Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

TrojanDownloader.xs! Need help

Started by NWilliams , Dec 09 2007 08:26 PM

  • Please log in to reply

#1
NWilliams
Posted 09 December 2007 - 08:26 PM

NWilliams

    New Member

  • Member
  • Pip
  • 2 posts
Hello!

My desk top turned black with a purple hue surrounding all my icons. In red, there is a large text message saying my computer is infected and what my IP addres is further explaining I should seek antispyware assistance. I then started getting a little yellow triangle on my toolbar that when I clicked stated I have Trojandownloader.xs. When I click the link to go to the Microsoft web page for instructions on what to do Explorer opens up a page that is trying to sell me a spyware removal program. I also get alot of additional pop ups. now my PC is lagging to the point of no return


I am having unbearable lag, i can barely open browsers, i tryed reading the topic on what i should post here, logs but the loading alone takes me 20-30 minutes.

Im not sure what to do here, thank you for your time

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:03 PM, on 12/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\_svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\lpcywinp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Verizon\McciTrayApp.exe
C:\DOCUME~1\NIGELW~1\LOCALS~1\Temp\winlogan.exe
D:\Steam\Steam.exe
C:\Program Files\QdrModule\QdrModule10.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\QdrPack\QdrPack10.exe
C:\DOCUME~1\NIGELW~1\LOCALS~1\Temp\winsto.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\lpcywinp.exe,C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 66.90.103.247 auth.lineage2.com.cn
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O3 - Toolbar: The retnsrp - {9EF873D0-0259-4D2A-AA60-F61FA5B28FE8} - C:\WINDOWS\retnsrp.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [f94mggfhfghodftdf] C:\DOCUME~1\NIGELW~1\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [IESet] IExplorer.dll .dbt
O4 - HKCU\..\Run: [Steam] D:\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - HKCU\..\Run: [f94mggfhfghodftdf] C:\DOCUME~1\NIGELW~1\LOCALS~1\Temp\winlogan.exe
O4 - HKCU\..\Run: [Windows Rescue System] C:\DOCUME~1\NIGELW~1\LOCALS~1\Temp\winsto.exe
O4 - HKCU\..\Run: [IESet] IExplorer.dll .dbt
O4 - HKLM\..\Policies\Explorer\Run: [2totb6QjAn] rundll32.exe "C:\WINDOWS\KBPerf\vijkpqra.dll",DllCleanServer
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45%7

Edited by NWilliams, 09 December 2007 - 08:43 PM.

  • 0

Advertisements

#2
NWilliams
Posted 09 December 2007 - 09:57 PM

NWilliams

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
SUPERAntiSpyware Scan Log
Generated 12/09/2007 at 07:52 PM

Application Version : 3.6.1000

Core Rules Database Version : 3358
Trace Rules Database Version: 1357

Scan type : Complete Scan
Total Scan Time : 01:01:12

Memory items scanned : 401
Memory threats detected : 13
Registry items scanned : 4408
Registry threats detected : 108
File items scanned : 38660
File threats detected : 52

Trojan.Net-Partnership/WL-Resident
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\PARTNERSHIP.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\PARTNERSHIP.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\AWTRQRO.DLL
C:\WINDOWS\SYSTEM32\AWTRQRO.DLL
HKLM\Software\Classes\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32#ThreadingModel
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\TreatAs
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\awtrqro
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}

Trojan.WinFixer
C:\WINDOWS\SYSTEM32\MLJJJ.DLL
C:\WINDOWS\SYSTEM32\MLJJJ.DLL
HKLM\Software\Classes\CLSID\{EAE3FC44-46D1-44AC-B047-C17DBE252DB2}
HKCR\CLSID\{EAE3FC44-46D1-44AC-B047-C17DBE252DB2}
HKCR\CLSID\{EAE3FC44-46D1-44AC-B047-C17DBE252DB2}\InprocServer32
HKCR\CLSID\{EAE3FC44-46D1-44AC-B047-C17DBE252DB2}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EAE3FC44-46D1-44AC-B047-C17DBE252DB2}

