
Avg Anti-spyware Found Trojan.nilage.ara


  • This topic is locked
6 replies to this topic

#1 DreamRyder
  • Members
  • 20 posts

Posted 16 April 2007 - 10:34 PM

Hi,

As I usually do, I run a Routine Maintenance Scan with ALL my AV & AS scanners. Today AVG Anti-Spyware found Trojan.Nilage.ARA. It seems to have affected about 8 locations. From what I recorded it seems that they were Memory Locations.

Here is a snapshot of the results:

AVG Anti-Spyware SnapShot Link

As I have done before, I followed the suggestions presented by AVG Anti-Spyware (as noted in the SnapShot above). Unfortunately, upon reboot a rescan turned up the trojan again. I tried using delete, etc... but to no avail. I suspect there must be something somewhere regenerating this beast!

I can't get rid of it--yet :flowers:

I have followed the preliminaries outlined in the Preparation Guide. :thumbsup:

Can you please help me?

Thanks,,,,Bobby :huh:

HERE IS A COPY OF MY HIJACK THIS LOG:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:43 PM, on 4/17/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
L:\WINDOWS\System32\smss.exe
L:\WINDOWS\system32\csrss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\system32\spoolsv.exe
L:\WINDOWS\Explorer.EXE
L:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
L:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
L:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
l:\Program Files\AVG Anti-Spyware 7.5\guard.exe
L:\PROGRA~1\AVGFRE~1\avgamsvr.exe
F:\Program Files\TrueImageHome\TimounterMonitor.exe
L:\PROGRA~1\AVGFRE~1\avgupsvc.exe
L:\PROGRA~1\AVGFRE~1\avgemc.exe
E:\PROGRAM FILES\ClipAid\ClipAid.EXE
L:\WINDOWS\System32\ffpsrv.exe
O:\Program Files\CloneCD v5261\CloneCDTray.exe
L:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
L:\WINDOWS\System32\nvsvc32.exe
L:\Program Files\Agnitum\Outpost Firewall\outpost.exe
F:\Program Files\Hmonitor\hmonitor.exe
F:\Program Files\TrueImageHome\TrueImageMonitor.exe
L:\WINDOWS\System32\ctfmon.exe
e:\Program Files\Spyware Doctor\sdhelp.exe
o:\Program Files\Alcohol 120\StarWind\StarWindService.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\System32\WFXSVC.EXE
e:\Program Files\PerfectDisk\PDSched.exe
E:\PROGRAM FILES\WinFax\WFXMOD32.EXE
E:\PROGRAM FILES\SpywareGuard\sgmain.exe
E:\PROGRAM FILES\SpywareGuard\sgbhp.exe
L:\Program Files\Startup Monitor\StartupMonitor.exe
L:\Program Files\AVG Free\avgcc.exe
F:\Program Files\LClock\lclock.exe
F:\Program Files\WordWeb\wweb32.exe
L:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
F:\Program Files\Bandwidth Monitor Pro V1.30\Bandwidth Monitor Pro.exe
H:\Program Files\Ahead\InCD\InCD.exe
E:\PROGRAM FILES\Hotkey Master\Hotkey Master.exe
E:\PROGRAM FILES\TweakMASTER\TMTray.exe
L:\WINDOWS\AGRSMMSG.exe
L:\WINDOWS\System32\wfxsnt40.exe
L:\Program Files\YPOPs\YPOPS.EXE
F:\Program Files\MAXTHON BROWSER\Maxthon.exe
E:\PROGRAM FILES\AnalogX\Capture\capture.exe
L:\WINDOWS\explorer.exe
E:\PROGRAM FILES\Spyware Doctor\swdoctor.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = L:\Program Files\Copernic 2000 Pro\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = L:\Program Files\Copernic 2000 Pro\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\CopernicFind.dll
O1 - Hosts: 203.147.133.62 forums.whirlpool.net.au
O1 - Hosts: 208.109.95.5 www.maxthon.com
O1 - Hosts: 65.54.183.202 login.live.com
O1 - Hosts: 83.172.139.184 www.mickeytheman.com
O1 - Hosts: 210.224.192.65 www.rimarts.co.jp
O1 - Hosts: 64.71.175.192 www.ixquick.com
O1 - Hosts: 207.97.211.30 vivisimo.com
O1 - Hosts: 210.8.18.32 www.webwombat.com.au
O1 - Hosts: 203.36.31.67 www.tradingpost.com.au
O1 - Hosts: 64.81.60.124 www.ozsearch.com.au
O1 - Hosts: 64.79.50.166 www.lyndaroxanne.com
O1 - Hosts: 80.237.244.15 7603.rapidforum.com
O1 - Hosts: 66.135.204.41 members.ebay.co.uk
O1 - Hosts: 68.178.232.99 www.cr-web.com
O1 - Hosts: 70.84.49.10 www.audehost.com
O1 - Hosts: 204.13.160.129 www.imagehosting.us
O1 - Hosts: 139.134.5.124 users.bigpond.net.au
O1 - Hosts: 199.231.128.134 www.internetfrog.com
O1 - Hosts: 67.18.179.85 testmy.net
O1 - Hosts: 67.18.179.85 www.testmy.net
O1 - Hosts: 203.221.25.2 members.bordernet.com.au
O1 - Hosts: 202.60.85.100 www.ozspeedtest.com
O1 - Hosts: 203.56.45.77 www.bctest.com.au
O1 - Hosts: 202.154.92.59 www.peopletelecom.com.au
O1 - Hosts: 202.3.110.37 speedtest.dslnet.com.au
O1 - Hosts: 69.17.117.207 www.speedtest.net
O1 - Hosts: 66.246.172.95 www.hashemian.com
O1 - Hosts: 203.221.25.2 www.voise.com.au
O1 - Hosts: 203.221.25.2 www.bordernet.com.au
O1 - Hosts: 203.123.87.145 secure.bordernet.com.au
O1 - Hosts: 203.221.25.2 forums.bordernet.com.au
O1 - Hosts: 203.147.133.62 www.whirlpool.net.au
O1 - Hosts: 61.69.127.181 www.activ8me.net.au
O1 - Hosts: 198.142.23.81 search.nasa.gov
O1 - Hosts: 216.92.13.100 www.brainsbreaker.com
O1 - Hosts: 38.114.169.197 www.whatismyip.com
O1 - Hosts: 67.15.104.20 www.ipheaven.com
O1 - Hosts: 70.47.133.201 www.proxy-servers.org
O1 - Hosts: 81.222.134.86 www.forum.freeproxy.ru
O1 - Hosts: 216.92.207.177 www.all-nettools.com
O1 - Hosts: 64.246.28.194 www.2privacy.com
O1 - Hosts: 213.250.2.87 www.proxysecurity.com
O1 - Hosts: 62.205.173.163 www.aliveproxy.com
O1 - Hosts: 62.205.173.164 atomintersoft.com
O1 - Hosts: 68.178.210.149 ntcanuck.com
O1 - Hosts: 216.92.198.116 www.cmyip.com
O1 - Hosts: 193.86.103.10 forum.grisoft.cz
O1 - Hosts: 72.232.91.158 www.gossiprocks.com
O1 - Hosts: 216.40.32.30 www.tucows.com
O1 - Hosts: 209.208.12.70 www.ussupport.com
O1 - Hosts: 56.0.66.23 www.usps.gov
O1 - Hosts: 69.31.91.10 astalavista.box.sk
O1 - Hosts: 203.47.147.50 www.tab.com.au
O1 - Hosts: 144.135.18.32 www.bigpond.com
O1 - Hosts: 208.109.95.5 forum.maxthon.com
O1 - Hosts: 207.241.233.253 web.archive.org
O1 - Hosts: 85.17.43.92 www.astalavista.us
O1 - Hosts: 211.100.24.167 res.maxthon.com
O1 - Hosts: 63.215.73.41 hoylegames.sierra.com
O1 - Hosts: 203.22.8.202 www.austar.com.au
O1 - Hosts: 203.22.8.225 myaccount.austar.com.au
O1 - Hosts: 212.78.206.150 www.serials2004.nl
O1 - Hosts: 38.118.213.4 www.gnutellaforums.com
O1 - Hosts: 71.216.156.178 www.s2kboard.org
O1 - Hosts: 81.169.181.163 www.tedd3000.com
O1 - Hosts: 85.12.27.135 www.serialz.to
O1 - Hosts: 69.36.180.131 project2025.com
O1 - Hosts: 194.109.147.174 www.cservice.undernet.org
O1 - Hosts: 70.87.46.68 www.tamco.com.au
O1 - Hosts: 72.232.217.178 javimoya.com
O1 - Hosts: 208.97.169.185 videodownloader.net
O1 - Hosts: 208.65.153.253 www.youtube.com
O1 - Hosts: 62.149.162.54 www.viloader.net
O1 - Hosts: 62.149.162.54 convert.viloader.net
O1 - Hosts: 72.52.167.58 keepvid.com
O1 - Hosts: 64.13.192.145 s1947.gridserver.com
O1 - Hosts: 208.201.239.36 oreilly.com
O1 - Hosts: 66.29.37.251 www.allanonymity.com
O1 - Hosts: 66.29.37.251 www.allanonymity.com.
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\PROGRAM FILES\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\PROGRAM FILES\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - E:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - L:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "L:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "L:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\Program Files\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [ClipAid] "E:\PROGRAM FILES\ClipAid\ClipAid.EXE"
O4 - HKLM\..\Run: [CloneCDTray] "O:\Program Files\CloneCD v5261\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [hmonitor] F:\Program Files\Hmonitor\hmonitor.exe
O4 - HKLM\..\Run: [LogonStudio] "e:\Program Files\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Outpost Firewall] L:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [StartupDelayer] "F:\Program Files\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\Program Files\TrueImageHome\TrueImageMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] L:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - f:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://f:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://L:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Add Feed to NewsCast - F:\Program Files\MAXTHON BROWSER\Plugin\NewsCast\AddFeed.html
O8 - Extra context menu item: Add to &LinkFox - res://E:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Check &Spelling - res://f:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight Pro - E:\PROGRAM FILES\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://L:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://f:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://f:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\PROGRAM FILES\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic - file://L:\Program Files\Copernic 2000 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - L:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://L:\Program Files\Copernic 2000 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://L:\Program Files\Copernic 2000 Pro\Translate.htm
O10 - Unknown file in Winsock LSP: l:\windows\system32\ou7viewer.dll
O10 - Unknown file in Winsock LSP: l:\windows\system32\ou7viewer.dll
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{897850F6-9A65-43CD-BF2F-5729248646AD}: NameServer = 210.80.58.34,210.80.58.42,150.203.1.10,150.203.22.28,203.2.75.2,203.2.75.12
O20 - AppInit_DLLs: J:\PROGRA~1\Agnitum\OUTPOS~1.591\wl_hook.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - L:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - L:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - l:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgemc.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - L:\WINDOWS\System32\ffpsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - L:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - L:\WINDOWS\vcd1.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - L:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - L:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PDEngine - Raxco Software, Inc. - e:\Program Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - e:\Program Files\PerfectDisk\PDSched.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - o:\Program Files\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - L:\WINDOWS\System32\WFXSVC.EXE



Thanks again,,,Bobby
Microsoft Windows XP Professional
5.1.2600 Build 2600
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
NVIDIA
AMD Athlon XP 2400 Mhz
Pheonix Tech. BIOS LTD 6.00PG 2003
512mb RAM
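The log above is what a forum responder reads first, and the entries that matter are spread across several sections: the O10 Winsock LSP line, the O20 AppInit_DLLs line, the O23 service with a missing binary, the localhost proxy in R1, and the long run of O1 hosts overrides. The following script is an added example (the editor's own code, not HijackThis or BleepingComputer logic) that groups a HijackThis 1.99 log by section and applies a few triage heuristics; the sample input is a constructed abridgement of the log in this post, and the severity labels are the editor's judgement. A Winsock LSP DLL is loaded into every process that uses sockets, which is why such a file is always "in use" and would be reported in many processes' memory rather than as a single file on disk.

```python
"""Triage a HijackThis 1.99 log the way a forum responder reads it.
Added example (the editor's own code, not HijackThis or BleepingComputer
logic); the severity rules are the editor's heuristics."""
import re
from collections import Counter, defaultdict

# Constructed sample: a handful of lines abridged from the log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
O1 - Hosts: 65.54.183.202 login.live.com
O1 - Hosts: 66.29.37.251 www.allanonymity.com
O1 - Hosts: 66.29.37.251 www.allanonymity.com.
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O10 - Unknown file in Winsock LSP: l:\windows\system32\ou7viewer.dll
O10 - Unknown file in Winsock LSP: l:\windows\system32\ou7viewer.dll
O20 - AppInit_DLLs: J:\PROGRA~1\Agnitum\OUTPOS~1.591\wl_hook.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - L:\WINDOWS\vcd1.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - L:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")


def parse_hjt(text):
    """Group entry bodies by HijackThis section id (R1, O1, O10, O23, ...)."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group("sec")].append(m.group("body"))
    return sections


def triage(sections):
    """Return (severity, reason, entry) for the entries a responder checks first."""
    findings = []
    # O10: a Winsock LSP DLL is loaded into every process that uses sockets,
    # so it is always "in use" and shows up in many processes' memory.
    for body in sections.get("O10", []):
        if body.startswith("Unknown file in Winsock LSP"):
            findings.append(("high", "unvetted Winsock LSP DLL (loaded into every socket-using process)", body))
    # O20: AppInit_DLLs are injected into every process that loads user32.dll.
    for body in sections.get("O20", []):
        findings.append(("medium", "AppInit_DLLs injection; confirm the vendor owns this DLL", body))
    # O23: services with no publisher string or a binary that no longer exists.
    for body in sections.get("O23", []):
        if "Unknown owner" in body or "(file missing)" in body:
            findings.append(("medium", "service with unknown owner or missing binary", body))
    # R1: IE forced through a local proxy; find out what listens on that port.
    for body in sections.get("R1", []):
        if "ProxyServer = 127.0.0.1" in body:
            findings.append(("medium", "IE proxied through localhost; identify the listener", body))
    # O1: hosts-file overrides bypass DNS entirely; flag duplicates
    # (same name with and without a trailing dot) and report the total.
    hosts = [body.split()[1:3] for body in sections.get("O1", []) if len(body.split()) >= 3]
    names = Counter(name.rstrip(".").lower() for _ip, name in hosts)
    for name, count in names.items():
        if count > 1:
            findings.append(("low", "hostname pinned more than once in the hosts file", name))
    if hosts:
        findings.append(("info", f"{len(hosts)} hosts-file overrides; confirm each was added deliberately", ""))
    # O2/O9: browser add-ons served from a pre-6 Java runtime.
    for body in sections.get("O2", []) + sections.get("O9", []):
        m = re.search(r"jre1\.(\d+)\.0_\d+", body, re.I)
        if m and int(m.group(1)) < 6:
            findings.append(("low", "browser plugin from an outdated Java runtime", body))
    return findings


if __name__ == "__main__":
    for sev, why, entry in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev}] {why}")
        if entry:
            print(f"    {entry}")
```

Run it against a full log and the output is the short list a responder would ask about; the known-good NVIDIA service passes untouched, while the two LSP catalog entries for the same DLL both surface, matching how HijackThis printed them.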



#2 DreamRyder
  • Topic Starter
  • Members
  • 20 posts

Posted 21 April 2007 - 05:32 PM

Just one more note. I tried removing this trojan in SAFE MODE using AVG Anti-Spyware. It still doesn't remove it & it still shows up in at least 6 memory locations. Even delete on reboot fails to do the trick. Just thought this might help in your diagnosis.

Hoping to hear from you soon,,,,Bobby ;)

#3 SifuMike
    malware expert
  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 23 April 2007 - 02:33 PM

Hello Bobby,

I am SifuMike and I will be helping you. :thumbsup:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u1".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6-windows-i586.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.

    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586-p.exe to install the newest version.
*******************

I tried removing this trojan in SAFE MODE using AVG Anti-Spyware. It still doesn't remove it & it still shows up in at least 6 memory locations


According to your image file, the main infection Trojan.Nilage.ARA is quarantined, so don't worry about it.

These 8 traces of VM_'s show that the infections have been found in the virtual memory section of running processes.

Try this:
Update the AVG AntiSpyware software with the updater module, then restart Windows in Safe Mode.

How to Reboot into Safe Mode
Tap the F8 key during reboot until the boot menu appears, use the arrow keys to choose "Safe Mode" from the menu, then press the "Enter" key. If that does not work, go to this site: http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/




In Safe Mode run AVG antispyware scan again with the 'Fast-System-Scan' Mode.

Post the AVG antispyware log.

*******************

Also, scan your computer with an Anti-Rootkit Scanner:
http://free.grisoft.com/doc/avg-anti-rootk...e/lng/us/tpl/v5
and post the log.

*******************


Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:
l:\windows\system32\ou7viewer.dll
Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results in your next reply.

*******************

Did you add all of these to your Hosts file?

O1 - Hosts: 203.147.133.62 forums.whirlpool.net.au
O1 - Hosts: 208.109.95.5 www.maxthon.com
O1 - Hosts: 65.54.183.202 login.live.com
O1 - Hosts: 83.172.139.184 www.mickeytheman.com
O1 - Hosts: 210.224.192.65 www.rimarts.co.jp
O1 - Hosts: 64.71.175.192 www.ixquick.com
O1 - Hosts: 207.97.211.30 vivisimo.com
O1 - Hosts: 210.8.18.32 www.webwombat.com.au
O1 - Hosts: 203.36.31.67 www.tradingpost.com.au
O1 - Hosts: 64.81.60.124 www.ozsearch.com.au
O1 - Hosts: 64.79.50.166 www.lyndaroxanne.com
O1 - Hosts: 80.237.244.15 7603.rapidforum.com
O1 - Hosts: 66.135.204.41 members.ebay.co.uk
O1 - Hosts: 68.178.232.99 www.cr-web.com
O1 - Hosts: 70.84.49.10 www.audehost.com
O1 - Hosts: 204.13.160.129 www.imagehosting.us
O1 - Hosts: 139.134.5.124 users.bigpond.net.au
O1 - Hosts: 199.231.128.134 www.internetfrog.com
O1 - Hosts: 67.18.179.85 testmy.net
O1 - Hosts: 67.18.179.85 www.testmy.net
O1 - Hosts: 203.221.25.2 members.bordernet.com.au
O1 - Hosts: 202.60.85.100 www.ozspeedtest.com
O1 - Hosts: 203.56.45.77 www.bctest.com.au
O1 - Hosts: 202.154.92.59 www.peopletelecom.com.au
O1 - Hosts: 202.3.110.37 speedtest.dslnet.com.au
O1 - Hosts: 69.17.117.207 www.speedtest.net
O1 - Hosts: 66.246.172.95 www.hashemian.com
O1 - Hosts: 203.221.25.2 www.voise.com.au
O1 - Hosts: 203.221.25.2 www.bordernet.com.au
O1 - Hosts: 203.123.87.145 secure.bordernet.com.au
O1 - Hosts: 203.221.25.2 forums.bordernet.com.au
O1 - Hosts: 203.147.133.62 www.whirlpool.net.au
O1 - Hosts: 61.69.127.181 www.activ8me.net.au
O1 - Hosts: 198.142.23.81 search.nasa.gov
O1 - Hosts: 216.92.13.100 www.brainsbreaker.com
O1 - Hosts: 38.114.169.197 www.whatismyip.com
O1 - Hosts: 67.15.104.20 www.ipheaven.com
O1 - Hosts: 70.47.133.201 www.proxy-servers.org
O1 - Hosts: 81.222.134.86 www.forum.freeproxy.ru
O1 - Hosts: 216.92.207.177 www.all-nettools.com
O1 - Hosts: 64.246.28.194 www.2privacy.com
O1 - Hosts: 213.250.2.87 www.proxysecurity.com
O1 - Hosts: 62.205.173.163 www.aliveproxy.com
O1 - Hosts: 62.205.173.164 atomintersoft.com
O1 - Hosts: 68.178.210.149 ntcanuck.com
O1 - Hosts: 216.92.198.116 www.cmyip.com
O1 - Hosts: 193.86.103.10 forum.grisoft.cz
O1 - Hosts: 72.232.91.158 www.gossiprocks.com
O1 - Hosts: 216.40.32.30 www.tucows.com
O1 - Hosts: 209.208.12.70 www.ussupport.com
O1 - Hosts: 56.0.66.23 www.usps.gov
O1 - Hosts: 69.31.91.10 astalavista.box.sk
O1 - Hosts: 203.47.147.50 www.tab.com.au
O1 - Hosts: 144.135.18.32 www.bigpond.com
O1 - Hosts: 208.109.95.5 forum.maxthon.com
O1 - Hosts: 207.241.233.253 web.archive.org
O1 - Hosts: 85.17.43.92 www.astalavista.us
O1 - Hosts: 211.100.24.167 res.maxthon.com
O1 - Hosts: 63.215.73.41 hoylegames.sierra.com
O1 - Hosts: 203.22.8.202 www.austar.com.au
O1 - Hosts: 203.22.8.225 myaccount.austar.com.au
O1 - Hosts: 212.78.206.150 www.serials2004.nl
O1 - Hosts: 38.118.213.4 www.gnutellaforums.com
O1 - Hosts: 71.216.156.178 www.s2kboard.org
O1 - Hosts: 81.169.181.163 www.tedd3000.com
O1 - Hosts: 85.12.27.135 www.serialz.to
O1 - Hosts: 69.36.180.131 project2025.com
O1 - Hosts: 194.109.147.174 www.cservice.undernet.org
O1 - Hosts: 70.87.46.68 www.tamco.com.au
O1 - Hosts: 72.232.217.178 javimoya.com
O1 - Hosts: 208.97.169.185 videodownloader.net
O1 - Hosts: 208.65.153.253 www.youtube.com
O1 - Hosts: 62.149.162.54 www.viloader.net
O1 - Hosts: 62.149.162.54 convert.viloader.net
O1 - Hosts: 72.52.167.58 keepvid.com
O1 - Hosts: 64.13.192.145 s1947.gridserver.com
O1 - Hosts: 208.201.239.36 oreilly.com
O1 - Hosts: 66.29.37.251 www.allanonymity.com
O1 - Hosts: 66.29.37.251 www.allanonymity.com.


Lastly, Post a fresh Hijackthis log.

Edited by SifuMike, 23 April 2007 - 02:49 PM.
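The VirusTotal step above returns a plain-text table, one engine per line, followed by the file's size, hashes and packer (the report Bobby pastes in the next reply is in exactly that layout). Two things a responder wants from it are the detection ratio and whether the scanners installed on the machine are among the ones that returned clean, which explains why a resident scanner can miss a file that other engines name. The script below is an added example, the editor's own code rather than anything from VirusTotal or this thread; it parses that 2007 text format (not today's VirusTotal API), and the sample report is a constructed abridgement of the one in the next reply. Ewido is listed among the "installed" engines because AVG Anti-Spyware 7.5 was the rebranded Ewido scanner.

```python
"""Turn the plain-text VirusTotal report format of 2007 into structured
verdicts.  Added example, the editor's own code; it is not VirusTotal's
API, and the sample below is an abridged, constructed copy of a report."""
import hashlib
import re

# Constructed sample: header, a subset of the engine lines, and the file
# information block, in the layout VirusTotal emitted at the time.
SAMPLE_REPORT = """\
Antivirus Version Update Result
AhnLab-V3 2007.4.24.0 04.23.2007  no virus found
AntiVir 7.4.0.14 04.23.2007 TR/Crypt.NSPM.Gen
Authentium 4.93.8 04.23.2007 Possibly a new variant of W32/PWStealer1!Generic
AVG 7.5.0.464 04.23.2007  no virus found
BitDefender 7.2 04.24.2007 Trojan.PWS.Onlinegames.EF
DrWeb 4.33 04.23.2007 Trojan.PWS.Maran
Ewido 4.0 04.23.2007  no virus found
Kaspersky 4.0.2.24 04.24.2007  no virus found
Sophos 4.16.0 04.23.2007 Mal/EncPk-F

Additional Information
File size: 59904 bytes
MD5: 9a003892d68e910cfbde8ee2bff3c755
SHA1: 1197097d4a3cc5b81bbec9d7daf131b390bf30bb
packers: UPX
"""

# engine  version  update-date (mm.dd.yyyy)  result
VERDICT_RE = re.compile(r"^(?P<engine>\S+) (?P<version>\S+) (?P<updated>\d{2}\.\d{2}\.\d{4})\s+(?P<result>.+)$")
FIELD_RE = re.compile(r"^(File size|MD5|SHA1|packers): (.+)$")
CLEAN = "no virus found"


def parse_report(text):
    """Return a dict: verdicts {engine: detection name or None}, md5, sha1, size, packers."""
    report = {"verdicts": {}, "md5": None, "sha1": None, "size": None, "packers": []}
    for line in text.splitlines():
        line = line.strip()
        m = VERDICT_RE.match(line)
        if m:
            result = m.group("result").strip()
            report["verdicts"][m.group("engine")] = None if result == CLEAN else result
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "File size":
            report["size"] = int(value.split()[0])
        elif key == "MD5":
            report["md5"] = value.lower()
        elif key == "SHA1":
            report["sha1"] = value.lower()
        else:
            report["packers"] = [p.strip() for p in value.split(",")]
    return report


def detection_ratio(report):
    """(engines that detected the file, engines that scanned it)."""
    verdicts = report["verdicts"]
    return sum(v is not None for v in verdicts.values()), len(verdicts)


def missed_by(report, installed):
    """Locally installed engines that returned clean for this file."""
    return [e for e in installed if e in report["verdicts"] and report["verdicts"][e] is None]


def matches_report(data, report):
    """True only if these bytes hash to the MD5 and SHA1 the report lists,
    i.e. the verdicts really apply to the file on this machine."""
    return (hashlib.md5(data).hexdigest() == report["md5"]
            and hashlib.sha1(data).hexdigest() == report["sha1"])


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    hit, total = detection_ratio(rep)
    print(f"{hit}/{total} engines detect; packer(s): {rep['packers']}")
    print("installed engines that missed it:", missed_by(rep, ["AVG", "Ewido"]))
```

Before acting on a report, check the local copy of the file with `matches_report` against its bytes: the hashes tie the verdicts to one specific sample, and a file that has since changed on disk (or a same-named file in another directory) is not the thing that was scanned.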


#4 DreamRyder
  • Topic Starter
  • Members
  • 20 posts

Posted 24 April 2007 - 12:21 AM

HiYa SifuMike,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.


+ Updated to Latest version as instructed.

According to your image file, the main infection Trojan.Nilage.ARA is quarantined, so don't worry about it.

These 8 traces of VM_'s show that the infections have been found in the virtual memory section of running processes.


Well, I don't know why or how, but it's gone! All I did was the VirusTotal Scan with these results:

STATUS: FINISHED
Complete scanning result of "ou7viewer.dll", received in VirusTotal at 04.24.2007, 04:52:49 (CET).

Antivirus Version Update Result 
AhnLab-V3 2007.4.24.0 04.23.2007  no virus found 
AntiVir 7.4.0.14 04.23.2007 TR/Crypt.NSPM.Gen 
Authentium 4.93.8 04.23.2007 Possibly a new variant of W32/PWStealer1!Generic 
Avast 4.7.981.0 04.23.2007 Win32:Agent-EWQ 
AVG 7.5.0.464 04.23.2007  no virus found 
BitDefender 7.2 04.24.2007 Trojan.PWS.Onlinegames.EF 
CAT-QuickHeal 9.00 04.23.2007  no virus found 
ClamAV devel-20070416 04.24.2007  no virus found 
DrWeb 4.33 04.23.2007 Trojan.PWS.Maran 
eSafe 7.0.15.0 04.23.2007  no virus found 
eTrust-Vet 30.7.3589 04.23.2007 Win32/Charaho.T 
Ewido 4.0 04.23.2007  no virus found 
FileAdvisor 1 04.24.2007  no virus found 
Fortinet 2.85.0.0 04.24.2007 W32/QQPass.YL!tr.pws 
F-Prot 4.3.2.48 04.23.2007 W32/PWStealer1!Generic 
F-Secure 6.70.13030.0 04.24.2007  no virus found 
Ikarus T3.1.1.5 04.23.2007 Worm.Win32.Viking.ex 
Kaspersky 4.0.2.24 04.24.2007  no virus found 
McAfee 5015 04.23.2007  no virus found 
Microsoft 1.2405 04.24.2007  no virus found 
NOD32v2 2213 04.23.2007 Win32/Pacex.Gen 
Norman 5.80.02 04.23.2007  no virus found 
Panda 9.0.0.4 04.23.2007 Trj/QQPass.YL 
Prevx1 V2 04.24.2007  no virus found 
Sophos 4.16.0 04.23.2007 Mal/EncPk-F 
Sunbelt 2.2.907.0 04.19.2007  no virus found 
Symantec 10 04.24.2007  no virus found 
TheHacker 6.1.6.088 04.09.2007  no virus found 
VBA32 3.11.4 04.23.2007 MalwareScope.Worm.Viking.3 
VirusBuster 4.3.7:9 04.23.2007  no virus found 
Webwasher-Gateway 6.0.1 04.24.2007 Trojan.Crypt.NSPM.Gen 


Additional Information
File size: 59904 bytes 
MD5: 9a003892d68e910cfbde8ee2bff3c755 
SHA1: 1197097d4a3cc5b81bbec9d7daf131b390bf30bb 
packers: UPX 

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware. 


Then I did an Update of my AVG Anti-Spyware as instructed (did one yesterday, but better safe than sorry) & then restarted in SAFEMODE as instructed & ran AVG A-S.

The Trojan.Nilage.ara was nowhere to be found, but it did pick up Trojan.Maron in the file I scanned with VirusTotal online at your request--- l:\windows\system32\ou7viewer.dll. I proceeded to follow the AVG A-S suggested action & it put this file in Quarantine.

Here is the AVG A-S Log as you requested:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

 + Created at:	2:01:36 PM 4/24/2007

 + Scan result:	



[1016] L:\WINDOWS\System32\ou7viewer.dll -> Trojan.Maran : Cleaned with backup (quarantined).


::Report end

I already had AVG's Rootkit Free tool. I checked to see if it was the latest version--it was---and a scan came up with zero findings--totally clean.


As far as I know all the places in the HOSTS File were legit. I use Tweak Master Agent & it does its DNS thing by updating the HOSTS File every time I visit a site using MSIE. So, all the entries there were put there via Tweak Master Agent. Just as a precaution though, I deleted the entire contents of the HOSTS File via Tweak Master's own options. I did this before I ran HijackThis again.

Here are my HijackThis Logs ( the first one was done in SAFEMODE & the second in NORMAL MODE--after a normal bootup ):

Logfile of HijackThis v1.99.1
Scan saved at 2:17:00 PM, on 4/24/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
L:\WINDOWS\System32\smss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\System32\ffpsrv.exe
L:\WINDOWS\Explorer.EXE
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = L:\Program Files\Copernic 2000 Pro\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = L:\Program Files\Copernic 2000 Pro\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\CopernicFind.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\PROGRAM FILES\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\PROGRAM FILES\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - E:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - L:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "L:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "L:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\Program Files\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [ClipAid] "E:\PROGRAM FILES\ClipAid\ClipAid.EXE"
O4 - HKLM\..\Run: [CloneCDTray] "O:\Program Files\CloneCD v5261\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [hmonitor] F:\Program Files\Hmonitor\hmonitor.exe
O4 - HKLM\..\Run: [LogonStudio] "e:\Program Files\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Outpost Firewall] L:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [StartupDelayer] "F:\Program Files\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\Program Files\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TweakMASTER] "E:\PROGRAM FILES\TweakMASTER\TMTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] L:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - f:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://f:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://L:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Add Feed to NewsCast - F:\Program Files\MAXTHON BROWSER\Plugin\NewsCast\AddFeed.html
O8 - Extra context menu item: Add to &LinkFox - res://E:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Check &Spelling - res://f:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight Pro - E:\PROGRAM FILES\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://L:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://f:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://f:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\PROGRAM FILES\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic - file://L:\Program Files\Copernic 2000 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - L:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://L:\Program Files\Copernic 2000 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://L:\Program Files\Copernic 2000 Pro\Translate.htm
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{897850F6-9A65-43CD-BF2F-5729248646AD}: NameServer = 210.80.58.34,210.80.58.42,150.203.1.10,150.203.22.28,203.2.75.2,203.2.75.12
O20 - AppInit_DLLs: J:\PROGRA~1\Agnitum\OUTPOS~1.591\wl_hook.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - L:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - L:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - l:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgemc.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - L:\WINDOWS\System32\ffpsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - L:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - L:\WINDOWS\vcd1.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - L:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - L:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PDEngine - Raxco Software, Inc. - e:\Program Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - e:\Program Files\PerfectDisk\PDSched.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - o:\Program Files\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - L:\WINDOWS\System32\WFXSVC.EXE

AFTER REBOOT TO NORMAL:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:31 PM, on 4/24/2007
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
L:\WINDOWS\System32\smss.exe
L:\WINDOWS\system32\csrss.exe
L:\WINDOWS\system32\winlogon.exe
L:\WINDOWS\system32\services.exe
L:\WINDOWS\system32\lsass.exe
L:\WINDOWS\system32\svchost.exe
L:\WINDOWS\System32\svchost.exe
H:\Program Files\Ahead\InCD\InCDsrv.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\system32\spoolsv.exe
L:\WINDOWS\Explorer.EXE
L:\Program Files\AVG Anti-Spyware 7.5\avgas.exe
L:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
F:\Program Files\TrueImageHome\TimounterMonitor.exe
E:\PROGRAM FILES\ClipAid\ClipAid.EXE
L:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O:\Program Files\CloneCD v5261\CloneCDTray.exe
l:\Program Files\AVG Anti-Spyware 7.5\guard.exe
L:\PROGRA~1\AVGFRE~1\avgamsvr.exe
F:\Program Files\Hmonitor\hmonitor.exe
L:\PROGRA~1\AVGFRE~1\avgupsvc.exe
L:\PROGRA~1\AVGFRE~1\avgemc.exe
L:\WINDOWS\System32\ffpsrv.exe
L:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
L:\WINDOWS\System32\nvsvc32.exe
F:\Program Files\TrueImageHome\TrueImageMonitor.exe
L:\Program Files\Agnitum\Outpost Firewall\outpost.exe
L:\WINDOWS\System32\ctfmon.exe
e:\Program Files\Spyware Doctor\sdhelp.exe
o:\Program Files\Alcohol 120\StarWind\StarWindService.exe
L:\WINDOWS\System32\svchost.exe
L:\WINDOWS\System32\WFXSVC.EXE
e:\Program Files\PerfectDisk\PDSched.exe
E:\PROGRAM FILES\WinFax\WFXMOD32.EXE
E:\PROGRAM FILES\SpywareGuard\sgmain.exe
L:\Program Files\Startup Monitor\StartupMonitor.exe
L:\Program Files\AVG Free\avgcc.exe
F:\Program Files\LClock\lclock.exe
E:\PROGRAM FILES\SpywareGuard\sgbhp.exe
F:\Program Files\WordWeb\wweb32.exe
F:\Program Files\Bandwidth Monitor Pro V1.30\Bandwidth Monitor Pro.exe
H:\Program Files\Ahead\InCD\InCD.exe
E:\PROGRAM FILES\Hotkey Master\Hotkey Master.exe
E:\PROGRAM FILES\TweakMASTER\TMTray.exe
L:\WINDOWS\AGRSMMSG.exe
L:\WINDOWS\System32\wfxsnt40.exe
L:\WINDOWS\explorer.exe
F:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = L:\Program Files\Copernic 2000 Pro\Search Bar.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = L:\Program Files\Copernic 2000 Pro\Search Bar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {C12B4EC1-1F65-11D3-91CA-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\CopernicFind.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\PROGRAM FILES\GetRight\xx2gr.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - E:\PROGRAM FILES\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - E:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: TweakMASTER PRO Component - {7DAAC7DE-9EF0-4FF0-BFA5-AFF3E899054C} - E:\PROGRA~1\TWEAKM~1\TweakBHO.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - E:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - L:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 6.0 PROFESSIONAL\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "L:\Program Files\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "L:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] F:\Program Files\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [ClipAid] "E:\PROGRAM FILES\ClipAid\ClipAid.EXE"
O4 - HKLM\..\Run: [CloneCDTray] "O:\Program Files\CloneCD v5261\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [hmonitor] F:\Program Files\Hmonitor\hmonitor.exe
O4 - HKLM\..\Run: [LogonStudio] "e:\Program Files\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [Outpost Firewall] L:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [StartupDelayer] "F:\Program Files\Startup Delayer\Startup Launcher GUI.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] F:\Program Files\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [TweakMASTER] "E:\PROGRAM FILES\TweakMASTER\TMTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] L:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - f:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - F:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &ieSpell Options - res://f:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: &WordWeb... - res://L:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: Add Feed to NewsCast - F:\Program Files\MAXTHON BROWSER\Plugin\NewsCast\AddFeed.html
O8 - Extra context menu item: Add to &LinkFox - res://E:\PROGRA~1\TWEAKM~1\TweakBHO.dll/IESCRIPT
O8 - Extra context menu item: Check &Spelling - res://f:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download &all with DAP - F:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Download with GetRight Pro - E:\PROGRAM FILES\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://L:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://f:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://f:\Program Files\ieSpell\wikipedia.HTM
O8 - Extra context menu item: Open with GetRight Pro Browser - E:\PROGRAM FILES\GetRight\GRbrowse.htm
O8 - Extra context menu item: Search Using Copernic - file://L:\Program Files\Copernic 2000 Pro\Search Extension.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - L:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - f:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {2A465934-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra 'Tools' menuitem: Launch Copernic - {2A465934-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra button: Copernic - {2A465936-E5F0-11D2-91B5-00104B9C4765} - L:\Program Files\Copernic 2000 Pro\Copernic.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - L:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - L:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Translate - {99EFB53C-C965-43CF-9F45-52242D134187} - file://L:\Program Files\Copernic 2000 Pro\Translate.htm
O9 - Extra 'Tools' menuitem: &Translate Using Gist-In-Time - {99EFB53C-C965-43CF-9F45-52242D134187} - file://L:\Program Files\Copernic 2000 Pro\Translate.htm
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{897850F6-9A65-43CD-BF2F-5729248646AD}: NameServer = 210.80.58.34,210.80.58.42,150.203.1.10,150.203.22.28,203.2.75.2,203.2.75.12
O20 - AppInit_DLLs: J:\PROGRA~1\Agnitum\OUTPOS~1.591\wl_hook.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - L:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - L:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - l:\Program Files\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - L:\PROGRA~1\AVGFRE~1\avgemc.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - L:\WINDOWS\System32\ffpsrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - L:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - H:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Card Adapter (NETDown) - Unknown owner - L:\WINDOWS\vcd1.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - L:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - L:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: PDEngine - Raxco Software, Inc. - e:\Program Files\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - e:\Program Files\PerfectDisk\PDSched.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - e:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - o:\Program Files\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - L:\WINDOWS\System32\WFXSVC.EXE


So, the final status is the TROJAN.NILAGE.ARA is gone!! :flowers:

I see no Viruses (via AVG A-V) or any Spyware/Malware (via AVG A-S) :huh: :thumbsup:

My system "seems" totally clean, but you tell me. Until I hear from you with your final analysis I won't know for sure!


Looking to hear from you soon!,,,,Thanks!,,,,Bobby :huh:
Microsoft Windows XP Professional
5.1.2600 Build 2600
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
NVIDIA
AMD Athlon XP 2400 MHz
Phoenix Tech. BIOS LTD 6.00PG 2003
512mb RAM


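The HijackThis logs above are what the helpers on this thread review line by line. As an added example (not part of the original thread, and not HijackThis's own code), here is a small Python parser that splits such a log into its R/O sections and flags the entry types a reviewer looks at first: a configured proxy, downloaded ActiveX (O16), custom DNS servers (O17), AppInit_DLLs (O20) and services whose binary is missing (O23). The sample lines are constructed from the log posted above, and the review rules are my own assumptions about what gets checked, not anything HijackThis ships; every flag is a prompt to confirm the entry against the software installed on the machine, not a verdict.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines in HijackThis v1.99.1 log format, taken from the log
# posted in this thread (only two NameServer addresses kept to shorten the line).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - L:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [Outpost Firewall] L:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O16 - DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} (MaxisSimCity4PatcherX Control) - http://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{897850F6-9A65-43CD-BF2F-5729248646AD}: NameServer = 210.80.58.34,210.80.58.42
O20 - AppInit_DLLs: J:\PROGRA~1\Agnitum\OUTPOS~1.591\wl_hook.dll
O23 - Service: Card Adapter (NETDown) - Unknown owner - L:\WINDOWS\vcd1.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - L:\WINDOWS\System32\nvsvc32.exe
"""

# One HijackThis entry: a section code (R0-R3, F0-F3, N1-N4, O1-O24) and the rest of the line.
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Split a HijackThis log into Entry objects; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


# Review heuristics (my own assumptions about what a log reviewer checks first,
# not rules from HijackThis): each is (section, pattern, note for the reviewer).
REVIEW_RULES = [
    ("R1", re.compile(r"ProxyServer = \S+"), "proxy configured; confirm it belongs to known software"),
    ("O16", re.compile(r"^DPF:"), "ActiveX control downloaded from a URL; verify the source"),
    ("O17", re.compile(r"NameServer = "), "custom DNS servers; confirm they are the ISP's"),
    ("O20", re.compile(r"^AppInit_DLLs:"), "DLL loaded into every GUI process; must be a known product"),
    ("O23", re.compile(r"\(file missing\)$"), "service points at a missing binary; orphaned entry"),
]


def review(entries: list) -> list:
    """Attach reviewer notes to entries matching REVIEW_RULES; return only the flagged ones."""
    for e in entries:
        for section, pattern, note in REVIEW_RULES:
            if e.section == section and pattern.search(e.body):
                e.flags.append(note)
    return [e for e in entries if e.flags]


def section_counts(entries: list) -> Counter:
    """Entries per section; an unusually long O2/O4/O23 section is itself worth a look."""
    return Counter(e.section for e in entries)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(dict(section_counts(parsed)))
    for e in review(parsed):
        print(f"{e.section}: {e.body[:60]}... -> {'; '.join(e.flags)}")
```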

#5 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:39 AM

Posted 24 April 2007 - 10:23 AM

Hi Bobby,

I am happy to say your log looks clean! :thumbsup:

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Please read and follow How did I get infected?, With steps so it does not happen again!
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#6 DreamRyder

DreamRyder
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Local time:05:39 PM

Posted 24 April 2007 - 04:40 PM

Mike,

We must be on the same wavelength. About an hour before I read this I did just that, cleared all my past system restores & created a new restore point! Go Figure!!

Thanks for your help, I just really would like to know just how the Trojan.Nilage.ARA just disappeared like that???? Maybe you scared it off with your mojo!! ;)

Thanks again,,,Bobby ;)
Microsoft Windows XP Professional
5.1.2600 Build 2600
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
NVIDIA
AMD Athlon XP 2400 MHz
Phoenix Tech. BIOS LTD 6.00PG 2003
512mb RAM



#7 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:39 AM

Posted 01 May 2007 - 12:11 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



