Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan Horse - Help


  • This topic is locked This topic is locked
2 replies to this topic

#1 bullparade

bullparade

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:09:00 AM

Posted 07 March 2007 - 11:37 PM

i have a trojan horse. bit defender reports the following:

Infected with Trojan.Agent.XC

I can't open ANYTHING except IE, and was somehow able to run "silent runners" vb script. the output is below. Please help!

"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"DellSupport" = ""C:\Program Files\Dell Support\DSAgnt.exe" /startup" ["Gteko Ltd."]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"ScanRegistry" = "C:\Program Files\Common Files\update\update.exe" [file not found]
"RealUpdate" = "C:\WINDOWS\System32\update/Update.exe" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"KernelCheck" = "C:\WINDOWS\System32\winmer.exe" [file not found]
"9" = "C:\WINDOWS\System32\vpcrm.exe" [file not found]
"wk" = "C:\WINDOWS\1beif20.exe" ["*****" (unwritable string)]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"nwiz" = "nwiz.exe /installquiet" ["NVIDIA Corporation"]
"NAV Agent" = "C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"HP Software Update" = ""C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"" ["Hewlett-Packard Company"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"wk" = "C:\WINDOWS\System32\1beff20.exe" ["*****" (unwritable string)]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}\(Default) = "Outlook Express"
\StubPath = "C:\WINDOWS\system32\shmgrate.exe OCInstallUserConfigOE" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Adobe PDF Reader Link Helper"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" [null data]
{A4D90779-6CB2-4752-83C2-A2AB4D9A672D}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AuthBHO.cBHO"
\InProcServer32\(Default) = "C:\Program Files\Cox\Applications\app\AuthBHO.dll" ["Authentium, Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {HKLM...CLSID} = "CNavExtBho Class"
\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {HKLM...CLSID} = "Desktop Explorer"
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {HKLM...CLSID} = "Microsoft Office Binder Unbind"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Objects"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
-> {HKLM...CLSID} = "NetWare Hood Verbs"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {HKLM...CLSID} = "AVG7 Find Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
<<!>> "{5D06580A-08EB-4DD0-8425-DDBB5198B30C}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Internet Explorer\PLUGINS\CDown.sys" [null data]
<<!>> "{CF49F9F2-A8D3-464F-83EC-6AFC6573C267}" = (no title provided)
-> {HKLM...CLSID} = "Wqrndrws40da"
\InProcServer32\(Default) = "C:\WINDOWS\System32\pp4.dll" [file not found]
<<!>> "{8935DC18-DC18-9354-1893-C1835C189354}" = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\MSINFO\DC189354.dll" [file not found]

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\
"load" = (value not set)

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
<<!>> "Shell" = "Explorer.exe 1" [MS], [file not found]

HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
{F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
-> {HKLM...CLSID} = "PDF Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {HKLM...CLSID} = "AVG7 Shell Extension Class"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
-> {HKLM...CLSID} = "NetWare UNC Folder Menu"
\InProcServer32\(Default) = "nwprovau.dll" [MS]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {HKLM...CLSID} = "IEContextMenu Class"
\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]


Default executables:
--------------------

HKLM\Software\Classes\.exe\(Default) = "WindowFiles"
<<!>> HKLM\Software\Classes\WindowFiles\shell\open\command\(Default) = "C:\WINDOWS\EXERT.exe "%1" %*" [file not found]


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"disableregistrytools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Prevent access to registry editing tools}

"disabletaskmgr" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|Ctrl+Alt+Del Options|
Remove Task Manager}

HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel\

"ResetWebSettings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Disable the Reset Web Settings feature}

"Settings" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|
Prevent the deletion of temporary Internet files and cookies}

"CertifPers" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"CertifSite" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"CertifPub" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Profiles" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"FormSuggest" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"Ratings" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"GeneralTab" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the General page}

"SecurityTab" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Security page}

"ConnectionsTab" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Connections page}

"ProgramsTab" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

"PrivacyTab" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Privacy page}

"AdvancedTab" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Internet Control Panel|
Disable the Advanced page}

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions\

"NoBrowserOptions" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|Windows Components|Internet Explorer|Browser Menus|
Tools menu: Disable Internet Options... menu option}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "-" & "All Users" startup folders:
---------------------------------------------------

C:\Documents and Settings\-\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Program Files\Palm\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"HP Image Zone Fast Start" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe -s" [null data]
"Logitech Harmony Remote" -> shortcut to: "C:\Program Files\Logitech\Harmony Remote\harmonyClient.exe" [null data]
"Picture Package Menu" -> shortcut to: "C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe" ["Sony Corporation"]
"Picture Package VCD Maker" -> shortcut to: "C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe -h" ["Sony Corporation."]
"setup_pcc" -> shortcut to: "D:\Setup\setup.exe" [file not found]
"Wireless-G Notebook Adapter Utility" -> shortcut to: "C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe" [empty string]
"WNSO" -> shortcut to: "C:\Program Files\Common Files\RGGZS\WNSO.exe" ["*****" (unwritable string)]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 24
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {HKLM...CLSID} = "Norton AntiVirus"
\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{64634180-B0EA-48B6-82B7-9620D33362C1}" = (no title provided)
-> {HKLM...CLSID} = "Cox Popup Blocker"
\InProcServer32\(Default) = "C:\Program Files\Cox\Applications\app\AuthBHO.dll" ["Authentium, Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{197A85BC-BD97-4404-A702-95E556E4DAEB}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Kwso"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\RGGZS\SoBar.dll" ["*****" (unwritable string)]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


HOSTS file
----------

C:\WINDOWS\System32\drivers\etc\HOSTS

maps: 2 domain names to IP addresses,
2 of the IP addresses are *not* localhost!


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
Client Service for NetWare, NWCWorkstation, "C:\WINDOWS\System32\svchost.exe -k netsvcs" {"C:\WINDOWS\System32\nwwks.dll" [MS]}
Curtains for Windows System Service, CurtainsSysSvc, "c:\program files\cox\applications\app\CurtainsSysSvcNt.exe" ["Authentium, Inc."]
DvpApi, dvpapi, "C:\Program Files\Common Files\Command Software\dvpapi.exe" ["Command Software Systems, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
NICSer_WPC54G, NICSer_WPC54G, "C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe" [empty string]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Pml Driver HPZ12, Pml Driver HPZ12, "C:\WINDOWS\System32\HPZipm12.exe" ["HP"]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
HP Standard TCP/IP Port\Driver = "hptcpmon.dll" ["Hewlett Packard"]
hpzlnt12\Driver = "hpzlnt12.dll" ["HP"]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 822 seconds, including 20 seconds for message boxes)

BC AdBot (Login to Remove)

 


#2 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:00 AM

Posted 17 March 2007 - 01:09 PM

Hello bullparade,

Sorry for the delay, this forum is very busy right now.

You have quite a collection of trojans on this computer. Is it the same one that RichieUK helped you with in February? ( topic url http://www.bleepingcomputer.com/forums/t/81190/hjt-analysis/ )

Another question: I see signs of two antivirus programs in this log -- Norton/Symantec and AVG. Are you currently running both these programs, or are the entries from one of them "leftovers" from a previous installation?

You should only have one antivirus installed and running on your computer. Two does not make you safer; in fact, they interfere with each other and are likely to cause system crashes and other problems. So, please let me know what is going on with these, and if you do have two antivirus scanners running, please uninstall one of them.

Several of your infections are downloaders; therefore, it's possible that there may be more malware on your computer now than there was when you posted this Silent Runners log. :thumbsup:

Because of this possibility, if you still need help, please run a fresh SilentRunners scan and post the log to a reply here.

Also, if possible, I would like you to download and use another scanning tool in addition to SilentRunners. This is Winpfind3u by OldTimer.

Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.

If you cannot get WinPFind to install or if it will not run, we can carry on with SilentRunners alone. However, I would like to see both logs if possible. You will need one post for the new SilentRunners log and at least one other for WinPFind -- as noted above, that log alone may require more than one post.

Since I am not used to working with these scanners, it may take me extra time to analyze the logs and get back to you with a fix. However, if you can get a WinPFind log, that tool is designed to make it easy for you to implement the repair that I create -- that's why I want you to try to run it.

Good luck,

Dave

#3 DaveM59

DaveM59

    Bleepin' Grandpa


  • Members
  • 1,355 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:TN USA
  • Local time:07:00 AM

Posted 29 March 2007 - 08:58 AM

Due to lack of feedback, this topic is now closed. If you want it re-opened, please PM me and put the url in your request.

This applies to the original poster only. Everyone else please start a new topic.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users