
9129837.exe, Blank Desktop, Hacktoolkit found and trojan horses!


  • This topic is locked

#1
Joshermon

    New Member

  • Member
  • 7 posts
Recently Norton found a hacktoolkit and then some trojan horse viruses started to show up. I got a security warning to run BraveSentry. So I did, like an idiot. I ran the following:

Norton Corporate Edition All File Scan - removed all infections except one.
Adaware - twice
AVG - once removed everything
Panda Activescan - created report (see below)
Have windows SP2
Ran Hijack This - Created Report (See Below)

Here are the reports:

Logfile of HijackThis v1.99.1
Scan saved at 12:45:31 PM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINNT\system32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Farmer21\Local Settings\Temporary Internet Files\Content.IE5\IVCNQX2P\HijackThis[1].exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42DCD648-CE30-1242-FF24-08F8E4F787D5} - C:\WINNT\system32\pnmqkdf.dll
O2 - BHO: (no name) - {5CCE4F0A-3647-17BE-5149-0438ED5E83FA} - C:\WINNT\system32\zrvjgi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [tvxabcd.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvxabcd.dll,wiysgne
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download2.gam...nts/y/pt3_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1153715061406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:52:20 AM 10/20/2006

+ Scan result:



C:\Program Files\BraveSentry -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\BraveSentry.lic -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\Uninstall.exe -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Downloads\MLBcomShuffleSetup-dm[1].exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\1.dlb -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\system32\dlh9jkdq1.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\vx2.game -> Downloader.Small.cib : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\5.dlb -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\WINNT\system32\dlh9jkdq5.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\WINNT\system32\kernels1118.exe -> Downloader.Small.dgk : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\vxt2.game -> Downloader.Small.dwx : Cleaned with backup (quarantined).
C:\WINNT\system32\kernels8.exe -> Downloader.Tibs.if : Cleaned with backup (quarantined).
C:\lo731225535.exe -> Downloader.Tibs.if : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\ctaijydv.exe -> Hijacker.Small.cc : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temporary Internet Files\Content.IE5\Y01LF7ZR\runfile[1].exe -> Hijacker.Small.cc : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\vx1.game -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\WINNT\system32\vxgame1.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
[232] C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Farmer21\Cookies\farmer21@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Farmer21\Cookies\farmer21@clickbank[2].txt -> TrackingCookie.Clickbank : Cleaned.
C:\Documents and Settings\Farmer21\Cookies\farmer21@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Farmer21\Cookies\farmer21@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Farmer21\Local Settings\Temp\maxdd1.game -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\temp.fr7684 -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\Documents and Settings\Farmer21\Local Settings\Temp\vx3.game -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINNT\9129837.exe -> Trojan.Small.bs : Cleaned with backup (quarantined).
C:\WINNT\system32\adir.dll -> Worm.Banwarum.f : Cleaned with backup (quarantined).


::Report end

UNINSTALL LIST___________________________

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.8
ArcSoft Multimedia Email
ArcSoft PhotoImpression 5
AVG Anti-Spyware 7.5
Battlefield 2™
Creative WebCam Center
Creative WebCam Instant Driver (1.01.02.0729)
Creative WebCam Instant User's Guide (English)
Diego`s Wolf Pup Rescue (remove only)
EA SPORTS online 2004
Get Yahoo! Messenger
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Intel® PRO Network Connections
LiveUpdate 1.80 (Symantec Corporation)
Microsoft Office 2000 SR-1 Professional
MSN Music Assistant
NBA LIVE 2004
NVIDIA Drivers
Panda ActiveScan
Paradise Poker
Shockwave
Skype 2.5
SoundMAX
Symantec AntiVirus Client
Tiger Woods PGA TOUR 2004
Windows Media Format Runtime
Windows Media Player 10

------------------------------------------

ActiveScan report:


Incident Status Location

Adware:adware/adsmart Not disinfected c:\winnt\system32\dlh9jkdq2.exe
Adware:adware/bravesentry Not disinfected Windows Registry
Please help. Any ideas on where to start?

Joshermon
  • 0



#2
Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Please download Vundofix, and follow these instructions:
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Please download SmitfraudFix (by S!Ri). Extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and pressing Enter. Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hitting Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hitting Enter.

A reboot may be needed to finish the cleaning process. If your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log, and will locate it at C:\rapport.txt. Please post that log along with all others requested in your next reply.

Please post the SmitfraudFix report, the VundoFix log and a new HJT log. :whistling:
  • 0

#3
Joshermon

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here is the VundoFix text. I am doing the next step now.


VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 2:37:54 PM 10/20/2006

Listing files found while scanning....

C:\WINNT\system32\ifslixb.dll
C:\WINNT\system32\pnmqkdf.dll

Beginning removal...

Attempting to delete C:\WINNT\system32\ifslixb.dll
C:\WINNT\system32\ifslixb.dll Has been deleted!

Attempting to delete C:\WINNT\system32\pnmqkdf.dll
C:\WINNT\system32\pnmqkdf.dll Has been deleted!

Performing Repairs to the registry.
Done!
  • 0

#4
Joshermon

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here is the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:03:28 PM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\adirss.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Farmer21\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42DCD648-CE30-1242-FF24-08F8E4F787D5} - C:\WINNT\system32\pnmqkdf.dll (file missing)
O2 - BHO: (no name) - {5CCE4F0A-3647-17BE-5149-0438ED5E83FA} - C:\WINNT\system32\zrvjgi.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [tvxabcd.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvxabcd.dll,wiysgne
O4 - HKLM\..\Run: [adir] C:\WINNT\system32\adirss.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download2.gam...nts/y/pt3_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1153715061406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

Here is the other thing you needed.

SmitFraudFix v2.112

Scan done at 14:54:17.89, Fri 10/20/2006
Run from C:\Documents and Settings\Farmer21\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINNT\system32\dlh9jkdq?.exe Deleted
Problem while deleting C:\WINNT\system32\taskdir.exe
C:\WINNT\system32\taskdir~.exe Deleted
Problem while deleting C:\WINNT\system32\zlbw.dll

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINNT\system32\taskdir.exe Deleted
C:\WINNT\system32\zlbw.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End

Edited by Joshermon, 20 October 2006 - 04:27 PM.

  • 0

#5
Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Open HijackThis and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

O2 - BHO: (no name) - {42DCD648-CE30-1242-FF24-08F8E4F787D5} - C:\WINNT\system32\pnmqkdf.dll (file missing)
O2 - BHO: (no name) - {5CCE4F0A-3647-17BE-5149-0438ED5E83FA} - C:\WINNT\system32\zrvjgi.dll

O4 - HKLM\..\Run: [tvxabcd.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvxabcd.dll,wiysgne
O4 - HKLM\..\Run: [adir] C:\WINNT\system32\adirss.exe

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai...5/installer.exe

O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINNT\system32\adirss.exe
    C:\WINNT\system32\zrvjgi.dll
    C:\WINNT\system32\tvxabcd.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please post a new HJT log. :whistling:
  • 0
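As an added illustration (not code from this thread, from HijackThis or from the tools named in it), the following Python applies the kind of triage Tigger93 did by eye on the log above: it flags BHOs registered with no name, entries whose target file is missing, Run keys that launch rundll32 with an unrecognised DLL or an executable dropped straight into the Windows directory, and Winlogon Notify DLLs living outside system32. The sample log is a constructed subset of the posted entries, and the two allowlists are constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis 1.99.1 lines posted in this thread
# (paths and CLSIDs copied from the log), mixing benign and flagged entries.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {42DCD648-CE30-1242-FF24-08F8E4F787D5} - C:\WINNT\system32\pnmqkdf.dll (file missing)
O2 - BHO: (no name) - {5CCE4F0A-3647-17BE-5149-0438ED5E83FA} - C:\WINNT\system32\zrvjgi.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [tvxabcd.dll] C:\WINNT\system32\rundll32.exe C:\WINNT\system32\tvxabcd.dll,wiysgne
O4 - HKLM\..\Run: [adir] C:\WINNT\system32\adirss.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
"""

HJT_LINE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_ENTRY = re.compile(r"\[(?P<label>[^\]]*)\]\s*(?P<cmd>.*)")

# Allowlists constructed for this example; a real triage list would be much longer.
KNOWN_RUNDLL32_DLLS = {"nvmctray.dll"}
KNOWN_WINDIR_AUTORUNS = {"rundll32.exe"}
WINDOWS_DIRS = ("c:\\winnt\\", "c:\\windows\\")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_token(cmd: str) -> str:
    # Program path at the start of a Run command, honouring a quoted path.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log: str) -> list[Finding]:
    """Run the heuristics over every recognised HijackThis line and collect hits."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, body, line = m.group("section"), m.group("body"), raw.strip()
        low = body.lower()
        if "(file missing)" in low:  # registry still references a deleted file
            findings.append(Finding(section, "orphaned entry: target file is missing", line))
        if section == "O2" and "(no name)" in low:
            findings.append(Finding(section, "BHO registered without a name", line))
        elif section == "O4" and (run := RUN_ENTRY.search(body)):
            cmd = run.group("cmd")
            target = first_token(cmd)
            if basename(target) == "rundll32.exe":
                # rundll32 <dll>,<export>: judge the DLL, not rundll32 itself
                dll = basename(cmd.split()[-1].split(",")[0])
                if dll not in KNOWN_RUNDLL32_DLLS:
                    findings.append(Finding(section, f"rundll32 loads unrecognised DLL {dll}", line))
            elif target.lower().startswith(WINDOWS_DIRS) and basename(target) not in KNOWN_WINDIR_AUTORUNS:
                findings.append(Finding(section, "autorun executable dropped into the Windows directory", line))
        elif section == "O20":
            dll_path = body.split(" - ", 1)[-1].replace("(file missing)", "").strip().lower()
            if "\\system32\\" not in dll_path:
                findings.append(Finding(section, "Winlogon Notify DLL outside system32", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Running it against the sample reproduces the helper's list (pnmqkdf, zrvjgi, tvxabcd, adirss, winsys2f) plus the HKCU "Windows update loader" entry from the first log, while the Adobe, Symantec, NVIDIA and AVG entries pass.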

#6
Joshermon

    New Member

  • Topic Starter
  • Member
  • 7 posts
Here is the last HJT Log File.

Logfile of HijackThis v1.99.1
Scan saved at 5:12:15 PM, on 10/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Farmer21\Desktop\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Poker - http://download2.gam...nts/y/pt3_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1153715061406
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
  • 0

#7
Joshermon

    New Member

  • Topic Starter
  • Member
  • 7 posts
Everything looked good until this morning. I haven't even been online yet and here is what Norton detected.

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Backdoor.Trojan
File: C:\System Volume Information\_restore{6ECC1D9C-B211-4ABC-A3D5-FF2A7CD86394}\RP2\A0000057.exe
Location: C:\System Volume Information\_restore{6ECC1D9C-B211-4ABC-A3D5-FF2A7CD86394}\RP2
Computer: FARMER2
User: SYSTEM
Action taken: Delete succeeded : Access denied
Date found: Saturday, October 21, 2006 12:24:18 PM

Any ideas on how it keeps coming back?

Joshermon
  • 0

#8
Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

1. Turn off System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* Check Turn off System Restore.
* Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
* On the Desktop, right-click My Computer.
* Click Properties.
* Click the System Restore tab.
* UN-Check Turn off System Restore.
* Click Apply, and then click OK.

System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
and a good antivirus (these are also free for personal use):
It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Have a safe and happy computing day!

If you still have any problems, please let me know. This will also fix the problem Norton is reporting, since we're flushing your System Restore. :whistling:
  • 0

#9
Joshermon

    New Member

  • Topic Starter
  • Member
  • 7 posts
Thanks for all of your help. Everything is running smoothly!

You guys rock :whistling:
  • 0

#10
Tigger93

    Trusted Helper

  • Retired Staff
  • 1,870 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
