
Backdoor.haxdoor.ie


This topic is locked
17 replies to this topic

#1 Mishiroro (Members, 13 posts)

Posted 25 April 2006 - 04:00 PM

Hello. I'm using Windows XP Professional, and I'm pretty sure that I have the Backdoor.Haxdoor.ie trojan/virus. I have tried unsuccessfully to get rid of it and would now like some assistance in removing it. I believe it is preventing me from running or using certain programs.

Here is my latest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:41:30 PM, on 25/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINDOWS\update\updmgr.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{B094B410-CB48-44A2-B338-7C69F9FF9FE8}: NameServer = 206.47.244.51 206.47.244.110
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVyZ2lhbg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Microsoft Windows Validation Service (Windows Validation Service) - Unknown owner - C:\WINDOWS\devldr32.exe (file missing)
O23 - Service: wins(WINS) (wins) - Unknown owner - C:\WINDOWS\system32\winscntrl.exe (file missing)


I also have an ewido security suite report as well if it's needed.


#2 Rawe (Members, 2,363 posts, Finland)

Posted 26 April 2006 - 12:13 PM

Hello and welcome. :thumbsup: And yes, you have a Haxdoor infection.

Please download Haxfix.exe:
  • Save it to your desktop.
  • Double-click on haxfix.exe to install haxfix. (standard installation path is C:\Program Files\haxfix)
  • Checkmark "Create a desktop icon".
  • Click "Next".
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
  • Click "Finish".
  • A red "dos window" (dos box) will open.
  • Select option 1. Make logfile by typing 1 and then pressing Enter.
  • Haxfix will start scanning the computer. When it is finished a logfile will open.
  • Copy the contents of that logfile and paste it into this thread.

Hi there, stranger!
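The diagnosis in the reply above rests on the O20 and O23 lines of the HijackThis log in the first post: services with "Unknown owner", binaries that are "(file missing)", a service registered under a core Windows name such as lsass, and executables living outside System32 or Program Files. The following Python script is an added example, not part of this thread and not HijackThis or Haxfix code; it applies those same checks to O23 service and O4 Run lines. The trusted-directory list, the core-process name list and the sample log lines are assumptions constructed for the example.

```python
"""Triage O23 (service) and O4 (Run key) lines from a HijackThis log.

Added example, not a BleepingComputer or HijackThis tool. The directory
list, core-process names and scoring rules are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]+)\) - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]+)\] (?P<cmd>.+)$"
)

# Assumption: where services and startup programs normally live on an XP box
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")
# Assumption: core Windows process names that malware borrows for its services
CORE_NAMES = {"lsass", "csrss", "smss", "svchost", "services", "winlogon", "spoolsv"}

# Constructed sample in HijackThis v1.99.1 format (mix of clean and rogue entries)
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Microsoft Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{placeholder-guid}: NameServer = 192.0.2.1
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVyZ2lhbg\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def _exe_of(cmd):
    """First token of a Run value: a quoted path, or the text up to the first space."""
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def _in_trusted_dir(path):
    low = path.lower()
    if "\\" not in low:  # bare name such as RUNDLL32.EXE resolves via PATH (system32)
        return True
    return low.startswith(TRUSTED_DIRS)


def service_reasons(m):
    """Reasons an O23 match deserves a closer look (empty list means nothing odd)."""
    reasons = []
    if m["owner"] == "Unknown owner":
        reasons.append("no vendor in the binary's version info")
    if m["missing"]:
        reasons.append("service still registered but its binary is gone")
    if m["name"].lower() in CORE_NAMES:
        reasons.append(f"service name '{m['name']}' mimics a core Windows process")
    if not _in_trusted_dir(m["path"]):
        reasons.append(f"binary outside standard directories: {m['path']}")
    return reasons


def run_reasons(m):
    """Reasons an O4 match deserves a closer look."""
    exe = _exe_of(m["cmd"])
    if not _in_trusted_dir(exe):
        return [f"startup program outside standard directories: {exe}"]
    return []


def triage(log_text):
    """Return one Finding per O23/O4 line that has at least one reason; other lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O23_RE.match(line):
            reasons = service_reasons(m)
        elif m := O4_RE.match(line):
            reasons = run_reasons(m)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

On the constructed sample the script flags the three unknown-owner services and the Run entry under C:\WINDOWS\update, and leaves the NVIDIA service, the rundll32 entry and MSN Messenger alone. The checks are heuristics: a vendor string can be forged and a missing file can be a leftover from a normal uninstall, so each hit is a prompt to inspect the binary, not a verdict.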

#3 Mishiroro (Topic Starter, 13 posts)

Posted 26 April 2006 - 01:52 PM

Thank you very much. Here is the logfile:

HAXFIX logfile - by Marckie
--------------
version 2.31
26/04/2006 14:49:40.04

checking for ps.a3d....
ps.a3d is present!

checking for p2s2.a3d....
p2s2.a3d not found

checking for matching notify keys....
matching notify keys found
xptp

checking for matching services....
matching services found
xptptt
xptpmm

checking for matching safeboot services....
matching safeboot services found
xptptt.sys
xptpmm.sys

#4 Rawe (Members, 2,363 posts, Finland)

Posted 27 April 2006 - 08:31 AM

Option 3 Manual fix:
  • Open the following folder: C:\Program Files\Haxfix\
  • Double-click on Fix.bat.
  • Close all other open windows since this step requires a reboot.
  • Select option 3. Run manual fix by typing 3 and then pressing Enter.
This message will appear:

echo Insert the haxdoorkey,
and then press Enter:

  • Type the following: xptp
    When this is a valid choice, the key will be added to delete.
  • There is the possibility to add a new key: Yes (type Y) or No (type N).
    Followed by this message:

    Haxdoorkey xptp added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:

  • Type N for No and press Enter
  • The computer will reboot
  • After reboot a logfile will open > (c:\haxfix.txt)
  • Post the contents of the logfile together with a new HijackThis log. :thumbsup:


#5 Mishiroro (Topic Starter, 13 posts)

Posted 27 April 2006 - 05:03 PM

Ok. I don't think the haxfix log saved after the reboot because all that is on the log is this:

HAXFIX logfile - by Marckie
--------------
version 2.31
27/04/2006 16:12:58.51

Manual Haxdoorfix

Adding haxdoorkeys to delete...




However, here is the hijackthis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 4:21:06 PM, on 27/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVyZ2lhbg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Network Security Service (lsass) - Unknown owner - C:\WINDOWS\system\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe
O23 - Service: Microsoft Windows Validation Service (Windows Validation Service) - Unknown owner - C:\WINDOWS\devldr32.exe (file missing)
O23 - Service: wins(WINS) (wins) - Unknown owner - C:\WINDOWS\system32\winscntrl.exe (file missing)


I'm not sure what happened to the logfile, but everything seems to be working now. Thanks for the help. :thumbsup:

#6 Rawe (Members, 2,363 posts, Finland)

Posted 28 April 2006 - 06:43 AM

Not quite clean yet, I'm afraid.

Click Start -> Run and type in:

services.msc

Click "OK".

In the services window find these services (one at a time):
  • Windows Update Manager
  • wins(WINS)
  • Microsoft Windows Validation Service
  • Windows Network Security Service


Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok" (for each service at-a-time). Exit the Services utility.

==

Now let's delete them:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete an NT service"
  • Copy and paste this in: wins
  • Click "no", then put in each of the following services for deletion:
    • lsass
    • UpdateManager
    • Windows Validation Service
  • When you get to the last one, hit "OK" on the prompt and reboot.
==

After reboot, install anti-virus software:

Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

==

Finally post back with a fresh HijackThis log. :thumbsup:

#7 Mishiroro (Topic Starter, 13 posts)

Posted 28 April 2006 - 04:22 PM

Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 5:19:14 PM, on 28/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\update\updmgr.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager] C:\WINDOWS\update\updmgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{B094B410-CB48-44A2-B338-7C69F9FF9FE8}: NameServer = 206.47.244.51 206.47.244.110
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QmVyZ2lhbg\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe

#8 Rawe (Members, 2,363 posts, Finland)

Posted 29 April 2006 - 03:20 AM

That does look better :thumbsup:

==

Please run a scan with HijackThis and check the following object for removal:

O4 - HKLM\..\Run: [Microsoft ® Windows Update Manager] C:\WINDOWS\update\updmgr.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Click Start -> Run and type in:

services.msc

Click "OK".

In the services window find service; Windows Update Manager

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.

==

Then delete it:
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete an NT service"
  • Copy and paste this in: UpdateManager
  • Click "ok", then reboot
==

Please download delcmdservice (by Marckie), and save it to your Desktop.
  • Unzip the content to your Desktop (a folder named delcmdservice)
Don't do anything with it yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Once in Safe Mode, delete this file if present:

C:\WINDOWS\update\updmgr.exe

Empty recycle bin.

==

Run delcmdservice:
  • Double-click on the delcmdservice folder
  • Double-click on delreg.bat to launch the tool
  • When the tool has finished, please reboot your computer into Normal Windows.
==

Post back with a fresh HijackThis log. :flowers:

#9 Mishiroro (Topic Starter, 13 posts)

Posted 29 April 2006 - 06:12 PM

Logfile of HijackThis v1.99.1
Scan saved at 7:09:58 PM, on 29/04/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{B094B410-CB48-44A2-B338-7C69F9FF9FE8}: NameServer = 206.47.244.51 206.47.244.110
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Update Manager (UpdateManager) - Unknown owner - C:\WINDOWS\update\updmgr.exe (file missing)

#10 Rawe (Members, 2,363 posts, Finland)

Posted 30 April 2006 - 08:32 AM

Are you doing everything exactly as I ask you to? :thumbsup:

Go ahead and delete HaxFix.

Seems like we need to get around one service differently.

==

Please copy the following text in the quotebox below (starting from @echo off..) to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat to your desktop.

@echo off
sc stop "Windows Update Manager"
sc delete UpdateManager


Double-click on Removeservice.bat. A window will pop up and close. This is normal. Please reboot.

==

Post back with a fresh HijackThis log and do this:

Please download and save Blacklight to your desktop:
  • Double-click blbeta.exe.
  • Accept the agreement.
  • Click Scan.
  • Click Next.
You'll see a list of all items found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there. :flowers:

#11 Mishiroro (Topic Starter, 13 posts)

Posted 01 May 2006 - 01:49 PM

05/01/06 14:46:06 [Info]: BlackLight Engine 1.0.36 initialized
05/01/06 14:46:06 [Info]: OS: 5.1 build 2600 (Service Pack 1)
05/01/06 14:46:06 [Note]: 7019 4
05/01/06 14:46:06 [Note]: 7005 0
05/01/06 14:46:09 [Note]: 7006 0
05/01/06 14:46:09 [Note]: 7011 264
05/01/06 14:46:09 [Note]: 7026 0
05/01/06 14:46:09 [Note]: 7026 0
05/01/06 14:46:11 [Note]: FSRAW library version 1.7.1015
05/01/06 14:47:00 [Note]: 7007 0



Logfile of HijackThis v1.99.1
Scan saved at 2:47:55 PM, on 01/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{B094B410-CB48-44A2-B338-7C69F9FF9FE8}: NameServer = 206.47.244.51 206.47.244.110
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#12 Rawe (Members, 2,363 posts, Finland)

Posted 02 May 2006 - 01:41 AM

Well finally! :thumbsup:

Now to check what's left, if anything. Go ahead and delete BlackLight.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.


#13 Mishiroro (Topic Starter, 13 posts)

Posted 02 May 2006 - 02:15 PM

Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\progra~1\sstem~1\spoolsv.exe
Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Adware:adware/purityscan Not disinfected c:\windows\system32\wtssvtr.exe
Adware:adware/secure32 Not disinfected c:\program files\secure32.html
Adware:adware/vog Not disinfected c:\program files\internet explorer\winbrume.dat
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Mishiroro\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/dollarrevenue Not disinfected c:\windows\teller2.chk
Adware:adware/deskwizz Not disinfected c:\windows\dh.ini
Adware:adware/maxifiles Not disinfected c:\program files\common files\InetGet
Adware:adware/popper Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Adware:adware/gimmy Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\xqpocrdm.dll
Adware:Adware/CommAd Not disinfected C:\WINDOWS\Temp\cmdinst.exe
Adware:Adware/Sqwire Not disinfected C:\WINDOWS\Temp\tsinstall_4_0_4_0_b4.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\Temp\u13.tmp
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Temp\!update.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\QmVyZ2lhbg\kApVtZ51v0.vbs
Adware:Adware/SearchAid Not disinfected C:\WINDOWS\uninstall_nmon.vbs
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\l2mfix\Process.exe
Adware:Adware/Vog Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\PLLNU36E\waiutedyxj[1].txt
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MIO2XI3T\installer[2].exe
Adware:Adware/Yazzle Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z4UWBVVA\SnowballWarsInstaller[1].exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z4UWBVVA\!update-3720[1].0000
Adware:Adware/Vog Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z4UWBVVA\hweqcb[1].txt
Spyware:Cookie/WinFixer Not disinfected C:\Documents and Settings\Bergiann\Local Settings\Temp\Cookies\bergiann@winfixer[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bergiann\Desktop\lilypad\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bergiann\Desktop\lilypad\l2mfix.exe[l2mfix/Process.exe]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bergiann\Cookies\bergiann@atdmt[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Bergiann\Cookies\bergiann@doubleclick[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Bergiann\Application Data\Mozilla\Firefox\Profiles\gp0xlkwf.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Bergiann\Application Data\Mozilla\Firefox\Profiles\gp0xlkwf.default\cookies.txt[.2o7.net/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Bergiann\Application Data\Mozilla\Firefox\Profiles\gp0xlkwf.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bergiann\Application Data\Mozilla\Firefox\Profiles\gp0xlkwf.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Bergiann\Application Data\Mozilla\Firefox\Profiles\gp0xlkwf.default\cookies.txt[.mediaplex.com/]

#14 Rawe (Members, 2,363 posts, Finland)

Posted 03 May 2006 - 07:50 AM

Not much left. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download and run this uninstaller:

OiUninstaller.exe

Then delete this folder if present:

C:\Program Files\PurityScan

==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

==

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract Avenger.exe to your desktop.
2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
c:\windows\system32\atmtd.dll
c:\windows\system32\tsuninst.exe
c:\windows\system32\wtssvtr.exe
c:\program files\secure32.html
c:\program files\internet explorer\winbrume.dat
c:\windows\teller2.chk
c:\windows\dh.ini
C:\WINDOWS\system32\i
C:\WINDOWS\system32\xqpocrdm.dll
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\pf78.exe

Folders to delete:
C:\WINDOWS\QmVyZ2lhbg\
c:\program files\common files\InetGet


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to the notepad file into this window
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • Restarts your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it briefly opens a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply. :flowers:
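The Avenger script in the reply above is built by hand from the ActiveScan report posted before it: entries that live only in the registry, tracking cookies and files inside temporary folders are set aside, and what remains is a list of on-disk files and folders. The Python script below is an added example, not Panda's, Avenger's or the thread's own code; it parses the report's "Incident Status Location" lines and performs that kind of grouping. The classification rules, the handling of "archive[member]" locations and the sample lines are assumptions for illustration, and the result is a list for a human to review, not a deletion script.

```python
"""Group a Panda ActiveScan text report by where each incident lives.

Added example, not Panda or BleepingComputer code. Classification rules
are assumptions chosen for illustration.
"""
import re
from collections import Counter

# One report row: "<category>:<name> <status> <location>"; the status word is the delimiter
LINE_RE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>.+?) (?P<status>Not disinfected|Disinfected) (?P<location>.+)$"
)

# Constructed sample in the report's layout (user names and profile dirs are placeholders)
SAMPLE_REPORT = r"""Incident Status Location

Adware:Adware/PurityScan Not disinfected c:\windows\system32\wtssvtr.exe
Adware:adware/popper Not disinfected Windows Registry
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\Temp\u13.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\x.default\cookies.txt[.mediaplex.com/]
Adware:Adware/CommAd Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MIO2XI3T\installer[2].exe
"""


def parse(report):
    """Return one dict per incident row; header and blank lines do not match and are skipped."""
    rows = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(row):
    """Bucket a row by where it lives: registry, cookie, cache (temp folders) or file."""
    loc = row["location"]
    low = loc.lower()
    if loc == "Windows Registry":
        return "registry"
    if row["name"].lower().startswith("cookie/"):
        return "cookie"
    if "\\temporary internet files\\" in low or "\\temp\\" in low:
        return "cache"
    return "file"


def container_path(location):
    """'archive[member]' rows point at the container file; plain paths are returned unchanged."""
    if location.endswith("]") and "[" in location:
        return location.rsplit("[", 1)[0]
    return location


def summarize(report):
    """Count rows per bucket."""
    return Counter(classify(r) for r in parse(report))


def files_for_review(report):
    """Distinct on-disk paths still flagged 'Not disinfected', for a human to inspect."""
    seen = []
    for r in parse(report):
        if classify(r) == "file" and r["status"] == "Not disinfected":
            path = container_path(r["location"])
            if path.lower() not in [s.lower() for s in seen]:
                seen.append(path)
    return seen


if __name__ == "__main__":
    for bucket, n in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{bucket:9} {n}")
    print("review:")
    for p in files_for_review(SAMPLE_REPORT):
        print("  ", p)
```

The "file" bucket is the only one that needs a judgement call; the cookie and cache buckets are what a temp-file cleaner such as the one recommended above takes care of, and registry-only entries need a different tool than a file deleter. Two rows pointing into the same archive collapse to one container path, which is why pf78.exe appears once in the review list.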

#15 Mishiroro (Topic Starter, 13 posts)

Posted 03 May 2006 - 10:14 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjktijoa

*******************

Script file located at: \??\C:\rudhvkhx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File c:\windows\system32\atmtd.dll deleted successfully.
File c:\windows\system32\tsuninst.exe deleted successfully.


File c:\windows\system32\wtssvtr.exe not found!
Deletion of file c:\windows\system32\wtssvtr.exe failed!

Could not process line:
c:\windows\system32\wtssvtr.exe
Status: 0xc0000034

File c:\program files\secure32.html deleted successfully.
File c:\program files\internet explorer\winbrume.dat deleted successfully.
File c:\windows\teller2.chk deleted successfully.
File c:\windows\dh.ini deleted successfully.


File C:\WINDOWS\system32\i not found!
Deletion of file C:\WINDOWS\system32\i failed!

Could not process line:
C:\WINDOWS\system32\i
Status: 0xc0000034

File C:\WINDOWS\system32\xqpocrdm.dll deleted successfully.
File C:\WINDOWS\uninstall_nmon.vbs deleted successfully.
File C:\WINDOWS\pf78.exe deleted successfully.
Folder C:\WINDOWS\QmVyZ2lhbg deleted successfully.
Folder c:\program files\common files\InetGet deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




Logfile of HijackThis v1.99.1
Scan saved at 11:12:42 PM, on 03/05/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\netbtd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B094B410-CB48-44A2-B338-7C69F9FF9FE8}: NameServer = 206.47.244.51 206.47.244.110
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe



