
Computer crashing when running adaware/avg etc


#1 San77 (New Member)

Hi guys, I hope you can help me. My second machine has been acting very strangely. IE has been crashing randomly for a while, so I thought I would run AVG and Ad-Aware Personal (the two programs have always been very useful) to see if I could find what the problem was. Unfortunately, whenever I run these they crash after a few seconds, and the computer goes to a blue screen with a fatal exception error.

I had a look on your forums here and there seemed to be a few others suffering the same way, so I stopped Ad-Aware the moment it found a problem. I could see that the problem it found was called win32.trojandownloader.conhook, but before I can remove it the computer heads back to that blue screen.

Please, please, please help.

Below is the log from HijackThis. I hope I have done this correctly. I also scanned with ATF prior to running the HijackThis scan, as suggested in the sticky post.

San.

Logfile of HijackThis v1.99.1
Scan saved at 3:59:23 PM, on 1/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\csvhost.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {23314D99-1240-4d4f-A25C-17E44823D048} - C:\WINDOWS\System32\ipv6monl.dll
O2 - BHO: (no name) - {2e053ad7-678b-4af8-b5ac-49fc52a7c991} - C:\WINDOWS\system32\msenec6.dll
O2 - BHO: (no name) - {36DBC179-A19F-48F2-B16A-6A3E19B42A87} - C:\WINDOWS\System32\ipv6monl.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\tmp4.tmp.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [csvhost.exe] c:\windows\system32\csvhost.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MSN] "C:\WINDOWS\System32\msn.exe" /INITSERVICE
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\hgfcay.dll",setvm
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O20 - AppInit_DLLs:
O20 - Winlogon Notify: msenec6 - C:\WINDOWS\SYSTEM32\msenec6.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Edited by San77, 01 February 2007 - 08:11 AM.

#2 kahdah (GeekU Teacher)

Hello San77

Welcome to G2Go.
My name is Kahdah and I will be helping you with your malware problem.
As I am still in training, I will be helping you under the supervision of our expert teachers, so there may be a delay between posts.

I will be back with you as soon as possible.

#3 San77 (Topic Starter)

Hi Kahdah,

Thanks so much for replying. Absolutely no problem at all with delays; I'm grateful for any help I can get.

San.

#4 kahdah (GeekU Teacher)

Hello San77

First, you have no anti-virus protection.

I will need you to download this anti-virus program and install it.
This is a free anti-virus program.
AVG.
Please download and install this program.

Secondly, you have no firewall running.
This is a definite must-have.
We will get you a free one after you are cleaned up.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of rsvp32_2.dll.
  • Select every instance of rsvp32_2.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.

After that, please download SDFix and save it to your Desktop.
Double-click SDFix.exe and choose Install to extract it to its own folder on the Desktop.

After that, please download VundoFix.exe to your desktop.

Do not do anything with these programs yet.

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

After reboot please Run VundoFix:
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files, click YES
5. Once you click yes, your desktop will go blank as it starts removing Vundo.
6. When completed, it will prompt that it will reboot your computer, click OK.
7. Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

After doing these things, please post back with these logs:
*SDFix log
*Vundo fix log
*New Hijackthis log.

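What the helper is doing in the instructions above is reading the HijackThis log for autostart entries that do not belong: unnamed BHOs (O2), Run-key programs in odd locations or with names that imitate core system processes (O4), the broken Winsock LSP chain (O10), and DLLs hooked into logon through Winlogon Notify and SSODL (O20/O21), plus a process list that should contain exactly one services.exe. The script below, added here as an illustration and not part of the original thread or of HijackThis, applies those checks to lines excerpted from the logs posted in this thread. The known-good list, the edit-distance threshold for lookalike names and the treatment of Program Files as a benign location are assumptions, and its output is a review list rather than a verdict: the WinAntiVirus Pro 2006 entries that the helper later removes pass every one of these location checks.

```python
import re

# Core Windows processes: the first five run exactly once; malware imitates their names
# (csvhost.exe for svchost.exe, spoolsvv.exe for spoolsv.exe).
SINGLETON = {"smss", "csrss", "winlogon", "services", "lsass"}
CORE = SINGLETON | {"svchost", "spoolsv"}
# Autostart targets taken as legitimate on this machine (assumed for the example).
KNOWN_GOOD = {"nvcpl.dll", "nvmctray.dll", "osa.exe", "avgcc.exe", "avgemc.exe"}
ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")      # "O4 - HKLM\..\Run: [name] command"
CMD_RE = re.compile(r"\] (.*)$|= (.*)$")           # the command after [name] or after "="
EXE_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.(?:exe|dll|bat|cmd|scr))\b', re.I)
# Lines excerpted from the HijackThis logs posted in this thread.
SAMPLE = r"""
Running processes:
C:\WINDOWS\system32\services.exe
C:\windows\system32\csvhost.exe
C:\WINDOWS\System32\services.exe

O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\tmp4.tmp.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [csvhost.exe] c:\windows\system32\csvhost.exe
O4 - HKLM\..\Run: [MSN] "C:\WINDOWS\System32\msn.exe" /INITSERVICE
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\hgfcay.dll",setvm
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\bzntso.dll
"""

def edit_distance(a, b):
    # Optimal string alignment distance: Levenshtein plus one adjacent transposition.
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()

def lookalike(name):
    # Which core process does this file name imitate? Exact core names and short stems are
    # excluded (msn.exe is two edits from smss.exe, but that is not a lookalike).
    stem = name[:-4] if name.endswith(".exe") else ""
    if stem in CORE or len(stem) < 6:
        return None
    return next((c + ".exe" for c in sorted(CORE) if edit_distance(stem, c) <= 2), None)

def target_of(command):
    # The file a Run entry really loads: the DLL argument for rundll32, otherwise the quoted
    # or unquoted executable path, otherwise a bare name that Windows resolves through PATH.
    if basename(command.split()[0].strip('"')).startswith("rundll32"):
        m = re.search(r'([A-Za-z]:\\[^",]+\.dll)', command, re.I)
        return m.group(1) if m else command
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split()[0]

def triage(log_text):
    findings, procs, in_procs = [], {}, False
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = ENTRY_RE.match(line)
        if line.startswith("Running processes:"):
            in_procs = True
        elif not m and in_procs:                    # a process path
            name = basename(line)
            procs[name] = procs.get(name, 0) + 1
            if lookalike(name):
                findings.append(("lookalike", line, f"resembles {lookalike(name)}"))
        if not m:
            continue
        in_procs = False
        kind, body = m.groups()
        if "(file missing)" in body:
            findings.append(("orphan", line, "points at a file that no longer exists"))
        if kind == "O2" and body.startswith("BHO: (no name)"):
            findings.append(("review", line, "unnamed BHO"))
        elif kind == "O4":
            cm = CMD_RE.search(body)
            tgt = target_of(cm.group(1) or cm.group(2)) if cm else body
            name = basename(tgt)
            if lookalike(name):
                findings.append(("lookalike", line, f"{name} resembles {lookalike(name)}"))
            elif "\\" not in tgt:
                findings.append(("review", line, "bare name, resolved through PATH"))
            elif name not in KNOWN_GOOD and "\\program files\\" not in tgt.lower():
                findings.append(("review", line, f"autostart from {tgt}"))
        elif kind == "O10":
            findings.append(("lsp", line, "Winsock LSP chain references a missing provider"))
        elif kind in ("O20", "O21") and not body.endswith(":"):   # an empty AppInit_DLLs is skipped
            path = body.rsplit(" - ", 1)[-1]
            where = "" if "\\system32\\" in path.lower() else "; DLL outside system32"
            findings.append(("review", line, "loads at logon" + where))
    for p in sorted(SINGLETON):
        if procs.get(p + ".exe", 0) > 1:
            findings.append(("duplicate", p + ".exe", f"{procs[p + '.exe']} copies of a process that runs once"))
    return findings

if __name__ == "__main__":
    for category, item, note in triage(SAMPLE):
        print(f"[{category}] {item}\n    {note}")
```

Run it with `python3 hjt_triage.py` (any file name will do). On the excerpt it flags csvhost.exe twice (as a running process and as a Run entry), the orphaned unnamed BHO, msn.exe and hgfcay.dll starting from the Windows directory, MIDIDef.exe with no path, the missing LSP provider, both logon hooks, and the second services.exe; NvCpl, OSA.EXE and the WinAntiVirus Pro 2006 entry produce nothing, which is exactly why a human still reads the whole log.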

#5 San77 (Topic Starter)

Thanks for getting back to me, Kahdah,

I have run through the steps as directed; please find the reports below. As for the virus protection, I should be running AVG already; maybe someone here turned it off for some reason. I will have a look. Any tips you can give for firewalls would be awesome.

Thanks again for all your help.

HijackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 5:09:26 PM, on 3/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\services.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {23314D99-1240-4d4f-A25C-17E44823D048} - C:\WINDOWS\System32\ipv6monl.dll (file missing)
O2 - BHO: (no name) - {2e053ad7-678b-4af8-b5ac-49fc52a7c991} - C:\WINDOWS\system32\msenec6.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\tmp4.tmp.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O20 - AppInit_DLLs:
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\bzntso.dll
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

SDFix report:


SDFix: Version 1.63

Sat 03/02/2007 - 16:37:49.23

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc
wincom32

Path:
C:\WINDOWS\System32\msasvc.exe
\??\C:\WINDOWS\System32\wincom32.sys

MsaSvc Deleted
wincom32 Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\game0.exe.exe - Deleted
C:\WINDOWS\system32\game5p.exe.exe - Deleted
C:\DOCUME~1\aa\LOCALS~1\Temp\installer.exe - Deleted
C:\DOCUME~1\aa\LOCALS~1\Temp\temp_126484.bat - Deleted
C:\WINDOWS\comdlj32.dll - Deleted
C:\WINDOWS\system32\adir.dll - Deleted
C:\WINDOWS\system32\adv.txt - Deleted
C:\WINDOWS\system32\autosys.exe - Deleted
C:\WINDOWS\system32\csvhost.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q1.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q2.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q5.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q6.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q2.exe~ - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\hook.dll - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\ipv6monk.dll - Deleted
C:\WINDOWS\system32\ipv6monl.dll - Deleted
C:\WINDOWS\system32\ipv6mons.dll - Deleted
C:\WINDOWS\system32\kernels88.exe - Deleted
C:\WINDOWS\system32\main.sys - Deleted
C:\WINDOWS\system32\msasvc.exe - Deleted
C:\WINDOWS\system32\msn.exe - Deleted
C:\WINDOWS\system32\spoolsvv.exe - Deleted
C:\WINDOWS\system32\svcp.csv - Deleted
C:\WINDOWS\system32\taskdir.exe - Deleted
C:\WINDOWS\system32\vxga1me4t1.exe - Deleted
C:\WINDOWS\system32\vxga3me2.exe - Deleted
C:\WINDOWS\system32\vxga4m1et4.exe - Deleted
C:\WINDOWS\system32\vxga4me1.exe - Deleted
C:\WINDOWS\system32\vxga8me6.exe - Deleted
C:\WINDOWS\system32\vxg3am1et3.exe - Deleted
C:\WINDOWS\system32\vxg4am1et2.exe - Deleted
C:\WINDOWS\system32\vxg6ame4.exe - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\wincom32.sys - Deleted
C:\WINDOWS\system32\winsub.xml - Deleted
C:\WINDOWS\xpupdate.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

Rootkit PE386 maybe active, Use a Rootkit scanner!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"c:\\windows\\n5z.exe"="c:\\windows\\n5z.exe:*:Enabled:n5z"
"c:\\windows\\system32\\csvhost.exe"="c:\\windows\\system32\\csvhost.exe:*:Enabled:csvhost"


Remaining Files:
---------------
C:\WINDOWS\system32\rsvp32_2.dll Found - LSP

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\THQ\Dawn Of War\Disk1CheckW40k.EXE
C:\WINDOWS\system32\Tools\All.exe
C:\WINDOWS\system32\Tools\Change.exe
C:\WINDOWS\system32\Tools\CheckPath.exe
C:\WINDOWS\system32\Tools\Counter.exe
C:\WINDOWS\system32\Tools\DelFolders.exe
C:\WINDOWS\system32\Tools\DirectSetup.exe
C:\WINDOWS\system32\Tools\RegClean.exe
C:\WINDOWS\system32\Tools\Regexe.exe
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\system32\Tools\RunRegexe.exe
C:\Documents and Settings\aa\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\aa\Local Settings\Temp\BIT5.tmp
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341235.TMP

Finished

VundoFix report:


VundoFix V6.3.5

Checking Java version...

Java version is 1.5.0.3

Scan started at 5:02:17 PM 3/02/2007

Listing files found while scanning....

C:\WINDOWS\system32\msenec6.dll
C:\WINDOWS\System32\tmp4.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\msenec6.dll
C:\WINDOWS\system32\msenec6.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\tmp4.tmp.dll
C:\WINDOWS\System32\tmp4.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

#6 kahdah (GeekU Teacher)

Hi San77
AVG is still not showing up in your log; please make sure to enable this, as you are currently unprotected.

Download Rustbfix from one of these locations:
http://www.uploads.e...et/rustbfix.exe
http://uploads.ejvin...om/Rustbfix.exe
...and save it to your desktop.
Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of these logfiles along with a new HijackThis log in your next reply.


Then please download the Killbox by Option^Explicit.
Note:In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.

After that please download AVG Anti-Spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Then please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please re-open HijackThis and hit Scan only.
Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {23314D99-1240-4d4f-A25C-17E44823D048} - C:\WINDOWS\System32\ipv6monl.dll (file missing)
O2 - BHO: (no name) - {2e053ad7-678b-4af8-b5ac-49fc52a7c991} - C:\WINDOWS\system32\msenec6.dll (file missing)
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\System32\tmp4.tmp.dll (file missing)
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\ers_startupmon.exe"
O4 - HKLM\..\Run: [DC6_check] "C:\Program Files\Common Files\WinAntiVirus Pro 2006\dc6_startupmon.exe"
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\bzntso.dll


Now close Hijackthis.

  • Please double-click Killbox.exe to run it.
  • Select:
  • Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\WinAntiVirus Pro 2006
    C:\Windows\xpupdate.exe
    C:\WINDOWS\System32\taskdir.exe
    C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
    C:\WINDOWS\System32\bzntso.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered:
    a file is missing or invalid." when trying to run Killbox, click here to
    download and run missingfilesetup.exe. Then try Killbox again.


    After that
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

    Then run AVG antispyware.
    IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process:
  • Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Then please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


Please post back with these logs:
*New Hjt log
*AVG Anti-Spyware log
*avenger.txt & rustbfix\pelog.txt
*Panda Active scan log


And also tell me how things are running.
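The PendingFileRenameOperations prompt in the Killbox steps above refers to the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ of source/destination pairs that Windows works through early in the next boot, before the files are locked by whatever uses them: an empty destination deletes the source, and a destination beginning with "!" replaces an existing file. That is how delete-on-reboot tools reach a DLL that cannot be removed while Windows is running, and it is also worth reading during incident response, since anything running with admin rights can queue an operation there. The following Python, added here and not taken from the thread or from Killbox, decodes such a value, classifies the pending operations, and queues a further deletion the way MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT does. The sample value is constructed: its first two deletions use paths from the Killbox list above, and the replace pair is invented.

```python
PFRO_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"   # value: PendingFileRenameOperations
NT_PREFIX = "\\??\\"                                                  # NT path form, \??\C:\...

def encode_multi_sz(strings):
    # REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, then one extra NUL ends the list.
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")

def decode_multi_sz(blob):
    # Inverse of encode_multi_sz. Empty strings are kept: in this value they mean "delete".
    text = blob.decode("utf-16-le")
    if not text.strip("\0"):
        return []
    if text.endswith("\0"):
        text = text[:-1]                                   # drop the list terminator
    parts = text.split("\0")
    return parts[:-1] if parts[-1] == "" else parts       # tolerate a missing final NUL

def pending_operations(blob):
    # Pair the strings as (source, destination) and classify what boot-time processing will do.
    parts = decode_multi_sz(blob)
    ops = []
    for i in range(0, len(parts), 2):
        src = parts[i]
        dst = parts[i + 1] if i + 1 < len(parts) else ""  # odd count: treat as a delete
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        src, dst = (p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p for p in (src, dst))
        if dst == "":
            ops.append(("delete", src, None))
        else:
            ops.append(("replace" if replace else "rename", src, dst))
    return ops

def queue_delete(blob, path):
    # What MoveFileEx(path, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends to the value.
    return encode_multi_sz(decode_multi_sz(blob) + [NT_PREFIX + path, ""])

# Constructed sample value: the first two deletions use paths from the Killbox list in this
# thread; the replace pair is invented to show the "!" destination form.
SAMPLE_VALUE = encode_multi_sz([
    NT_PREFIX + r"C:\WINDOWS\System32\taskdir.exe", "",
    NT_PREFIX + r"C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll", "",
    NT_PREFIX + r"C:\WINDOWS\Temp\patch.tmp", "!" + NT_PREFIX + r"C:\WINDOWS\System32\example.dll",
])

if __name__ == "__main__":
    print(PFRO_KEY)
    for op, src, dst in pending_operations(SAMPLE_VALUE):
        print(f"  {op:<8}{src}" + (f" -> {dst}" if dst else ""))
```

On a live system the raw bytes come from the registry (for example `reg query` with the value shown as hex, or a hive parser on an offline image); a delete that is still listed after a reboot means the boot-time processing could not carry it out, which is what the "Delete on Reboot" prompt in Killbox is warning about when it finds existing entries.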

#7 San77 (Topic Starter)

Hey Kahdah,

I followed your instructions; please find the logs below. Things are running better now. My version of AVG must have become broken or something, because when I tried to run it, it crashed. I installed the new version and it worked, although when I tried to scan a second time it crashed the machine with a fatal error.

New Hjt log
Logfile of HijackThis v1.99.1
Scan saved at 1:27:28 PM, on 5/02/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\services.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs:
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

AVG Anti-Spyware log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:47:41 AM 5/02/2007

+ Scan result:



C:\Program Files\BraveSentry -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\BraveSentry.lic -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\Program Files\BraveSentry\Uninstall.exe -> Adware.Bravesentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP382\A0109321.dll -> Adware.Companion : Cleaned with backup (quarantined).
E:\Program Files\Picasa\pinstall.dll -> Adware.LookMe : Cleaned with backup (quarantined).
E:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109286.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109287.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109288.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109289.dll -> Adware.SpyMarshal : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109285.exe -> Adware.SpySheriff : Cleaned with backup (quarantined).
E:\WINDOWS\system32\cpqiq.dll -> Adware.WurldMedia : Cleaned with backup (quarantined).
E:\WINDOWS\system32\winbpupd.exe -> Adware.WurldMedia : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP336\A0083800.dll -> Downloader.Nurech.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP382\A0109322.exe -> Downloader.Nurech.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP382\A0109323.exe -> Downloader.Nurech.m : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109237.exe -> Downloader.Obfuscated.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109239.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109241.exe -> Downloader.Small.agq : Cleaned with backup (quarantined).
C:\WINDOWS\uwr3wqje.exe -> Downloader.Tiny.fl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108240.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109263.sys -> Dropper.Agent.bbv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109246.dll -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110339.exe -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110340.exe -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110343.exe -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110367.exe -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110368.exe -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110371.exe -> Logger.BZub.eh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP365\A0096048.dll -> Logger.BZub.gq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP366\A0096053.exe -> Logger.BZub.gr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP366\A0096065.exe -> Logger.BZub.gr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP367\A0096072.exe -> Logger.BZub.gr : Cleaned with backup (quarantined).
C:\WINDOWS\english.exe -> Logger.BZub.gr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109248.dll -> Logger.BZub.hg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109247.dll -> Logger.BZub.ht : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109238.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110338.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110342.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110344.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110348.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110366.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110370.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110372.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110376.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rsvp32_2.dll -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109224.dll -> Proxy.Small : Cleaned with backup (quarantined).
E:\Documents and Settings\Adam\Cookies\adam@com[1].txt -> TrackingCookie.Com : Cleaned.
E:\Documents and Settings\Adam\Cookies\[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109302.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP382\A0109328.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP382\A0110328.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110336.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110362.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110365.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110383.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110391.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110418.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wsys.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
[472] C:\WINDOWS\System32\wsys.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108227.exe -> Trojan.Agent.oh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109257.exe -> Trojan.Agent.oh : Cleaned with backup (quarantined).
[1588] VM_13140000 -> Trojan.Agent.zq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110341.exe -> Trojan.Delf.yz : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110369.exe -> Trojan.Delf.yz : Cleaned with backup (quarantined).
C:\fsuls.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\gtroncwt.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\lvnu.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\lypq.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\mtiytn.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\yvatjug.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109250.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP366\A0096054.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP366\A0096066.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP378\A0102108.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108231.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108234.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108235.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108236.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0108237.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109258.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109259.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110345.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110346.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110347.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110373.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110374.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110375.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP381\A0109251.exe -> Trojan.Zapchast.cm : Cleaned with backup (quarantined).


::Report end

avenger log


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\mjesqpxu

*******************

Script file located at: \??\C:\WINDOWS\vouvsmua.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

rustbfix

************************* Rustock.b-fix -- By ejvindh *************************
Mon 05/02/2007 9:34:05.04

No Rustock.b-rootkits found

******************************* End of Logfile ********************************

panda scan


Incident                                                 Status           Location

Virus:trj/torpig.a                                       Disinfected      Operating system
Potentially unwanted tool:application/winantivirus2006   Not disinfected  c:\documents and settings\all users\application data\WinAntiVirus Pro 2006
Adware:adware/sahagent                                   Not disinfected  Windows Registry
Virus:trj/qhost.gen                                      Disinfected      Operating system
Adware:Adware/BraveSentry                                Not disinfected  C:\Documents and Settings\aa\Application Data\Install.dat
Potentially unwanted tool:Application/Processor          Not disinfected  C:\Documents and Settings\Administrator\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Potentially unwanted tool:Application/Processor          Not disinfected  C:\SDFix\apps\Process.exe
Spyware:Spyware/Virtumonde                               Not disinfected  C:\WINDOWS\hgfcay.dll
Potentially unwanted tool:Application/Restart            Not disinfected  C:\WINDOWS\system32\Tools\Restart.exe
Spyware:Cookie/Xiti                                      Not disinfected  E:\Documents and Settings\Adam\Cookies\adam@xiti[1].txt
Potentially unwanted tool:Application/FunWeb             Not disinfected  E:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.6.inf
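As an added triage example (not part of the posted logs, and not code from AVG, Panda or any of the tools named in this thread), the Python below parses the two report formats shown in the post above, the AVG Anti-Spyware "object -> detection : action" lines and Panda's "Incident Status Location" rows, and sorts each hit by where the object lives: a System Restore snapshot under \System Volume Information\_restore{...}\RPnnn\, process memory (the [pid] prefix AVG uses), a tracking cookie, one of Panda's non-file locations, or a live file on disk. The sample lines are copied from the logs above; the function and regex names are my own.

```python
"""Triage the two scan reports posted above (added example, not part of the thread).

Classifies each detection by where the object lives so that live files on disk
can be told apart from copies that only exist inside System Restore snapshots.
"""
import re
from collections import Counter

# AVG Anti-Spyware report line:  <object> -> <detection name> : <action>
AVG_LINE = re.compile(r"^(?P<obj>.+?) -> (?P<name>[^:]+?) : (?P<action>.+)$")
# Panda report line:  <category>:<name> <status> <location>
PANDA_LINE = re.compile(
    r"^(?P<category>[^:]+):(?P<name>\S+)\s+(?P<status>Disinfected|Not disinfected)\s+(?P<location>.+)$"
)
# A System Restore snapshot copy: ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_POINT = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\")
# AVG prefixes process-memory detections with the PID in square brackets.
IN_MEMORY = re.compile(r"^\[\d+\]\s+\S")


def classify(obj):
    """Where the detected object lives: restore-point, memory, cookie, system or live-file."""
    if IN_MEMORY.match(obj):
        return "memory"
    if RESTORE_POINT.search(obj):
        return "restore-point"
    if "\\Cookies\\" in obj:
        return "cookie"
    if obj in ("Operating system", "Windows Registry"):  # Panda's non-file locations
        return "system"
    return "live-file"


def parse_avg(text):
    """Parse AVG Anti-Spyware lines into dicts; non-matching lines (headers, blanks) are skipped."""
    hits = []
    for line in text.splitlines():
        m = AVG_LINE.match(line.strip())
        if m:
            hits.append({"object": m["obj"], "name": m["name"],
                         "action": m["action"], "where": classify(m["obj"])})
    return hits


def parse_panda(text):
    """Parse Panda 'Incident Status Location' rows into the same dict shape as parse_avg."""
    hits = []
    for line in text.splitlines():
        m = PANDA_LINE.match(line.strip())
        if m:
            hits.append({"object": m["location"], "name": m["name"],
                         "action": m["status"], "where": classify(m["location"])})
    return hits


def summarize(hits):
    """Count hits per location class and pull out what still matters after the scan:
    live on-disk objects, and anything the scanner reported as 'Not disinfected'.
    Restore-point copies are snapshot archives, not what runs at boot, but a resident
    scanner keeps re-reporting them until the restore points themselves are purged."""
    return {
        "by_where": dict(Counter(h["where"] for h in hits)),
        "live_files": sorted({h["object"] for h in hits if h["where"] == "live-file"}),
        "restore_point_families": dict(Counter(h["name"] for h in hits if h["where"] == "restore-point")),
        "remaining": [h for h in hits if h["action"] == "Not disinfected"],
    }


# Sample input: a subset of the lines copied from the AVG Anti-Spyware report above.
AVG_SAMPLE = r"""
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP367\A0096072.exe -> Logger.BZub.gr : Cleaned with backup (quarantined).
C:\WINDOWS\english.exe -> Logger.BZub.gr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP383\A0110338.exe -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rsvp32_2.dll -> Proxy.Cimuz.bw : Cleaned with backup (quarantined).
E:\Documents and Settings\Adam\Cookies\adam@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\System Volume Information\_restore{B68FB5FC-E2C8-4448-B972-7D1F2E384EB9}\RP384\A0110418.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wsys.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
[472] C:\WINDOWS\System32\wsys.dll -> Trojan.Agent.ady : Cleaned with backup (quarantined).
[1588] VM_13140000 -> Trojan.Agent.zq : Cleaned with backup (quarantined).
C:\fsuls.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
"""

# Sample input: a subset of the rows copied from the Panda report above.
PANDA_SAMPLE = r"""
Incident Status Location

Virus:trj/torpig.a Disinfected Operating system
Potentially unwanted tool:application/winantivirus2006 Not disinfected c:\documents and settings\all users\application data\WinAntiVirus Pro 2006
Adware:adware/sahagent Not disinfected Windows Registry
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\hgfcay.dll
Spyware:Cookie/Xiti Not disinfected E:\Documents and Settings\Adam\Cookies\adam@xiti[1].txt
"""

if __name__ == "__main__":
    for label, hits in (("AVG Anti-Spyware", parse_avg(AVG_SAMPLE)), ("Panda", parse_panda(PANDA_SAMPLE))):
        s = summarize(hits)
        print(label, s["by_where"])
        for obj in s["live_files"]:
            print("  live file:", obj)
        for h in s["remaining"]:
            print("  still present:", h["name"], "->", h["object"])
```

Run as a script it prints one summary per report. The point it makes for this thread is that of the dozens of hits in the AVG report only a handful are live files (english.exe, rsvp32_2.dll, wsys.dll, the random C:\*.exe droppers, ibm00002.dll) plus two in-memory detections; everything else is a snapshot copy under a restore point, which is exactly what a resident scanner keeps finding again after each reboot. The Panda rows add a second list worth acting on: whatever is still "Not disinfected".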

#8 San77 (New Member, Topic Starter, 5 posts)
Also, when I restart the computer it says that AVG has found trojan.ady. I tell AVG to clean it, but on the very next restart there it is again.

Sorry about all of this.

#9 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello San77

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

also, when i restart computer it says that avg has found trojan.ady, i tell AVG to clean it, but very next restart there it is again
It is because that trojan is in your System Restore points. We will clean them last.


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

After that download WinPFind2.exe to your Desktop and double-click on it to extract the files.
It will create a folder named WinPFind2 on your desktop.
Close WinPFind2.exe.

After that please click here to download FindAWF.exe and save it to your desktop.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

After reboot please run FindAWF.exe (it is on your desktop.)
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
  • Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
After that please run WinPFind2.exe.
  • Open the folder and double-click on winpfind2.exe to start the program. (it is on your desktop)
  • Click on the Services tab.
  • From the two drop down boxes next to Filter list:, on the left one choose List all type of services and on the right one choose List all services.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.
Post back with these logs:
*New Hijackthis log
*C:\rapport.txt (Smitfraud log)
*Find AWF log
*WinPFind log


#10 OwNt (Malware Expert, Retired Staff, 7,457 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.