Help! Norton Detects Trojan.adclicker, Comp Very Slow


  • This topic is locked
17 replies to this topic

#1 suno2koo (Members, 15 posts)

Posted 01 May 2007 - 09:55 AM

Norton started to pop up detecting Trojan.Adclicker. Now the computer is very, very slow. It seems Norton can't get rid of it. Adware and Spybot also.
Please help. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 10:45:22 AM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\Syswl2\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Documents and Settings\Tina\Desktop\HijackThis.exe
C:\Program Files\Thunder Network\Thunder\Program\Thunder5.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [t6l] rundll32.exe C:\WINDOWS\0woy631gi.dll _start@16
O4 - HKLM\..\Run: [winform] C:\WINDOWS\01.exe
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\2.exe
O4 - HKLM\..\Run: [i9brcekdy] rundll32.exe C:\WINDOWS\mww.dll _start@16
O4 - HKLM\..\Run: [fkr] rundll32.exe C:\WINDOWS\vsl8ul.dll _start@16
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\3.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msupdate] C:\WINDOWS\AntiAdwa.exe other
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &妏蚚捃濘狟婥 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &妏蚚捃濘狟婥窒蟈諉 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ao?ŻN﹐AŚ - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: Ao?ŻN﹐AŚ - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E65627F1-4082-49C2-BEE5-CEAE3DE592D8}: NameServer = 67.7.11.2,66.80.130.23
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O20 - Winlogon Notify: sclgntfys - C:\WINDOWS\sclgntfys.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Windows User Mode Driver (UMWdfmgr) - Unknown owner - rundll32.exe (file missing)
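The log above is what the helpers in this thread triage by eye. As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python triage script that applies the rules of thumb behind that reading to the O4, O20 and O23 lines: a Run entry whose target sits directly in the Windows root or is a DLL loaded through rundll32, a Winlogon Notify DLL outside system32, and a service with an unknown owner or a missing image file. The sample lines are a subset copied from the log above; the heuristics, the regular expressions and the Finding structure are assumptions of this example, and a hit means "verify this file", not "malicious".

```python
"""Triage HijackThis O4/O20/O23 lines for autostart entries that deserve a second look.

Added example, not part of the original thread or of HijackThis/ComboFix. The
heuristics are modelled on what separates the entries ComboFix later deleted in this
thread from the vendor ones: the binary sits directly in the Windows root rather than
in system32 or Program Files, several are DLLs loaded through rundll32, one Winlogon
Notify DLL lives outside system32, and one service has an unknown owner and a missing
image. A hit is a prompt to verify the file, not a verdict.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# A subset of lines copied from the HijackThis log above, embedded so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [t6l] rundll32.exe C:\WINDOWS\0woy631gi.dll _start@16
O4 - HKLM\..\Run: [winform] C:\WINDOWS\01.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\2.exe
O4 - HKLM\..\Run: [i9brcekdy] rundll32.exe C:\WINDOWS\mww.dll _start@16
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\3.exe
O4 - HKCU\..\Run: [msupdate] C:\WINDOWS\AntiAdwa.exe other
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: sclgntfys - C:\WINDOWS\sclgntfys.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Windows User Mode Driver (UMWdfmgr) - Unknown owner - rundll32.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # "O4", "O20" or "O23"
    name: str     # Run value name, Notify key name or service short name
    reason: str


O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First absolute path ending in an executable extension; quoted or not, and it may contain spaces.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|com))"?', re.IGNORECASE)


def first_path(cmd: str) -> Optional[str]:
    """Return the first drive-letter path in a Run command, or None for bare file names."""
    m = PATH_RE.search(cmd)
    return m.group(1) if m else None


def in_windows_root(path: str) -> bool:
    """True when the file sits directly in the Windows directory rather than in a subfolder."""
    parent = ntpath.normcase(ntpath.dirname(path))
    return re.fullmatch(r"[a-z]:\\windows", parent) is not None


def o4_reasons(cmd: str) -> list:
    reasons = []
    if cmd.lstrip('"').lower().startswith("rundll32"):
        reasons.append("DLL loaded through rundll32 rather than a vendor executable")
    path = first_path(cmd)
    if path and in_windows_root(path):
        reasons.append(f"{path} sits directly in the Windows root")
    return reasons


def triage(log_text: str) -> list:
    """Walk a HijackThis log and collect entries matching the heuristics above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            reasons = o4_reasons(m["cmd"])
            if reasons:
                findings.append(Finding("O4", m["name"], "; ".join(reasons)))
        elif m := O20_RE.match(line):
            # Notify DLLs are loaded into winlogon.exe; vendor ones live in system32.
            if ntpath.normcase(ntpath.basename(ntpath.dirname(m["path"]))) != "system32":
                findings.append(Finding("O20", m["name"], f"Notify DLL outside system32: {m['path']}"))
        elif m := O23_RE.match(line):
            short = re.search(r"\(([^)]+)\)$", m["desc"])
            name = short.group(1) if short else m["desc"]
            if "(file missing)" in m["cmd"].lower() or m["owner"].lower() == "unknown owner":
                findings.append(Finding("O23", name, f"unknown owner or missing image: {m['cmd']}"))
    return findings


def flagged_names(log_text: str) -> set:
    return {f.name for f in triage(log_text)}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.name:<12} {f.reason}")
```

Run it to print the findings: on this sample every entry it flags is one ComboFix removed in the next post, and none of the Intel, Symantec or Adobe entries is touched. Bare file names such as sttray.exe (resolved through PATH) are skipped by first_path and would need a separate lookup.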


#2 rookie147 (Members, 5,321 posts)

Posted 01 May 2007 - 10:46 AM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
You have quite a heavily infected computer; it is likely that we will need to perform a few scans before you are completely clean of malware, so please bear with me.

Download Combofix to your Desktop.
Go to Start | Run and type:
"%userprofile%\desktop\combofix.exe" /wow
Then hit OK
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Include the Combofix log along with a new HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 suno2koo (Topic Starter, 15 posts)

Posted 01 May 2007 - 12:01 PM

Thanks, Charles. The computer seems faster after the ComboFix reboot, but the Trojan.Adclicker popup by Norton is still there after the reboot.

Combofix report:
"Tina" - 07-05-01 12:43:31 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Tina\Desktop\"
Command switches used :: "/wow"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Microsoft Shared\MSInfo\system.2dt
C:\Program Files\Internet Explorer\plugins\System64.sys
C:\WINDOWS\2.exe
C:\WINDOWS\3.exe
C:\WINDOWS\0woy631gi.dll
C:\WINDOWS\mww.dll
C:\WINDOWS\vsl8ul.dll
C:\WINDOWS\system32\mscache\msvsock.dll
C:\WINDOWS\system32\system\.setupq\avps.exe
C:\WINDOWS\system32\system\.setupq\novel.exe
C:\WINDOWS\system32\system\.setupq\up.dat
C:\WINDOWS\system32\system\.setupq\verx.dat
C:\WINDOWS\system32\system\sysbacks\avps.exe
C:\WINDOWS\system32\system\sysbacks\dllhosts.dll
C:\WINDOWS\system32\system\sysbacks\novel.exe
C:\WINDOWS\system32\system\sysbacks\up.dat
C:\WINDOWS\system32\system\sysbacks\verx.dat
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\mppds.dll
C:\WINDOWS\system32\winform.dll
C:\WINDOWS\system32\mscache
C:\Program Files\internet explorer\iexplore.win
C:\WINDOWS\system32\cmdbcs.dll
C:\WINDOWS\sclgntfys.dll
C:\WINDOWS\system32\system


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\UMWdfmgr
-------\LEGACY_UMWDFMGR


((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))


2007-04-30 14:47 <DIR> d-------- C:\Deckard
2007-04-30 10:12 252 --a------ C:\NTDETECT.EXE
2007-04-25 09:04 83,968 --a------ C:\temp\9999avps.exe
2007-04-25 09:03 <DIR> d-------- C:\temp
2007-04-24 17:20 <DIR> d-------- C:\WINDOWS\pss
2007-04-24 17:19 <DIR> d-------- C:\WINDOWS\system32\CBA
2007-04-24 17:19 <DIR> d-------- C:\Program Files\NavNT
2007-04-24 17:16 63 --a------ C:\WINDOWS\system\SYSRegC.dll
2007-04-24 17:16 143,360 --a------ C:\WINDOWS\system32\GetHardDiskNo.dll
2007-04-24 17:16 1,126,400 --a------ C:\WINDOWS\system32\VchReg.dll
2007-04-24 17:16 <DIR> d-------- C:\WINDOWS\MaxSecureBackup
2007-04-24 17:16 <DIR> d-------- C:\Program Files\Max Registry Cleaner
2007-04-24 16:57 3,158 --a------ C:\WINDOWS\downer11.exe
2007-04-24 16:56 3,150 --a------ C:\WINDOWS\downer10.exe
2007-04-24 16:56 3,149 --a------ C:\WINDOWS\downer9.exe
2007-04-24 16:55 83,456 --a------ C:\WINDOWS\8888-521ww.exe
2007-04-24 16:54 144 --a------ C:\WINDOWS\system32\sklini.dll
2007-04-24 16:52 <DIR> d--hs---- C:\WINDOWS\Syswl2
2007-04-16 11:58 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-16 11:58 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-04-16 11:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-26 12:35 956 --a------ C:\WINDOWS\system32\cid_store.dat
2007-04-25 09:03 -------- d-------- C:\Program Files\symantec
2007-03-21 11:42 -------- d-------- C:\Program Files\windows media connect 2


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{889D2FEB-5411-4565-8998-1DD2C5261283} C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
{AE7CD045-E861-484f-8273-0445EE161910} C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"igfxtray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"igfxhkcmd"="C:\\WINDOWS\\system32\\hkcmd.exe"
"igfxpers"="C:\\WINDOWS\\system32\\igfxpers.exe"
"IntelAudioStudio"="\"C:\\Program Files\\Intel Audio Studio\\IntelAudioStudio.exe\" TRAY"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SigmatelSysTrayApp"="sttray.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"Thunder"="\"C:\\Program Files\\Thunder Network\\Thunder\\Thunder.exe\" /s"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{31F612A3-3223-3313-3123-31161A31A125}"="godpri.dll"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 12:47:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 07-05-01 12:47:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-05-01 12:47


New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:03 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Thunder Network\Thunder\Thunder.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tina\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\XunLeiBHO_002.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" TRAY
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Thunder] "C:\Program Files\Thunder Network\Thunder\Thunder.exe" /s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = %SystemRoot%\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &妏蚚捃濘狟婥 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: &妏蚚捃濘狟婥窒蟈諉 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Ao?ŻN﹐AŚ - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: Ao?ŻN﹐AŚ - {0062C9BD-B349-40DE-91A0-755F37ACD559} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E65627F1-4082-49C2-BEE5-CEAE3DE592D8}: NameServer = 67.7.11.2,66.80.130.23
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#4 rookie147 (Members, 5,321 posts)

Posted 01 May 2007 - 01:36 PM

Hello again,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups, which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C: ) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following files (if present):

C:\NTDETECT.EXE
C:\WINDOWS\downer11.exe
C:\WINDOWS\downer10.exe
C:\WINDOWS\downer9.exe
C:\WINDOWS\8888-521ww.exe
C:\WINDOWS\system32\sklini.dll

And the following folder:

C:\WINDOWS\Syswl2

Reboot into Normal Mode again.

We need to do a search for a file. Navigate to:
Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

godpri.dll

If you find any examples of this file, please note down its exact location, and let me know where it is in your next post. I'd also like a little bit more information about this file (if you know anything).
Thanks,
Charles



#5 suno2koo (Topic Starter, 15 posts)

Posted 01 May 2007 - 02:21 PM

Hello Charles,

I've made a permanent folder for HijackThis and moved it there. Next I went into Safe Mode and removed the mentioned 6 files. Now I reboot and it keeps on rebooting. It shows "select the OS" and then, next to Windows XP Professional, it shows "NTDETECT failed". The computer keeps rebooting at the same point.

Thanks!

#6 rookie147 (Members, 5,321 posts)

Posted 01 May 2007 - 02:47 PM

Are you sure you deleted the correct file? Did you get rid of NTDETECT.COM instead?



#7 suno2koo (Topic Starter, 15 posts)

Posted 01 May 2007 - 03:02 PM

I'm pretty sure I deleted the correct file. I did see this other ntdetect.com also when looking for ntdetect.exe. I'm not able to boot into Safe Mode or any other option right now.

Thanks,

Sunny

#8 suno2koo (Topic Starter, 15 posts)

Posted 01 May 2007 - 03:41 PM

Charles, my mistake. I must have deleted ntdetect.com. I just ran recovery through the Windows CD and copied the .com file to C:\. It boots up now. After rebooting, I searched for the file godpri.dll. Nothing came up. The computer is running with no lag now and no more Norton Trojan.Adclicker popup messages. As for godpri.dll, I don't know any info about what that file is.

Thanks



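The NTDETECT.EXE / NTDETECT.COM mix-up in the posts above is the kind of slip a removal checklist can catch before anything is deleted. As an added example, not from the thread or from any tool named in it, the Python script below checks each entry of the removal list from post #4 against a small table of boot-critical Windows XP files and reports an exact hit as a refusal and a same-folder, same-stem collision as a warning to double-check the extension. The protected-file table, the assumption that the system drive is C:, and the Verdict type are assumptions of this example.

```python
"""Guard a manual file-removal list against look-alike names of boot-critical files.

Added example, not part of the thread or of any tool named in it. The failure mode
above: the list contained C:/NTDETECT.EXE, the legitimate boot-time hardware detector
is C:/NTDETECT.COM, and deleting the wrong one left Windows XP stuck at "NTDETECT
failed" until the .COM file was copied back from the install CD. Before acting on a
list, compare every entry with a table of protected boot files and report exact hits
and same-name-different-extension collisions.
"""
import ntpath
from dataclasses import dataclass

# Boot-critical files on a Windows XP system drive; assumption: the system drive is C:.
PROTECTED_BOOT_FILES = (
    r"C:\NTDETECT.COM",
    r"C:\NTLDR",
    r"C:\boot.ini",
    r"C:\WINDOWS\system32\ntoskrnl.exe",
    r"C:\WINDOWS\system32\hal.dll",
)

# The removal list from post #4 above (files only; the folder C:\WINDOWS\Syswl2 is omitted).
REMOVAL_LIST = (
    r"C:\NTDETECT.EXE",
    r"C:\WINDOWS\downer11.exe",
    r"C:\WINDOWS\downer10.exe",
    r"C:\WINDOWS\downer9.exe",
    r"C:\WINDOWS\8888-521ww.exe",
    r"C:\WINDOWS\system32\sklini.dll",
)


@dataclass(frozen=True)
class Verdict:
    path: str
    action: str  # "delete", "warn" or "refuse"
    note: str


def _key(path: str) -> str:
    """Case-folded, separator-normalised form so spelling differences compare equal."""
    return ntpath.normcase(ntpath.normpath(path))


def _stem(path: str) -> str:
    """File name without its extension (NTDETECT for both NTDETECT.COM and NTDETECT.EXE)."""
    return ntpath.splitext(ntpath.basename(path))[0]


def classify(candidate: str, protected=PROTECTED_BOOT_FILES) -> Verdict:
    cand = _key(candidate)
    for prot in protected:
        pk = _key(prot)
        if cand == pk:
            return Verdict(candidate, "refuse", f"{prot} is a boot-critical file")
        if ntpath.dirname(cand) == ntpath.dirname(pk) and _stem(cand) == _stem(pk):
            return Verdict(candidate, "warn",
                           f"same folder and name as protected {prot}; delete only the exact path")
    return Verdict(candidate, "delete", "no collision with protected files")


def plan(candidates=REMOVAL_LIST, protected=PROTECTED_BOOT_FILES) -> list:
    """Classify every entry of a removal list; nothing is deleted, this only reports."""
    return [classify(c, protected) for c in candidates]


if __name__ == "__main__":
    for v in plan():
        print(f"{v.action:<7} {v.path:<40} {v.note}")
```

The output lists C:\NTDETECT.EXE as warn (it shares its folder and name with the protected .COM file) and the five other paths as delete. The guard only compares names, so it complements rather than replaces checking a file's size and signature before removal.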

#9 rookie147 (Members, 5,321 posts)

Posted 01 May 2007 - 04:00 PM

No worries about that, I'm glad you got it sorted. :thumbsup:
I'd like one more log please:
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Please download ATF Cleaner.
Don't run it yet.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Reboot into Normal Mode again.

Please run Panda's ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open, click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.
When download is complete, click on Local Disks to start the scan.
When the scan has finished - if anything malicious is found - click the See Report button.
Click Save Report and save the file to your Desktop, so you can post this log in your next reply.
Thanks,
Charles



#10 suno2koo (Topic Starter, 15 posts)

Posted 01 May 2007 - 05:05 PM

ActiveScan report:


Incident Status Location

Virus:Trj/QQPass.AAI Disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Tina\LOCALS~1\Temp\~I7PRUGI1VAC.CoM
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tina\Cookies\tina@doubleclick[1].txt
Virus:Trj/Lineage.ALO Not disinfected C:\Documents and Settings\Tina\My Documents\FCZ048-5.rar[krnln.fne]
Virus:Trj/Lineage.ALO Not disinfected C:\Documents and Settings\Tina\My Documents\FCZ048-5.rar[krnln.fnr]
Virus:Trj/QQPass.AAI Disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Microsoft Shared\MSInfo\system.2dt.vir
Virus:Trj/Wow.LO Disinfected C:\QooBox\Quarantine\C\WINDOWS\2.exe.vir
Virus:Trj/Lineage.DIM Disinfected C:\QooBox\Quarantine\C\WINDOWS\3.exe.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\sclgntfys.dll.vir
Virus:Trj/Wow.LO Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\mppds.dll.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\system\.setupq\avps.exe.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\system\.setupq\novel.exe.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\system\sysbacks\avps.exe.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\system\sysbacks\dllhosts.dll.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\system\sysbacks\novel.exe.vir
Virus:Trj/Lineage.DJA Disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\winform.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-3996754506-1438885519-1629662125-1004\Dc6.exe[ComboFixT\nircmd.cfexe]
Adware:Adware/BaiduBar Not disinfected C:\temp\9999avps.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
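The report above mixes live files with hits inside quarantine folders, cookies and the recycle bin, and the replies that follow treat each group differently. As an added example (not from the thread or from Panda ActiveScan), the Python script below parses lines in this report's "Incident Status Location" format and sorts each hit by where it lives; the bucket names, the rule order and the Hit type are assumptions of this example, and the sample lines are a subset copied from the report above.

```python
"""Sort an ActiveScan-style report by where each hit lives before deciding what to delete.

Added example, not part of the thread or of Panda ActiveScan. It encodes the reasoning
the replies below apply: hits under ComboFix's quarantine (C:/QooBox) or the Deckard
backup are already neutralised copies and go with their folder, tracking cookies are
harmless, a hit inside C:/RECYCLER is cleared by emptying the bin, an archive member
means the whole archive goes, and anything else on disk is a live file to remove.
"Potentially unwanted tool" hits are listed for review rather than deleted blindly:
the RECYCLER entry in this very report shows NirCmd packaged inside ComboFix.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Lines copied from the ActiveScan report above (a subset), embedded so the script runs offline.
SAMPLE_REPORT = r"""
Virus:Trj/QQPass.AAI Disinfected C:\Deckard\System Scanner\backup\DOCUME~1\Tina\LOCALS~1\Temp\~I7PRUGI1VAC.CoM
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tina\Cookies\tina@doubleclick[1].txt
Virus:Trj/Lineage.ALO Not disinfected C:\Documents and Settings\Tina\My Documents\FCZ048-5.rar[krnln.fne]
Virus:Trj/Wow.LO Disinfected C:\QooBox\Quarantine\C\WINDOWS\2.exe.vir
Adware:Adware/BaiduBar Not disinfected C:\QooBox\Quarantine\C\WINDOWS\sclgntfys.dll.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-3996754506-1438885519-1629662125-1004\Dc6.exe[ComboFixT\nircmd.cfexe]
Adware:Adware/BaiduBar Not disinfected C:\temp\9999avps.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[^:]+):(?P<sig>\S+) (?P<status>Disinfected|Not disinfected) (?P<path>.+)$")
# Folders whose contents are copies made by cleaning tools (assumption: ComboFix and Deckard defaults).
QUARANTINE_PREFIXES = (r"c:\qoobox\quarantine", r"c:\deckard\system scanner\backup")
ARCHIVE_MEMBER_RE = re.compile(r"^(?P<archive>.+\.(?:rar|zip|cab))\[.+\]$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    kind: str
    signature: str
    status: str
    path: str


def parse(report: str) -> list:
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["kind"], m["sig"], m["status"], m["path"]))
    return hits


def bucket(hit: Hit) -> str:
    """Map a hit to the action its location implies; order matters, the first rule wins."""
    low = hit.path.lower()
    if any(low.startswith(p + "\\") for p in QUARANTINE_PREFIXES):
        return "quarantine_copy"   # remove the whole tool folder, not file by file
    if hit.kind == "Spyware" and hit.signature.startswith("Cookie/"):
        return "tracking_cookie"   # harmless; clear cookies if desired
    if low.startswith("c:\\recycler\\"):
        return "recycle_bin"       # emptying the bin clears it
    if ARCHIVE_MEMBER_RE.match(hit.path):
        return "archive_member"    # delete the containing archive
    if hit.kind == "Potentially unwanted tool":
        return "review_tool"       # may be a helper of a cleaning tool; confirm first
    return "live_file"             # present on disk and not yet handled: delete


def summarize(report: str) -> dict:
    groups = defaultdict(list)
    for hit in parse(report):
        groups[bucket(hit)].append(hit.path)
    return dict(groups)


def archive_to_delete(path: str) -> str:
    """For an archive-member hit, return the archive path the operator should delete."""
    m = ARCHIVE_MEMBER_RE.match(path)
    return m["archive"] if m else path


if __name__ == "__main__":
    for name, paths in summarize(SAMPLE_REPORT).items():
        print(name)
        for p in paths:
            print("   ", p)
```

Running it puts the three QooBox/Deckard entries under quarantine_copy (delete the folders), the .rar member under archive_member (delete the archive), the RECYCLER entry under recycle_bin, and leaves C:\temp\9999avps.exe as the only live_file, which matches the removal list in the next reply; C:\WINDOWS\nircmd.exe lands in review_tool rather than live_file.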

#11 rookie147 (Members, 5,321 posts)

Posted 02 May 2007 - 01:37 AM

Hello again,
Boot into Safe Mode and delete the following folders:

C:\Deckard
C:\QooBox

And the following files:

C:\Documents and Settings\Tina\My Documents\FCZ048-5.rar[krnln.fne]
C:\Documents and Settings\Tina\My Documents\FCZ048-5.rar[krnln.fnr]
C:\temp\9999avps.exe

Navigate to C:\temp and delete all of its contents.

Boot back into Normal Mode and let me know how things seem to be running now.
Thanks,
Charles



#12 suno2koo (Topic Starter, 15 posts)

Posted 02 May 2007 - 09:34 AM

Hi Charles,

After deleting the above, I rescanned with ActiveScan and it came up with the below.


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Tina\Cookies\tina@atdmt[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Tina\Cookies\tina@doubleclick[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-3996754506-1438885519-1629662125-1004\Dc6.exe[ComboFixT\nircmd.cfexe]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe

#13 rookie147 (Members, 5,321 posts)

Posted 02 May 2007 - 09:39 AM

The cookies are okay, and the one bad entry is a file in your recycle bin, so emptying that will sort this out.
How's your computer running?



#14 suno2koo (Topic Starter, 15 posts)

Posted 02 May 2007 - 12:21 PM

Looks like it's all back to normal and running smoothly.

#15 rookie147 (Members, 5,321 posts)

Posted 02 May 2007 - 01:07 PM

Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected:

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
Thanks and happy computing,
Charles





