
Trojan Found Please Help


This topic is locked
6 replies to this topic

#1 shellybelly

shellybelly

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 05 February 2007 - 09:05 PM

My NOD32 found a trojan, more specifically a downloader; it seems to be downloading new applications every 20 minutes or so. I've run NOD, Ewido and Spybot and can't get rid of it.

Here's my HijackThis log. Please help!!!

Logfile of HijackThis v1.99.1
Scan saved at 8:59:37 PM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\update00822631.exe
C:\Documents and Settings\Owner\~tmp0374.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2127168E-5D2D-4037-2628-0A9C1D370003} - C:\WINDOWS\jttvq1.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [BHR4.1] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136242003\ee\AOLSoftware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - C:\WINDOWS\system32\update00822631.exe
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Owner\~tmp0374.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

Edited by shellybelly, 05 February 2007 - 10:36 PM.



#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  • Gender:Male
  • Location:TN USA
  • Local time:12:17 PM

Posted 07 February 2007 - 10:09 AM

Hi shellybelly,

Welcome to Bleeping Computer. :thumbsup:

Please print out these instructions as we will be going into safe mode.

Ewido 4.0 has been superseded by AVG Antispyware 7.5, which reflects the merger of Ewido with Grisoft, the makers of AVG antivirus. The program has undergone more than a name change, though; it has significantly improved capabilities, especially in the area of malware removal. You should upgrade to the new version.

First, uninstall Ewido: Click Start, then Control Panel, then double click Add or Remove Programs.

Scroll down to Ewido and select it. Click Remove.

To the "Are You Sure" warning popup, click Yes.

Ewido should now uninstall. When it is finished click OK. On some computers it may ask to reboot; if so, allow it.

Next, install AVG-AS: Open your browser and go to This page. Read the information regarding the paid and free versions of the program, then at the bottom of the page click the orange box labeled Download Now. Save the AVG-AS setup file to your desktop. Close your browser.

Double click the AVGAS setup icon. Unless you need to change the language first, click OK, then Next.

On the License agreement screen click I Agree. Then accept the default installation folder by clicking Next.

Finally, click Install. The program will then copy files and register itself; when it tells you it is installed, click Finish.

AVG-AS 7.5 will open. On the Status screen you will see a line Last Update ! Never. On that line click Update Now.

After the program updates, you may want to change the Auto Updates options. The default is to check for updates every 60 minutes, which you may feel is excessive. Note that after the 30 day trial period, Auto Updates is disabled unless you pay for the program.

Now click the Scanner icon at the top of the window. Click the Settings tab. When that screen opens select the radio button Automatically produce a report after every scan. Uncheck the box Only if threats were found.

On the same screen, under "How to Act", click on Recommended Actions. Select Quarantine.

Leave the other settings on that screen at their defaults.

Close the program. This will save the settings changes. Do not run a scan yet.

Next, get ATF Cleaner here. It does not require installation, just download it to your desktop. Do not run it yet.

Viewpoint is considered foistware rather than spyware, because it is usually installed without the user's knowledge or consent. If you wish to continue using it you can keep it, but otherwise I suggest you remove it.

Click Start, Control Panel, then double click Add or Remove Programs.
When the list is populated, scroll down and click Remove on any Viewpoint entries that you find.

Next, we need to show all Hidden Files:

1. Close all programs so that you are at your desktop.
2. Click Start, My Computer .
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and close out My Computer.
9. Now your computer is configured to show all hidden files.

Now, open HijackThis and run a scan. Close all other windows on your desktop, and make sure the only program in your taskbar is HijackThis.

Now, place a check next to the following lines:

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {2127168E-5D2D-4037-2628-0A9C1D370003} - C:\WINDOWS\jttvq1.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - C:\WINDOWS\system32\update00822631.exe
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Owner\~tmp0374.exe

Click Fix checked.

Now, click the Config button in the lower right hand corner of the HijackThis window. When the Configuration window opens, click Misc Tools. The screen will change and you will see a list of System Tools; click Delete an NT Service. A small window will open with a text box. Copy and paste the following line into it:

msieupdater

Click OK. Then Click Yes to confirm the deletion. If you get an error message, make a note of it and report it in your next post.

Do the same with the following line:

ieupdater2

Close HijackThis.

Now, Boot into Safe Mode:

If you don't know how to do this, here are two ways:

F8 Method
  • Restart your computer.
  • When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a menu.
  • When you have the menu on the screen, use the arrow keys to move to the line that says Safe Mode.
  • Then press <Enter> on your keyboard to boot into Safe Mode.
Bootsafe utility

If the F8 method does not work, you can download this program: Bootsafe.exe. Download the .exe file (not the zip file) directly to your desktop; it requires no installation. To use it, double click the program icon, then select the radio button Safe Mode - Minimal and click on the Reboot button.

In Safe Mode, use Windows explorer to navigate to and delete the following files:

C:\WINDOWS\jttvq1.dll
C:\WINDOWS\system32\update00822631.exe
C:\Documents and Settings\Owner\~tmp0374.exe


If any of the files are missing, make a note of it and just move on to the next one.

Next, scan with AVG AntiSpyware: Double click the AVG-AS 7.5 icon on your desktop to start the program.

Click the Scan tab. When the screen opens, select Complete System Scan. This action will take some time.

When the scan is finished, scroll through the list. Except for cookies, which should be set to Delete, every item should be set to Quarantine. If this is not the case, change it.

Now click Apply All Actions. Then click Save Report. On the screen that opens, click Save Report As, and in the Report save as... window navigate to and select your Desktop. You may want to rename the report file to something such as AVGAS_scan01.txt that will make it easier to recognize.

Close the program.

Reboot back into normal mode:

If you used the F8 method, Windows should automatically reboot into normal mode when you restart it. If you used Bootsafe, open the program and select the Normal Mode radio button, then click Reboot.

Now, remove temporary files and folders:

Double-click the ATFCleaner icon on your desktop to launch the program. For this first run, check the select all box on the main page, then click Empty selected. Then, if you use Firefox or Opera, click on the appropriate tab and repeat the same drill.

Finally, run another HijackThis scan.

Copy and paste that log, along with the AVG-Antispyware log, to a reply here. Let me know if you had any problems with any steps in the fix. Also, how is the computer running?

Good luck,

Dave

Edited by DaveM59, 07 February 2007 - 10:11 AM.


#3 shellybelly

shellybelly
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 07 February 2007 - 11:33 PM

(quoted the old message here by mistake, I checked in from work and noticed that. I couldn't see the reply buttons at home as IE will not show pictures or link buttons at the moment.) Deleted quote for space, sorry.

Edited by shellybelly, 08 February 2007 - 10:04 AM.


#4 shellybelly

shellybelly
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:17 PM

Posted 07 February 2007 - 11:36 PM

Ok, well, this morning the power flashed and the computer rebooted before I got to do all this. My husband noticed this afternoon that no pictures or links will show up online. They all look like broken links.

During the steps you said the following were not there to delete:

msieupdater
ieupdater
C:\WINDOWS\jttvq1.dll


Here's the HijackThis log and AVG log.

Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 11:30:36 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: C:\WINDOWS\system32\zvZoCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zvZoCrypt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [BHR4.1] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.1\BHR4.1.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1136242003\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://www.winkflash.com/photo/loaders/ImageUploader3.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - C:\WINDOWS\system32\update00822631.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Owner\~tmp0374.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:24:46 PM 2/7/2007

+ Scan result:



C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\loader[2] -> Backdoor.Small.nr : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\rd[1].htm -> Downloader.Agent.avf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026407.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026408.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026409.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026410.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026411.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026412.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026413.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026414.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026415.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026416.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026417.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026418.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026419.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026420.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026421.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026422.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026423.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026424.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026425.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP146\A0026426.exe -> Downloader.Agent.ber : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[10] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[11] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[13] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[14] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[15] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[16] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[17] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[18] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[19] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[1] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[20] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[22] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[23] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[24] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[3] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[4] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[5] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[6] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[8] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2HYFOJQH\nldr[9] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[10] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[11] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[12] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[13] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[14] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[16] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[18] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[19] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[1] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[3] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[4] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[5] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[6] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[7] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6FY9GZMP\nldr[8] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[10] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[11] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[12] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[13] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[15] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[1] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[3] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[4] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[6] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[7] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[8] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IPUHELA3\nldr[9] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[10] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[11] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[12] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[13] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[14] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[15] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[1] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[3] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[4] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[5] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[6] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[7] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[8] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[9] -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update21677000.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update39446154.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update66232247.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update94083845.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\svchost.exe -> Proxy.Small.ck : Cleaned with backup (quarantined).
C:\WINDOWS\system32\zDfop.dll -> Proxy.Small.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP145\A0024387.exe -> Trojan.Crypt.g : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP145\A0026370.exe -> Trojan.Crypt.g : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update34216966.exe -> Trojan.Crypt.g : Cleaned with backup (quarantined).


::Report end
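The report above is a long list of one-line detections, and the useful signal is in the patterns rather than in any single line: repeated `nldr[N]` files in the Temporary Internet Files cache of the LocalService account, a family of `update<8 digits>.exe` droppers in system32, and copies already captured in a System Restore point. As an added example (editor's code, not part of the original thread and not an AVG or BleepingComputer tool), the Python below parses the `path -> detection : action` layout and summarises it by detection name, file location and user profile. The sample input is a constructed subset of the lines from the report; the location categories are my own labels.

```python
import re
from collections import Counter

# Constructed sample: eight lines copied from the AVG Anti-Spyware report
# above, in its "path -> detection : action" layout, plus the end marker.
SAMPLE_REPORT = r"""
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[1] -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\JTS5BTEZ\nldr[2] -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update21677000.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\update34216966.exe -> Trojan.Crypt.g : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\svchost.exe -> Proxy.Small.ck : Cleaned with backup (quarantined).
C:\WINDOWS\system32\zDfop.dll -> Proxy.Small.ck : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP145\A0024387.exe -> Trojan.Crypt.g : Cleaned with backup (quarantined).
::Report end
"""

# One detection per line: "<path> -> <detection name> : <action taken>"
RECORD_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")
# Windows XP profile root: C:\Documents and Settings\<account>\...
ACCOUNT_RE = re.compile(r"^C:\\Documents and Settings\\([^\\]+)\\", re.I)
# The dropper family seen in this report: system32\update########.exe
NUMBERED_UPDATE_RE = re.compile(r"\\system32\\update\d{8}\.exe$")


def parse_report(text):
    """Return one dict per detection line; blanks and '::Report end' are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def classify(path):
    """Bucket a detected path by where it sits; the labels are this example's own."""
    p = path.lower()
    if "\\temporary internet files\\" in p:
        return "ie_cache"            # WinINet cache: something fetched it over HTTP
    if "\\cookies\\" in p:
        return "cookie"              # tracking cookies, not executable code
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"       # copy kept by System Restore; a rollback would bring it back
    if "\\windows\\temp\\" in p:
        return "windows_temp"
    if NUMBERED_UPDATE_RE.search(p):
        return "system32_numbered_update"
    if "\\system32\\" in p:
        return "system32_other"
    return "other"


def summarize(records):
    """Counts by detection name, by location bucket, and by profile account."""
    by_detection = Counter(r["detection"] for r in records)
    by_location = Counter(classify(r["path"]) for r in records)
    by_account = Counter()
    for r in records:
        m = ACCOUNT_RE.match(r["path"])
        if m:
            by_account[m.group(1)] += 1
    return {"by_detection": by_detection,
            "by_location": by_location,
            "by_account": by_account}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for section, counts in summary.items():
        print(section)
        for key, n in counts.most_common():
            print(f"  {n:3d}  {key}")
```

Two of the buckets carry a practical meaning for a cleanup like this one. Cache files under the LocalService profile mean the downloads were made by a process running as that service account, which matches the unknown-owner services in the HijackThis log rather than anything the interactive user ran. Hits under `_restore{...}\RP145` mean the infected binaries were already copied into a restore point, so a later System Restore to that point would reintroduce them.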

#5 DaveM59

    Bleepin' Grandpa

  • Members
  • 1,355 posts
  • Gender:Male
  • Location:TN USA

Posted 08 February 2007 - 02:56 PM

Hi again Shellybelly,

Don't worry about the C:\WINDOWS\jttvq1.dll file. HijackThis said it was gone, but sometimes it makes mistakes and I wanted you to check.

Regarding the two services I asked you to delete, that was a brain cramp. :thumbsup: I gave you the wrong names. I also left out some lines that I should have asked you to fix with HijackThis. In addition, you seem to have picked up a new infection, a spamming trojan.

Let's take another shot at those steps.

First, print these instructions.

Then, you'll have to disable AVG AntiSpyware's Shield. It may interfere with the fix.

Open AVG Antispyware and in the main window click Resident Shield, then toggle the AVG Anti-Spyware active protection 'off' by clicking Change state which will then change the protection status to inactive.

Open HijackThis, and run a scan. Place a check next to the following lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: C:\WINDOWS\system32\zvZoCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zvZoCrypt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - C:\WINDOWS\system32\update00822631.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Owner\~tmp0374.exe (file missing)


Then close all programs except HJT, and click Fix checked.

Then click the Config button in the lower right hand corner of the HijackThis window. When the Configuration window opens, click Misc Tools. The screen will change, you will see a list of System Tools, click Delete an NT Service. A small window will open with a text box. Copy and paste the following line into it:

Microsoft IE Updater

If the Service Delete tool finds the service it will ask you to confirm the deletion. Just click Yes.

If it won't let you delete the service or cannot find it, please report the error message.

Do the same with this one:

Microsoft IE Updater2


Download SDFix and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(this is the drive that contains the Windows Directory, typically C:\SDFix). DO NOT use it just yet.

Reboot the computer into Safe Mode.

Delete the following files:

C:\WINDOWS\system32\zvZoCrypt.dll
C:\WINDOWS\system32\rpcc.dll


Let me know if you can't find one or both of these files.

Open the SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt in your next reply along with a new HijackThis log.

Good luck,

Dave

Edited by DaveM59, 08 February 2007 - 03:24 PM.
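The six HijackThis lines Dave picked out share a few tells that a helper learns to spot by eye: an `O23` service with "Unknown owner" whose binary has a random-numbered name or lives in a user profile, an `O20` Winlogon Notify DLL, a BHO registered with no friendly name, and "(file missing)" on entries whose binary was already quarantined. As an added example (editor's code, not part of the thread and not HijackThis itself), the Python below parses those lines and states the reason each one is worth fixing; it also pulls the service key name out of the `O23` lines, which is the name Dave pastes into the Delete an NT Service box. The sample input is the six lines from the post; the rule names and the assumption that HijackThis writes `O23` as `DisplayName (ServiceName)` when the two differ are mine.

```python
import re

# Constructed sample: the six HijackThis lines from DaveM59's post above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O2 - BHO: C:\WINDOWS\system32\zvZoCrypt.dll - {8A5849C4-93F3-429D-FF34-660A2068897C} - C:\WINDOWS\system32\zvZoCrypt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: msieupdater (Microsoft IE Updater) - Unknown owner - C:\WINDOWS\system32\update00822631.exe (file missing)
O23 - Service: ieupdater2 (Microsoft IE Updater2) - Unknown owner - C:\Documents and Settings\Owner\~tmp0374.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# O23 layout assumed here: "Service: Display (KeyName) - Owner - Path"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
# Filenames seen on this machine: update<digits>.exe and ~tmp<digits>.exe
NUMBERED_RE = re.compile(r"(?:update\d+|~tmp\d+)\.exe$", re.I)

FILE_MISSING = "file missing on disk: orphaned entry, remove and note the path"
UNKNOWN_OWNER = "service has no vendor/owner string"
NUMBERED_NAME = "binary has a random-numbered filename"
PROFILE_PATH = "service binary lives in a user profile, not Program Files or system32"
WINLOGON_NOTIFY = "Winlogon Notify DLL: loaded by winlogon.exe at logon, verify its publisher"
NAMELESS_BHO = "BHO registered without a friendly name (name is its own path)"


def parse_line(line):
    """Split one HijackThis line into its kind and the fields this example uses."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    missing = body.endswith("(file missing)")
    if missing:
        body = body[: -len("(file missing)")].rstrip()
    entry = {"kind": kind, "body": body, "file_missing": missing, "raw": line.strip()}
    if kind == "O23":
        sm = SERVICE_RE.match(body)
        if sm:
            entry.update(display_name=sm.group("display"),
                         service_name=sm.group("name") or sm.group("display"),
                         owner=sm.group("owner"), path=sm.group("path"))
    elif kind == "O20":  # "Winlogon Notify: <name> - <dll>"
        _, _, rest = body.partition(": ")
        name, _, path = rest.partition(" - ")
        entry.update(name=name, path=path)
    elif kind == "O2":   # "BHO: <name> - {CLSID} - <dll>"
        _, _, rest = body.partition("BHO: ")
        parts = [s.strip() for s in rest.split(" - ", 2)]
        if len(parts) == 3:
            entry.update(name=parts[0], clsid=parts[1], path=parts[2])
    return entry


def triage(entry):
    """Return the list of reasons this entry deserves attention (empty = nothing flagged)."""
    reasons = []
    if entry["file_missing"]:
        reasons.append(FILE_MISSING)
    kind = entry["kind"]
    if kind == "O23" and "owner" in entry:
        if entry["owner"] == "Unknown owner":
            reasons.append(UNKNOWN_OWNER)
        if NUMBERED_RE.search(entry["path"]):
            reasons.append(NUMBERED_NAME)
        if "\\documents and settings\\" in entry["path"].lower():
            reasons.append(PROFILE_PATH)
    elif kind == "O20":
        reasons.append(WINLOGON_NOTIFY)
    elif kind == "O2" and entry.get("name", "").lower() == entry.get("path", "").lower():
        reasons.append(NAMELESS_BHO)
    return reasons


def triage_log(text):
    """Triage every parsable line, preserving log order."""
    out = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry:
            out.append({"kind": entry["kind"], "raw": entry["raw"], "reasons": triage(entry)})
    return out


def services_to_delete(text):
    """Service key names of O23 entries flagged for more than a missing file."""
    names = []
    for line in text.splitlines():
        e = parse_line(line)
        if e and e["kind"] == "O23" and "service_name" in e:
            if any(r != FILE_MISSING for r in triage(e)):
                names.append(e["service_name"])
    return names


if __name__ == "__main__":
    for item in triage_log(SAMPLE_HJT):
        print(item["raw"])
        for r in item["reasons"]:
            print("   ->", r)
    print("Delete an NT Service:", services_to_delete(SAMPLE_HJT))
```

The "(file missing)" flag is the reason Dave can fix those two `O23` lines and still needs the separate Delete an NT Service step: the scanner quarantined the binaries, but the service registrations that pointed at them survive a file-level cleanup and would respawn anything dropped back into place.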


#6 DaveM59


Posted 11 February 2007 - 10:24 AM

Hi Shellybelly, anything to report?

#7 DaveM59


Posted 18 February 2007 - 08:59 PM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.
