[Closed] Virus? Trojan? Please Help


This topic is locked
8 replies to this topic

#1 wertpol (New Member, 4 posts)

Posted 19 July 2007 - 06:06 AM

Hi,

I'm running XP with broadband internet.

Recently when I was online, my wallpaper went red and I kept getting warnings and alerts at the bottom of my screen and was directed to a site to purchase spyware removal software. Also my task manager was disabled.

I managed to fix these issues by running AVG and Spybot but now when I connect to the internet my sent bytes increase at an astonishing rate. In 10min my computer would have uploaded about 500MB. Just continual uploading.

This has rendered my internet useless as all my bandwidth is being used up by this constant uploading. So I cannot even view webpages or download.

A friend told me that I should go to housecall.com to run a test but as I can't even view webpages this is impossible.

I have also been told that I may need to format my pc from my XP disc, but as everything else seems to be working perfectly and this is the only issue, I don't want to have to do this.

Any help would be greatly appreciated.

I ran hijackthis and here is my log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\windows\system32\mstsdsc.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\lxcicoms.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winamp.exe
C:\Documents and Settings\Chris\My Documents\Avant Browser\avant.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [agent] C:\WINDOWS\System32\agent.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mstsdsc.exe] c:\windows\system32\mstsdsc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PowerBar] "\PowerBar.exe" /AtBootTime
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\Chris\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\Chris\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\Chris\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\Chris\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\Chris\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\Chris\My Documents\Avant Browser\Search.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Broken Internet access because of LSP provider 'rsvp322.dll' missing
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.de...iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170727795031
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Chris\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe
O23 - Service: Wireless Zero Configuration WZCSVCSamSs (WZCSVCSamSs) - Unknown owner - C:\WINDOWS\System32\APPXEC32n.exe



#2 SNOWHITE (Retired GTG Staff, Authentic Member, 165 posts)

Posted 19 July 2007 - 10:55 AM

Hello wertpol :)

My name is SNOWHITE and I will be helping you with your Malware problem.

There is a backdoor trojan detected on your system. This gives hackers full access to everything stored on the computer!

I recommend these actions:

1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

More info can be found here:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?


Some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft...gmt/sm0704.mspx

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS.

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

If you choose to format and reinstall see this link for instructions:
http://www.cyberwalk...nstall-faq.html

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.


Best regards,
SNOWHITE
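The checks a helper makes by eye on a HijackThis log, written out as a small added triage script (it is not code from this thread or from HijackThis itself): it reads O4/O10/O23 lines of the kind posted above and flags service entries reported as "Unknown owner" or "(file missing)", binaries living in a Temp directory, run entries without an absolute path, and any O10 LSP line. The input lines are copied from the first log in the thread; the rules are review hints, not verdicts.

```python
"""Heuristic triage of HijackThis (HJT) O4/O10/O23 log lines.

Rules are review hints only: an entry is flagged because it matches a pattern
a helper looks at first, not because it is known to be malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: a handful of lines copied from the first log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PowerBar] "\PowerBar.exe" /AtBootTime
O10 - Unknown file in Winsock LSP: c:\windows\system32\tmwsock.dll
O10 - Broken Internet access because of LSP provider 'rsvp322.dll' missing
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: MS Software Shadow Download Provider (dnlsvc) - Unknown owner - C:\DOCUME~1\Chris\LOCALS~1\Temp\dnlsvc.exe (file missing)
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe
O23 - Service: Wireless Zero Configuration WZCSVCSamSs (WZCSVCSamSs) - Unknown owner - C:\WINDOWS\System32\APPXEC32n.exe
""".strip()

# Every HJT entry starts with a section tag such as O4, O10, O23.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 body: '[name] path', '[name] "quoted path" /args' or '[name] path /args'.
RUN_RE = re.compile(r'Run: \[(?P<name>[^\]]*)\] (?:"(?P<quoted>[^"]*)"|(?P<bare>.*?))(?:\s+[/-]\S.*)?$')
# O23 body: 'Service: display - owner - path [(file missing)]'; owner may be empty ('- -').
SVC_RE = re.compile(r"^Service: (?P<display>.*?) - (?P<owner>.*?)\s?- (?P<path>.*?)(?P<missing> \(file missing\))?$")
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)")
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str
    reasons: Tuple[str, ...]
    line: str


def _path_reasons(path: str) -> List[str]:
    """Hints derived from where an autostart binary lives."""
    reasons = []
    if not ABS_PATH_RE.match(path):
        reasons.append("not an absolute path")
    if TEMP_RE.search(path):
        reasons.append("runs from a Temp directory")
    return reasons


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = ENTRY_RE.match(line)
    if not m:
        return None  # process list, headers, blank lines
    section, body = m.group("section"), m.group("body")
    reasons: List[str] = []
    if section == "O4":
        r = RUN_RE.search(body)
        if r:
            path = r.group("quoted") if r.group("quoted") is not None else r.group("bare")
            reasons += _path_reasons(path)
    elif section == "O10":
        # HJT only prints O10 lines for LSP chain problems (unknown file or broken chain).
        reasons.append("Winsock LSP entry needs review")
    elif section == "O23":
        s = SVC_RE.match(body)
        if s:
            if s.group("owner") == "Unknown owner":
                reasons.append("service reported as 'Unknown owner'")
            if s.group("missing"):
                reasons.append("service binary is missing on disk")
            reasons += _path_reasons(s.group("path"))
    if not reasons:
        return None
    return Finding(section, tuple(reasons), line)


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {'; '.join(finding.reasons)}\n    {finding.line}")
```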

#3 wertpol (New Member, 4 posts)

Posted 19 July 2007 - 10:36 PM

Thank you for that info.

That is very worrying about passwords etc.

Even if I didn't enter any passwords or numbers while this trojan was on my pc, could the information still have been obtained?

I attempted to rid my computer of the harmful files with the use of autoruns and AVG and now the problem doesn't exist.

But I'm very worried about my information being stolen.

Here is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:26 PM, on 20/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\WINDOWS\System32\lxcicoms.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\Microsoft Office\Office\excel.exe
C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\calc.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PowerBar] "\PowerBar.exe" /AtBootTime
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\Chris\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\Chris\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\Chris\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\Chris\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\Chris\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\Chris\My Documents\Avant Browser\Search.htm
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.de...iler/SysPro.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170727795031
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39A0A67B-2075-46D2-B506-E19CB73C1D7D}: NameServer = 203.31.48.7 203.31.48.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe

#4 SNOWHITE (Retired GTG Staff, Authentic Member, 165 posts)

Posted 20 July 2007 - 06:54 PM

Hello wertpol,

"Even if I didn't enter any passwords or numbers while this trojan was on my pc, could the information still have been obtained?"

Well, it is very hard to tell. It depends on what kind of infection there is, how long the infection was present on the computer and also if there were/are other hidden processes etc.

"I attempted to rid my computer of the harmful files with the use of autoruns and AVG and now the problem doesn't exist."

Your log seems to be clean now, but we will do some more research.

Please follow these steps:

Step #1

* Click start then run, type prefetch then press enter, click edit then select all, (all files will highlight), right click any file, click delete, confirm.


* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Step #2

Please do an online scan with Kaspersky WebScanner

NOTE: This Scanner will work with Internet Explorer Only!

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under "Select a target to scan", select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As... button:
  • Under Save as type select Text file write name for the file and save it to your Desktop.
  • Locate the file at the Desktop, open it, then copy and paste that information in your next post.
Step #3

Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

Step #4
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.
In your next post please include the following reports:
  • Kaspersky report
  • GMER report
  • uninstall list
Regards,
SNOWHITE

#5 wertpol (New Member, 4 posts)

Posted 21 July 2007 - 07:20 AM

Kaspersky report
Saturday, July 21, 2007 10:56:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/07/2007
Kaspersky Anti-Virus database records: 366099


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 71346
Number of viruses found 9
Number of infected objects 14 / 0
Number of suspicious objects 0
Duration of the scan process 00:48:44

Infected Object Name Virus Name Last Action
C:\229C.tmp Infected: Trojan-PSW.Win32.LdPinch.mn skipped

C:\229F.tmp Infected: Trojan-PSW.Win32.LdPinch.mn skipped

C:\33F9.tmp Infected: Trojan-PSW.Win32.LdPinch.mn skipped

C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\abook.mab Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\cert8.db Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\key3.db Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\Mail\Local Folders\Inbox.msf Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\Mail\Local Folders\Junk.msf Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\Mail\Local Folders\Templates.msf Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\Mail\Local Folders\Trash.msf Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\panacea.dat Object is locked skipped

C:\Documents and Settings\Chris\Application Data\Thunderbird\Profiles\guy85ujr.default\parent.lock Object is locked skipped

C:\Documents and Settings\Chris\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Chris\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\History\History.IE5\MSHist012007072120070722\index.dat Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temp\~ROMFN_00000FE0 Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\7AC3FD0L\bind[1].com&t=1 Object is locked skipped

C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Chris\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Chris\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DML3LHY0\ie[1].php Infected: Exploit.HTML.IframeBof skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023709.sys Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023724.sys Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023744.sys Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023749.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023787.sys Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023805.exe Infected: Trojan-Proxy.Win32.Cimuz.cl skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP101\A0023812.sys Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023847.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023848.sys Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023849.dll Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023850.dll Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023851.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023852.dll Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023853.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023854.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023855.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023856.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023857.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP103\A0023858.exe Object is locked skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP107\A0026304.exe Infected: not-virus:Hoax.Win32.Renos.dk skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP108\A0026657.exe Infected: Trojan-Proxy.Win32.Cimuz.cl skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP108\A0026658.exe Infected: Backdoor.Win32.IRCBot.acn skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP108\A0026659.dll Infected: Trojan-Downloader.Win32.VB.apq skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP108\A0026660.dll Infected: Trojan-Proxy.Win32.Cimuz.cl skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP108\A0026661.dll Infected: Trojan-Downloader.Win32.VB.asx skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP109\A0026719.exe Infected: Trojan-Proxy.Win32.Cimuz.cl skipped

C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP109\change.log Object is locked skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\msorcl32.exe Infected: not-virus:Hoax.Win32.Renos.fn skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


GMER report
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-21 23:18:18
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.13 ----

SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 80502770 4 Bytes [ AC, B8, D2, F7 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 8050298C 4 Bytes [ 12, B8, D2, F7 ]
.text ntdll.dll!NtCreateSection 77F75A21 1 Byte [ E9 ]
.text ntdll.dll!NtCreateSection + 2 77F75A23 3 Bytes [ 12, 0C, FA ]

---- User code sections - GMER 1.0.13 ----

.text C:\Documents and Settings\Chris\My Documents\gmer\gmer.exe[2716] ntdll.dll!NtCreateSection 77F75A21 1 Byte [ E9 ]
.text C:\Documents and Settings\Chris\My Documents\gmer\gmer.exe[2716] ntdll.dll!NtCreateSection + 2 77F75A23 3 Bytes [ 12, 0C, FA ]

---- User IAT/EAT - GMER 1.0.13 ----

IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\System32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\System32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL
IAT C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE[296] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [01687376] C:\PROGRA~1\MOZILL~1\extensions\talkback@mozilla.org\components\FULLSOFT.DLL

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F7B55404] avg7rsw.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7BBF85A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7BBF85A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7BBF85A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7BBF85A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7BBF85A] avgtdi.sys

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F7B55404] avg7rsw.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F7B55404] avg7rsw.sys

---- EOF - GMER 1.0.13 ----


uninstall list
AVG 7.5
AVG Anti-Spyware 7.5
BitLord 1.1
Broadcom Gigabit Integrated Controller
Bruce's Unusual Typing Wizard, Version 1.5.0
Commandos Strike Force Demo
Digital TV Box
DivX Codec
DivX Converter
DivX Player
DVD Solution
ExtractNow
GameShadow
HijackThis 1.99.1
Hitman Blood Money
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 3
Kaspersky Online Scanner
Lexmark 7300 Series
LG Internetkit
LG PhoneManager
LG SyncManager
LG USB Modem driver
LimeWire 4.12.11
Mavis Beacon Teaches Typing Deluxe 16
Microsoft .NET Framework 2.0
Microsoft Office 97, Standard Edition
Microsoft SOAP Toolkit 3.0
Mozilla Thunderbird (1.5.0.12)
Multimedia Launcher
MYOB Accounting Plus v15
MYOB AssetManager Pro v3 Test Drive
PowerDVD
Presto! Forms 3.50.01
Presto! PageManager 7.12.02
Presto! PVR
Print to Fax
SoundMAX
Spybot - Search & Destroy 1.4
Stamina 2.5
Ten Thumbs 4.5.1
Update for Windows XP (KB898461)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB822603
Windows XP Hotfix - KB842773
WinRAR archiver

#6 SNOWHITE

SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • 165 posts

Posted 22 July 2007 - 09:53 AM

Hello wertpol,

PLEASE READ THIS POST COMPLETELY, IT MAY MAKE IT EASIER FOR YOU IF YOU COPY AND PASTE THIS POST INTO A NEW TEXT DOCUMENT OR PRINT IT FOR REFERENCE LATER



Please follow the steps below exactly in the order they are written:

Step #1

Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\229C.tmp
    C:\229F.tmp
    C:\33F9.tmp
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DML3LHY0\ie[1].php
    C:\WINDOWS\system32\msorcl32.exe


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2

  • Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode. Use your up arrow key to highlight Safe Mode then hit Enter.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
  • If you use the Firefox browser, click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser, click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
  • For Technical Support, double-click the e-mail address located at the bottom of each menu.


  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, click Options > Change settings.
  • Choose the "Scan" tab and remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

Post back with the Dr.Web CureIt report and a new HijackThis log.


Regards,
SNOWHITE

#7 wertpol

wertpol

    New Member

  • New Member
  • 4 posts

Posted 23 July 2007 - 09:49 AM

Dr Web Cure it log

A0027858.dll;C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP170;Trojan.PWS.Tanspy;Deleted.;
A0027859.exe;C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP170;BackDoor.Generic.1599;Deleted.;
A0027860.exe;C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP170;Tool.Prockill;Incurable.Moved.;
A0027861.exe;C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP170;Tool.ShutDown.11;Incurable.Moved.;
A0027862.exe;C:\System Volume Information\_restore{811737B7-0320-47E4-BE1E-1BC038C5139F}\RP170;Tool.Prockill;Incurable.Moved.;

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 1:16:26 AM, on 24/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Lexmark 7300 Series\lxcimon.exe
C:\Program Files\Lexmark 7300 Series\ezprint.exe
C:\WINDOWS\System32\lxcicoms.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft Office\Office\excel.exe
C:\Program Files\Avant Browser\avant.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxcimon.exe] "C:\Program Files\Lexmark 7300 Series\lxcimon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7300 Series\ezprint.exe"
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [PowerBar] "\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: Add to AD Black List - C:\Documents and Settings\Chris\My Documents\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Documents and Settings\Chris\My Documents\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Documents and Settings\Chris\My Documents\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Documents and Settings\Chris\My Documents\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Open In New Avant Browser - C:\Documents and Settings\Chris\My Documents\Avant Browser\OpenInNewBrowser.htm
O8 - Extra context menu item: Search - C:\Documents and Settings\Chris\My Documents\Avant Browser\Search.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://supportapj.de...iler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170727795031
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1185122856468
O16 - DPF: {E856B973-45FD-4559-8F82-EAB539144667} (Dell PC Checkup Installer Control) - http://pccheckup.del...ll/gtdownde.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39A0A67B-2075-46D2-B506-E19CB73C1D7D}: NameServer = 203.31.48.7 203.31.48.11
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe

#8 SNOWHITE

SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • 165 posts

Posted 26 July 2007 - 01:04 PM

Hello wertpol,

Sorry for the delay, due to some personal problems I was not able to reply to you earlier.

Step #1

Please re-open HiJackThis and click on "Do a system scan only". Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

* Optional

The next programs are very likely the reason your system is infested with malware. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove these programs from your system.

BitLord 1.1
LimeWire 4.12.11


Step #2

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 2 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Read the License Agreement and then check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • J2SE Runtime Environment 5.0 Update 3
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Step #3

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

- ZoneAlarm

- Comodo - If you decide to install Comodo, here is a good and easy to understand tutorial http://www.nordicnat...ials/index.html

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Please post back with new HijackThis log.

Have you run OTMoveIt to remove the files instructed from my previous post?
How is the computer running?


Regards,
SNOWHITE
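As an added example (not code from this thread or from any of its posters), here are the triage heuristics a reviewer applies by hand to a HijackThis log like the one above, written in Python: orphaned or unnamed browser add-ons (the O2 entry fixed in this post), autostart entries whose executable sits outside Windows or Program Files (the "\PowerBar.exe" entry is the kind that gets a second look), NameServer entries to confirm against the ISP, Winlogon hooks, and services with no vendor string. The sample log is constructed from entries posted in this thread and the trusted-root list is an assumption for this XP box; flagged entries are leads to verify, not verdicts.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, drawn from entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [LXCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCItime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [PowerBar] "\PowerBar.exe" /AtBootTime
O17 - HKLM\System\CCS\Services\Tcpip\..\{39A0A67B-2075-46D2-B506-E19CB73C1D7D}: NameServer = 203.31.48.7 203.31.48.11
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: lxci_device - - C:\WINDOWS\System32\lxcicoms.exe
"""

# Roots an autostart executable is expected to live under on this XP box (assumption for the example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

def first_executable(command):
    """Return the executable (or, for rundll32, the DLL) named by an O4 Run command."""
    command = re.sub(r"%systemroot%", r"C:\\WINDOWS", command, flags=re.I)
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)   # quoted path or first token
    if not m:
        return ""
    exe = m.group(1) or m.group(2)
    if exe.lower() == "rundll32":                     # rundll32 <dll>,<entry>: inspect the DLL
        rest = command.split(None, 1)[1] if " " in command.strip() else ""
        exe = first_executable(rest).split(",")[0]
    return exe

def triage(log_text):
    """Return (section, reason, line) for each entry a reviewer should look at; leads, not verdicts."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        if section in ("O2", "O3") and ("(no file)" in line or "(no name)" in line):
            findings.append((section, "orphaned or unnamed browser add-on", line))
        elif section == "O4":
            m = re.search(r"\[[^\]]*\]\s*(.+)$", line)
            exe = first_executable(m.group(1)) if m else ""
            if not exe.lower().startswith(TRUSTED_ROOTS):
                findings.append((section, "autostart outside Windows/Program Files: " + exe, line))
        elif section == "O17":
            findings.append((section, "confirm the NameServer addresses belong to your ISP", line))
        elif section in ("O20", "O21"):
            findings.append((section, "Winlogon/shell hook: verify the DLL's vendor", line))
        elif section == "O23" and " - - " in line:
            findings.append((section, "service with no vendor string: verify manually", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section}: {reason}\n    {line}")
```

Run against the sample it reports five leads (the nameless BHO, the PowerBar autostart, the O17 DNS servers, the Winlogon hook and the vendorless lxci_device service); the Lexmark service is benign, which is why every hit still needs a human check.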

#9 SNOWHITE

SNOWHITE

    Retired GTG Staff

  • Authentic Member
  • 165 posts

Posted 12 August 2007 - 05:22 AM

Due to inactivity this topic will be closed. If you need help please start a new thread and post a new HJT log.
SNOWHITE