Trojan.agent Download To Windows Temp File


5 replies to this topic

#1 electron4
  • Members
  • 39 posts

Posted 01 September 2006 - 11:48 AM

Hi,

It seems every time I go on the internet, a Trojan.AGENT.ue file gets added to my Windows temp file.
I have scanned the C: drive with Ad-Aware, BullGuard, Spyware Doctor, Ewido and Spybot S&D, but they do not show up a problem.
Have I got a problem that is hidden from this lot?

I hope this log file may help with the investigation.

All the best

Darren

Logfile of HijackThis v1.99.1
Scan saved at 17:45:13, on 01/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Psion\PsiWin\Psconsv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Computer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tiscali.co.uk/broadband/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A6383408-4BAA-8485-D72C-8D0E0C7A8EF1} - C:\WINDOWS\ndkcy1.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nyln1.exe] C:\WINDOWS\TEMP\nyln1.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [BGNewsAgent] "C:\Program Files\BullGuard Software\BullGuard\BgNewsUI.exe"
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PsiWin 2.3 Connection Server .lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD5A4A7-3B84-4E4B-8CFA-61B752C6B011}: NameServer = 85.255.115.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEAF814B-B286-4166-AF5E-338826089E36}: NameServer = 80.225.250.186 80.225.250.178
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


#2 ourwilly
  • Members
  • 921 posts

Posted 02 September 2006 - 07:46 AM

Hello electron4.

I'd like to take a look at this log; I'll get back to you as soon as I can.

ourwilly. :thumbsup:

#3 ourwilly
  • Members
  • 921 posts

Posted 04 September 2006 - 11:15 AM

Hello electron4

Copy and paste this post into a new text document or print it for reference.

Step 1.

Please download and run this: http://info.prevx.com/download.asp?grab=GROMOZONREMTOOL
  • It prompts you to download and try the Prevx1 software after you clean the PC; just say no.
Please copy & paste the results of C:\armada_log.txt in your next reply.


Please note - you are running "HijackThis" from an unsafe location.
To enable any backups we make to be stored safely, I would recommend that you re-download a copy of HJTsetup.exe from:
http://www.thespykiller.co.uk/files/HJTsetup.exe

Double click HJTsetup.exe to begin installation.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon, then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box, uncheck the box to the left of Launch HijackThis and then click Finish.
Do this BEFORE you proceed!


If you are using the Windows Firewall, I would recommend that you replace it as soon as possible. Please choose to install one of the good free firewalls below to fully protect your system; any one of these will give you full control over everything that requests Internet access, a feature not available in the default Windows Firewall.

ZoneAlarm
Kerio Personal Firewall
OutPost Firewall Free
Sygate Personal Firewall

Please read: Understanding and Using Firewalls


Step 2.

You may have a random O4 entry that changes on reboot.
Showing in your first log was this entry: O4 - HKLM\..\Run: [nyln1.exe] C:\WINDOWS\TEMP\nyln1.exe
Please note this part of the line: [*****.exe] C:\WINDOWS\TEMP\*****.exe


Now re-scan with HijackThis and place a checkmark next to this O4 entry:

O4 - HKLM\..\Run: [nyln1.exe] C:\WINDOWS\TEMP\nyln1.exe

and select "Fix checked".

It is important that you do NOT reboot your system at this point.
Re-open HijackThis.
Click on the "Config..." button on the bottom right.
Click on the tab "Misc Tools".
Click on "Delete File on Reboot".
Navigate to the random file that was showing in the HJT log: C:\WINDOWS\TEMP\nyln1.exe
Double click on that file.
HijackThis asks you if you want to "Reboot" now. Click "YES".



Step 3.

Please download FixWareout from one of these sites:
http://forums.subratam.org/index.php?act=A...st&id=43811
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Class - {A6383408-4BAA-8485-D72C-8D0E0C7A8EF1} - C:\WINDOWS\ndkcy1.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD5A4A7-3B84-4E4B-8CFA-61B752C6B011}: NameServer = 85.255.115.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20

Click Fix Checked. Close HijackThis, and click OK to proceed.

Important!! - Please DO NOT fix this line, as it is related to Tiscali:
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEAF814B-B286-4166-AF5E-338826089E36}: NameServer = 80.225.250.186 80.225.250.178

At the end of the fix, you may need to restart your computer again.


Step 4.

Before doing this, write down all the settings. Note that not all systems/setups even have these settings, while some connection services will require them.
These instructions are basically for home users.
Enter your Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS server address automatically. Make sure the radio button has the green dot in it!!


Go to Start > Run, enter CMD and click OK.

* At the DOS prompt, type in cd\ and then press <ENTER>.
* Now type in ipconfig /flushdns and then press <ENTER>. (Notice the space after ipconfig.)
* Close the command prompt window.

Reboot when finished.


Step 5.


Update Ewido Anti-Spyware:
Click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close Ewido.
Note: if you have any problems with the updater, you can update Ewido manually.
Do not scan with this yet!

Please reboot your system into Safe Mode: shut down your system, then restart your computer.
As soon as it starts booting up again, continuously tap F8; from the menu, select the option to enter Safe Mode.

Reopen Ewido Anti-Spyware and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.
Then reboot back into Normal Mode.


Step 6.

Please update your Sun Java console.

Close any programmes you may have running, ESPECIALLY your web browser.
Then, using Add/Remove Programs, select any item with Java Runtime Environment (JRE) in the name and uninstall it.
Please note that all old versions of Java need to be removed, as they are a security threat if left installed.


Reboot your computer.

Then CLICK HERE and select the Download button next to "J2SE Runtime Environment (JRE) 5.0 Update 8".

"Accept" the License Agreement, then choose the first download link, Windows Offline Installation, Multi-language.

You must install this version offline.

Reboot your system.


Please re-scan with HijackThis and post:

1/ The new HJT log
2/ The contents of the logfile C:\fixwareout\report.txt
3/ The Ewido Report-Scan.txt
4/ The C:\armada_log.txt

Thank you,
ourwilly. :thumbsup:

#4 electron4
  • Topic Starter
  • Members
  • 39 posts

Posted 06 September 2006 - 01:11 PM

Thanks for the info.

I had some difficulties doing exactly what you said, for example:

Step one: I have a paid-for firewall via BullGuard, which I think is working, is it?

Step two: I could not find the specified file c:\windows\temp\nyln.exe to delete; in fact there were no files in temp.

Step three: I could not find FixWareout with the links you gave, but did find it on this web site via another link, hope this is OK?
After step two I could not find the file related to Tiscali which you said "do not delete", but it seems to have been deleted, I hope this is not too much of a problem?

No prob with the rest.

Here is the info you requested:

Logfile of HijackThis v1.99.1
Scan saved at 18:50:24, on 06/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe
C:\Program Files\Eraser\eraser.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Psion\PsiWin\Psconsv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\Psion\PsiWin\Elogerr.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [BGNewsAgent] "C:\Program Files\BullGuard Software\BullGuard\BgNewsUI.exe"
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\BullGuard.exe"
O4 - HKCU\..\Run: [Eraser] C:\Program Files\Eraser\eraser.exe -hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk.disabled
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PsiWin 2.3 Connection Server .lnk = C:\Program Files\Psion\PsiWin\Psconsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal

Other suspects.
Directory of C:\WINDOWS\system32

Misc files.

Checking for older varients covered by the Rem3 tool.




---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 22:51:55 04/09/2006

+ Scan result:



C:\Documents and Settings\Darren\Cookies\darren@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.


::Report end


Removal tool loaded into memory
Gromozon rootkit component not detected - searching for other components
Scanning: C:\WINDOWS
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\ndkcy1.dll
Removed!
Gromozon-Related Malicious Code Detected!
FileName: C:\WINDOWS\system32\bfaa.dll
Removed!
Scanning: C:\Program Files\Common Files
Removing protected file: C:\Program Files\Common Files\System\bqPTE.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\DiNJL.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\HIhk.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\hMvC.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\LEDej.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\nfzk.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\nvG.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\qAYbOW.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ
Removing protected file: C:\Program Files\Common Files\System\YoN.exe
Removing directory: C:\Documents and Settings\\oUveoSluMlxtXJ


Trojan.Gromozon Removed!

Hope this is ok
Thanks for your time
Darren

Edited by electron4, 06 September 2006 - 01:15 PM.
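The triage rules ourwilly applied in post #3 (a Run entry launching from C:\WINDOWS\TEMP, NameServer values that are not the ISP's own, and a BHO with no product name dropped straight into C:\WINDOWS), together with the before/after comparison of the two logs that post #5's verdict rests on, as an added Python example. This is not part of the thread and not HijackThis's own code. The sample input is a trimmed copy of lines from the two logs above; the Tiscali allowlist (80.225.250.186 and 80.225.250.178) is an assumption taken from ourwilly's "do not fix" note, and the temp-directory markers are the editor's own.

```python
"""Triage a HijackThis log with the thread's indicators, then diff before/after."""
import re

# Sample input: trimmed copies of the two logs posted in this thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {A6383408-4BAA-8485-D72C-8D0E0C7A8EF1} - C:\WINDOWS\ndkcy1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nyln1.exe] C:\WINDOWS\TEMP\nyln1.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BD5A4A7-3B84-4E4B-8CFA-61B752C6B011}: NameServer = 85.255.115.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{FEAF814B-B286-4166-AF5E-338826089E36}: NameServer = 80.225.250.186 80.225.250.178
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.6 85.255.112.20
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
"""

# Assumption: the ISP resolvers the helper said to keep (Tiscali, per post #3).
ISP_DNS_ALLOWLIST = {"80.225.250.186", "80.225.250.178"}

# Assumption: directories a legitimate Run entry should never launch from.
TEMP_MARKERS = ("\\windows\\temp\\", "\\local settings\\temp\\")

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")


def parse(log):
    """Return [(section, body)] for every HJT item line; header lines are skipped."""
    items = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            items.append((m.group("sec"), m.group("body")))
    return items


def run_target(body):
    """Extract the launched path from an O4 body: '[name] "path" args' or '[name] path args'."""
    rest = body.split("]", 1)[1].strip() if "]" in body else body
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    return rest.split(" ", 1)[0]


def triage(log):
    """Apply the three indicators from post #3; return [(section, reason, body)]."""
    findings = []
    for sec, body in parse(log):
        if sec == "O4":
            if any(marker in run_target(body).lower() for marker in TEMP_MARKERS):
                findings.append((sec, "Run entry launches from a temp directory", body))
        elif sec == "O17":
            bad = sorted(ip for ip in IP_RE.findall(body) if ip not in ISP_DNS_ALLOWLIST)
            if bad:
                findings.append((sec, "NameServer not in ISP allowlist: " + " ".join(bad), body))
        elif sec == "O2":
            m = BHO_RE.match(body)
            if m:
                name = m.group("name").strip()
                parent = m.group("path").strip().lower().rsplit("\\", 1)[0]
                if name in ("Class", "(no name)") or parent == "c:\\windows":
                    findings.append((sec, "BHO with generic name or DLL dropped in C:\\WINDOWS", body))
    return findings


def diff_logs(before, after):
    """Entries that vanished after the cleanup, and entries that newly appeared."""
    b = {body for _, body in parse(before)}
    a = {body for _, body in parse(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for sec, reason, body in triage(LOG_BEFORE):
        print(f"[{sec}] {reason}\n    {body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print(f"\n{len(removed)} entries removed, {len(added)} added; after-log findings: {triage(LOG_AFTER)}")
```

Run against the two logs, the script flags the nyln1.exe Run entry, the ndkcy1.dll BHO and the two O17 lines carrying 85.255.x.x resolvers while leaving the Tiscali line alone; the diff then shows those entries gone and only the new Java BHO and updater appearing, which is the check behind "you seem to have done a great job". The allowlist approach is deliberate: a resolver is suspect because it is not the one the ISP hands out, not because it matches a known-bad range.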


#5 ourwilly
  • Members
  • 921 posts

Posted 07 September 2006 - 05:38 AM

Hello electron4

First, "thank you" for this information about BullGuard having a firewall; my first thought was that this was just running anti-virus protection,
and my link to "FixWareout" is now updated.

You seem to have done a great job at cleaning your system.

If everything is running fine, then I recommend that you "Disable" and then "Re-Enable" your System Restore.

And please "Bookmark" these Tutorials on how to stay safe:

So how did I get infected in the first place
Simple and easy ways to keep your computer safe and secure on the Internet

Thank you,
ourwilly. :thumbsup:

#6 electron4
  • Topic Starter
  • Members
  • 39 posts

Posted 07 September 2006 - 01:53 PM

:thumbsup:

Thanks for help

speak soon

Darren