Trojan.Downloader-SVCHost/Fake
C:\WINDOWS\SYSTEM32\_SVCHOST.EXE
C:\WINDOWS\SYSTEM32\_SVCHOST.EXE
C:\DOCUMENTS AND SETTINGS\NIGEL WILLIAMS\DESKTOP\IEUPDR2.EXE
C:\DOCUMENTS AND SETTINGS\NIGEL WILLIAMS\IE_UPDATES3R.EXE
C:\WINDOWS\SYSTEM32\~.EXE

Trojan.Unclassified/LPCYWINP
C:\WINDOWS\SYSTEM32\LPCYWINP.EXE
C:\WINDOWS\SYSTEM32\LPCYWINP.EXE

Spyware.Melkosoft (CoolWebSearch Variant)
C:\WINDOWS\SYSTEM32\E404D.DLL
C:\WINDOWS\SYSTEM32\E404D.DLL

Adware.AdSponsor/ISM
C:\PROGRAM FILES\QDRMODULE\QDRMODULE10.EXE
C:\PROGRAM FILES\QDRMODULE\QDRMODULE10.EXE
C:\PROGRAM FILES\QDRPACK\QDRPACK10.EXE
C:\PROGRAM FILES\QDRPACK\QDRPACK10.EXE
[QdrModule10] C:\PROGRAM FILES\QDRMODULE\QDRMODULE10.EXE
[QdrPack10] C:\PROGRAM FILES\QDRPACK\QDRPACK10.EXE
HKLM\Software\Classes\CLSID\{1BAC9A2A-4755-43c3-A430-D3512C5B8A4E}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}#AppID
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\Implemented Categories
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\InprocServer32
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\InprocServer32#ThreadingModel
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\ProgID
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\TypeLib
HKCR\CLSID\{1BAC9A2A-4755-43C3-A430-D3512C5B8A4E}\VersionIndependentProgID
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\{1BAC9A2A-4755-43c3-A430-D3512C5B8A4E}
HKU\S-1-5-21-1606980848-1659004503-839522115-1003\Software\antica
C:\Documents and Settings\Nigel Williams\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Nigel Williams\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Nigel Williams\Start Menu\Programs\Internet Speed Monitor

Trojan.Net-Winable
C:\PROGRAM FILES\WINABLE\WINABLE.EXE
C:\PROGRAM FILES\WINABLE\WINABLE.EXE
[WinAble] C:\PROGRAM FILES\WINABLE\WINABLE.EXE

Trojan.Downloader-WNSET/N-Variant
C:\DOCUME~1\NIGELW~1\LOCALS~1\TEMP\WINSTO.EXE
C:\DOCUME~1\NIGELW~1\LOCALS~1\TEMP\WINSTO.EXE
[Windows Rescue System] C:\DOCUME~1\NIGELW~1\LOCALS~1\TEMP\WINSTO.EXE
C:\DOCUMENTS AND SETTINGS\NIGEL WILLIAMS\LOCAL SETTINGS\TEMP\WINSTO.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3F9A8B17-D68E-4E5B-9732-A03C9DFF7F57}\RP73\A0036706.EXE
C:\WINDOWS\Prefetch\WINSTO.EXE-183303B8.pf

Unclassified.Unknown Origin
C:\PROGRAM FILES\QDRDRIVE\QDRDRIVE8.DLL
C:\PROGRAM FILES\QDRDRIVE\QDRDRIVE8.DLL
HKLM\Software\Classes\CLSID\{875A1348-7674-42aa-ADAC-B4F36A004A2D}
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}#AppID
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\InprocServer32
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\InprocServer32#ThreadingModel
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\ProgID
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\TypeLib
HKCR\CLSID\{875A1348-7674-42AA-ADAC-B4F36A004A2D}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{875A1348-7674-42aa-ADAC-B4F36A004A2D}
HKLM\Software\Microsoft\Windows\CurrentVersion\
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP