Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Viruses that just don't go away AVG Can't Fix


  • Please log in to reply

#1
sacaircooled

sacaircooled

    New Member

  • Member
  • Pip
  • 1 posts
I am trying to track down a trojan horse that AVG kees trying to fix but keeps coming up.

Everytime I open Firefox, 3 pages under IE open up with ads.

I upgraded to New Firefox, and IE7, but am still having the same probles.

So far AVG has disabled my World Of Warcraft Game and has moved several files to it's vault.

it found a virus named:

I-Worm/Luder.A

Along with a ton of other viruses and worms.


I also ran Hijackthis, and here's the report it gave me:

Logfile of HijackThis v1.99.1
Scan saved at 2:40:20 AM, on 1/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\Program Files\Common Files\{2C5A3BF1-0710-1033-0916-050928000001}\Update.exe
C:\windows\system32\nodsregq.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\eFax Messenger 4.2\J2GTray.exe
C:\WINDOWS\system32\mwinpoea.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jason\My Documents\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O1 - Hosts: localhost 127.0.0.1
O1 - Hosts: 247.72.21.10 securityresponse.symantec.com
O1 - Hosts: 31.55.138.11 symantec.com
O1 - Hosts: 240.73.142.206 www.sophos.com
O1 - Hosts: 172.126.175.193 sophos.com
O1 - Hosts: 155.150.25.213 www.mcafee.com
O1 - Hosts: 53.119.246.59 mcafee.com
O1 - Hosts: 140.47.237.67 liveupdate.symantecliveupdate.com
O1 - Hosts: 192.138.6.234 www.viruslist.com
O1 - Hosts: 82.190.150.229 viruslist.com
O1 - Hosts: 175.181.19.148 viruslist.com
O1 - Hosts: 206.254.184.190 f-secure.com
O1 - Hosts: 156.215.6.5 www.f-secure.com
O1 - Hosts: 168.112.254.218 kaspersky.com
O1 - Hosts: 80.75.158.8 kaspersky-labs.com
O1 - Hosts: 71.220.5.245 www.avp.com
O1 - Hosts: 205.84.48.195 www.kaspersky.com
O1 - Hosts: 102.42.223.250 avp.com
O1 - Hosts: 100.92.109.80 www.networkassociates.com
O1 - Hosts: 171.128.46.71 networkassociates.com
O1 - Hosts: 90.129.190.46 www.ca.com
O1 - Hosts: 221.65.184.67 ca.com
O1 - Hosts: 156.238.51.1 mast.mcafee.com
O1 - Hosts: 33.197.39.79 my-etrust.com
O1 - Hosts: 15.138.117.40 www.my-etrust.com
O1 - Hosts: 193.120.194.245 download.mcafee.com
O1 - Hosts: 216.244.89.24 dispatch.mcafee.com
O1 - Hosts: 150.185.199.120 secure.nai.com
O1 - Hosts: 210.209.116.13 nai.com
O1 - Hosts: 110.144.73.39 www.nai.com
O1 - Hosts: 248.228.73.11 update.symantec.com
O1 - Hosts: 140.175.160.9 updates.symantec.com
O1 - Hosts: 116.127.3.177 us.mcafee.com
O1 - Hosts: 59.79.115.85 liveupdate.symantec.com
O1 - Hosts: 173.62.63.90 customer.symantec.com
O1 - Hosts: 230.76.197.55 rads.mcafee.com
O1 - Hosts: 121.147.229.131 trendmicro.com
O1 - Hosts: 78.28.25.111 www.trendmicro.com
O1 - Hosts: 72.37.152.30 www.grisoft.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C5A3~1\Bar888.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ymnschm.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ymnschm.dll,ilzjmdg
O4 - HKLM\..\Run: [dePloy] InpriseMon.exe
O4 - HKLM\..\Run: [defect08] AppMasterCenter.exe
O4 - HKLM\..\Run: [Ultimate Defender] "C:\Program Files\Ultimate Defender\App.exe" hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [{2C5A3BF1-0710-1033-0916-050928000001}] "C:\Program Files\Common Files\{2C5A3BF1-0710-1033-0916-050928000001}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [{A3-3B-BF-F1-ZN}] C:\windows\system32\nodsregq.exe SED001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mwinpoea.exe SED001
O4 - HKLM\..\Run: [sasun] C:\WINDOWS\sasunx.exe
O4 - HKLM\..\Run: [qwertybot.exe] C:\WINDOWS\system32\qwertybot.exe
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\gkbythjq.dll",setvm
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.6.2.15\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [3d6627a1.exe] C:\Documents and Settings\Jason\Local Settings\Application Data\3d6627a1.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\2\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [winsock32] winsock32
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - Startup: .protected
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\mwinpoea.exe
O4 - Global Startup: .protected
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: eFax 4.2.lnk = C:\Program Files\eFax Messenger 4.2\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?f97b50594e064d768f8d69500db3368b
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?f97b50594e064d768f8d69500db3368b
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay10...es/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9E6E013B-2FB8-4CD0-A117-4A0FD3CBDE78}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{ACE013D0-474E-4EFA-AFAC-046A87D0314A}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\..\{9E6E013B-2FB8-4CD0-A117-4A0FD3CBDE78}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi202371.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: winsock32 (winsock32.exe) - Unknown owner - C:\WINDOWS\winsock32.exe (file missing)

Can you tell me if there is something on that list I need to delete?

I also have a problem with SP2, after the install I have lost the ability to display any desktop wallpaper other than the blue background, when I open the display properties, it shows the list of files, but they are grey instead of white and I cannot click on them or the browse button. The only desktop display I can get is webpages.




:whistling: :blink: :help: :) :rofl: :rofl: :help: :lol: :D :)
  • 0

Advertisements


#2
Kenny94

Kenny94

    Member 1K

  • Member
  • PipPipPipPip
  • 1,595 posts
Hello sacaircooled and Welcome to Geeks To Go!

WOW! You have a lot of infections! Just about all of them... We should be able to clean these up.. :whistling:

Before we are going to deal with the entries of the log I would like to see what we can get rid of in the normal way.

I would like you to generate a "Add/Remove Software list" log using the HijackThis application. Here is how you can do this:


* Open Hijackthis, In the lower right corner click the "Config..." (Configuration) button.
* Once in the "Configuration" panel, click "Misc Tools" button.
* Then click the "Open Uninstall Manager..." button.
* The "Add/Remove Programs Manager" panel should appear.
* In this panel click the "Save list" button.
* Save the "uninstall_list.txt" file to its default location.
* Then copy and paste the notepad text that appears in the generated "unistall_list.txt" file in a reply to this post.

Also, It is likely that you have a variant of the Vundo trojan that hides itself from HijackThis.exe so if we rename HijackThis, the entries should become visible.

Go to the C:\Program Files\HijackThis folder. Right click on the HijackThis.exe file and select "Rename". Rename it geek.exe.

In your next reply, please include these log(s):

* HijackThis Uninstall List
* HijackThis log (new)


Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

Edited by Kenny94, 30 January 2007 - 07:24 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP