8/27/2010 8:59:01 AM, error: Service Control Manager [7031] - The Lavasoft Ad-Aware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 5000 milliseconds: Restart the service.
8/27/2010 8:58:44 AM, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
8/27/2010 8:58:43 AM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).
8/27/2010 11:57:50 AM, error: BROWSER [8009] - The browser was unable to promote itself to master browser. The computer that currently believes it is the master browser is KWSERVER.
8/27/2010 11:36:33 AM, error: NetBT [4311] - Initialization failed because the driver device could not be created.
8/27/2010 11:36:33 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
8/27/2010 11:36:33 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
8/27/2010 11:08:13 AM, error: BROWSER [8019] - The browser was unable to promote itself to master browser. The browser will continue to attempt to promote itself to the master browser, but will no longer log any events in the event log in Event Viewer.
8/26/2010 9:21:23 AM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.




#2 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 11 September 2010 - 07:00 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Please also continue to work with me until I give you the all clear. Even if your computer appears to act better, you may still be infected.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Once we start working together, please reply back within 3 days or this thread may be closed so we can help others who are waiting.

We need to create an OTL report:
  • Please download OTL from this link.
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in:

    netsvcs
    msconfig
    drivers32 /all
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\system32\*.sys /90
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\*. /mp /s
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32
    ahcix86s.sys
    nvrd32.sys
    user32.dll
    ws2_32.dll
    /md5stop
    %systemroot%\*. /mp /s
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    CREATERESTOREPOINT

  • Click the Quick Scan button.
  • The scan should take a few minutes.
  • Please copy and paste both logs in your reply.

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new OTL log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


In your reply, please post both OTL logs and the GMER log.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
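The /md5start ... /md5stop block in the OTL custom scan above makes OTL list MD5 hashes of the named system files, so the helper can compare them against known-good values: a driver or DLL that has been patched by a rootkit shows a different hash from the clean one. The script below is an added example of that same integrity check, not part of this thread and not OTL's code. It hashes files with both MD5 and SHA-256 from the Python standard library, compares them to a baseline of expected SHA-256 values and reports each file as ok, modified or missing. The demo() function builds a constructed scenario in a temporary directory, with a file named after one of the drivers in the list being altered after the baseline is taken; the directory layout, file contents and function names are all assumptions.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, reading it in chunks."""
    md5 = hashlib.md5()
    sha = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()


def check_against_baseline(directory, baseline):
    """baseline maps file name -> expected SHA-256 hex digest.
    Returns {name: 'ok' | 'modified' | 'missing'} for every baseline entry."""
    results = {}
    for name, expected in baseline.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        _, sha = file_digests(path)
        results[name] = "ok" if sha == expected else "modified"
    return results


def demo():
    """Constructed scenario: three files named after entries in the OTL list are
    baselined, then one is altered and one baseline entry has no file at all."""
    with tempfile.TemporaryDirectory() as d:
        contents = {
            "atapi.sys": b"constructed atapi driver bytes",
            "user32.dll": b"constructed user32 bytes",
            "ws2_32.dll": b"constructed ws2_32 bytes",
        }
        for name, data in contents.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        # Baseline = SHA-256 of the files as first seen (a real baseline would
        # come from a clean reference system or vendor-published hashes).
        baseline = {name: file_digests(os.path.join(d, name))[1] for name in contents}
        # Baseline entry for a file this machine does not have.
        baseline["nvstor.sys"] = hashlib.sha256(b"constructed reference nvstor").hexdigest()
        # Simulate a modified driver by appending two bytes after baselining.
        with open(os.path.join(d, "atapi.sys"), "ab") as fh:
            fh.write(b"\x00\x00")
        return check_against_baseline(d, baseline)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{name:12s} {status}")
```

The comparison is done on SHA-256 because MD5 is no longer collision resistant; the MD5 digest is still computed so the output can be matched against hash lists published in MD5 form, as OTL reports them. "missing" is reported separately from "modified" because a baseline file that is absent (or a file present that the baseline lacks) is a different finding from a changed one.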
 


#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 16 September 2010 - 06:51 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

