win32.Trojandownloader.zlob and malware.psguard [CLOSED]


  • This topic is locked

#1 gregorio.bl (New Member, 3 posts)
Well..
I've done the drill with all those bloody programs..
But it's still there; every time I restart the PC it comes up again and changes my desktop background to some info about my PC being infected!
I just don't know what to do any more!
Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 21:09:24, on 2/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Greg.BIG-PC\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsof...ss/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Arquivos de programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] C:\Arquivos de programas\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Arquivos de programas\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [THGuard] "C:\Arquivos de programas\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1122847281953
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AA59880-8FDB-42DF-B2D4-C4BA89C9CC52}: NameServer = 201.10.120.3 201.10.1.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{4AA59880-8FDB-42DF-B2D4-C4BA89C9CC52}: NameServer = 201.10.120.3 201.10.1.2
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2306109_disk.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Thanks for the future help. :tazz:


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to its own folder on the desktop.

Please download the trial version of Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Arquivos de programas\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2306109_disk.dll (file missing)


Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Uninstall WildTangent from the Add/Remove panel if listed.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).

Give me this log also:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!
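As an added example (not code from this thread, from HijackThis or from the smitRem tool), the script below runs the same checks greyknight17 applied by hand over a constructed log in the shape of the one posted above: a blank R0 Local Page, a Run entry launching an unknown binary straight from System32, O17 DNS servers that should be confirmed as the ISP's, and an O20 Winlogon Notify DLL that is missing or sits outside System32. The sample lines, the 192.0.2.x addresses and the System32 allowlist are assumptions.

```python
import re

# Constructed sample in the shape of the HijackThis v1.99 log posted above (not the real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\System32\intell32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 192.0.2.10 192.0.2.11
O20 - Winlogon Notify: style2 - C:\WINDOWS\q2306109_disk.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^.*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
EXE_RE = re.compile(r'"?(?P<path>[^"\s]+\.exe)"?', re.IGNORECASE)
SYSTEM32 = r"c:\windows\system32"

# Hypothetical allowlist: Windows binaries a Run key may legitimately start from System32.
KNOWN_SYSTEM32 = {"ctfmon.exe", "rundll32.exe"}


def triage(log_text):
    """Return (section, reason, line) for every log line a helper should look at."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("R0", "R1") and body.rstrip().endswith("="):
            findings.append((sec, "blank IE start/search page; reset it after cleanup", raw))
        elif sec == "O4":
            o4 = O4_RE.match(body)
            exe = EXE_RE.search(o4.group("cmd")) if o4 else None
            if exe:
                folder, _, name = exe.group("path").lower().rpartition("\\")
                if folder == SYSTEM32 and name not in KNOWN_SYSTEM32:
                    findings.append((sec, "Run key launches an unexpected binary from System32", raw))
        elif sec == "O17":
            servers = body.split("NameServer =")[-1].split()
            findings.append((sec, "adapter DNS servers: " + ", ".join(servers) + " (confirm they belong to the ISP)", raw))
        elif sec == "O20":
            dll = body.split(" - ", 1)[-1].lower()
            # A Notify DLL reported missing, or given with a path outside System32, is suspect.
            if "(file missing)" in dll or ("\\" in dll and not dll.startswith(SYSTEM32)):
                findings.append((sec, "Winlogon Notify DLL missing or outside System32", raw))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason}\n     {line}")
```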

#3 gregorio.bl (Topic Starter, New Member, 3 posts)
Riiiiiight then..
Thanks for the quick response..
All went well up to the Panda ActiveScan.
When I'm downloading the ActiveX files, Avast! says there's a virus being downloaded and aborts my connection with it.
The virus is called:
win32:CTX

Here are the logs:

---------------------------------------------------------
ewido security suite - Relatório de verificação
---------------------------------------------------------

+ Criado em:   21:53:26, 2/7/2005
+ Relatório-Checksum:  D5D99889

+ Resultado da verificação:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Limpo com backup
C:\Documents and Settings\Greg.BIG-PC\Cookies\greg@advertising[1].txt -> Spyware.Cookie.Advertising : Limpo com backup
C:\Documents and Settings\Greg.BIG-PC\Cookies\greg@atdmt[2].txt -> Spyware.Cookie.Atdmt : Limpo com backup
C:\Documents and Settings\Greg.BIG-PC\Cookies\greg@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Limpo com backup
C:\Documents and Settings\Greg.BIG-PC\Cookies\greg@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Limpo com backup
:mozilla.6:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Advertising : Limpo com backup
:mozilla.7:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Atdmt : Limpo com backup
:mozilla.10:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Adserver : Limpo com backup
:mozilla.11:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Adserver : Limpo com backup
:mozilla.12:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Fastclick : Limpo com backup
:mozilla.13:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Fastclick : Limpo com backup
:mozilla.14:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Adserver : Limpo com backup
:mozilla.17:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup
:mozilla.18:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup
:mozilla.19:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup
:mozilla.20:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup
:mozilla.21:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup
:mozilla.27:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Mediaplex : Limpo com backup
:mozilla.34:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Limpo com backup
:mozilla.39:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Hitbox : Limpo com backup
:mozilla.40:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Hitbox : Limpo com backup
:mozilla.41:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Hitbox : Limpo com backup
:mozilla.50:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Hitbox : Limpo com backup
:mozilla.59:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Doubleclick : Limpo com backup
:mozilla.60:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Spylog : Limpo com backup
:mozilla.81:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Falkag : Limpo com backup
:mozilla.82:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Falkag : Limpo com backup
:mozilla.83:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Falkag : Limpo com backup
:mozilla.84:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Falkag : Limpo com backup
:mozilla.101:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Revenue : Limpo com backup
:mozilla.102:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Burstnet : Limpo com backup
:mozilla.103:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Burstnet : Limpo com backup
:mozilla.104:C:\Documents and Settings\Greg.BIG-PC\Dados de aplicativos\Mozilla\Firefox\Profiles\zqw4gkwy.default\cookies.txt -> Spyware.Cookie.Trafic : Limpo com backup
:mozilla.29:D:\Greg.MEGA\Dados de aplicativos\Mozilla\Firefox\Profiles\i17vb3u9.default\cookies.txt -> Spyware.Cookie.Fastclick : Limpo com backup
:mozilla.49:D:\Greg.MEGA\Dados de aplicativos\Mozilla\Firefox\Profiles\i17vb3u9.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup
:mozilla.50:D:\Greg.MEGA\Dados de aplicativos\Mozilla\Firefox\Profiles\i17vb3u9.default\cookies.txt -> Spyware.Cookie.Pointroll : Limpo com backup


::Fim do Relatório


smitRem log file
     version 2.3

     by noahdfear


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


   Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! ;)


Tell me what now, masters! :tazz:

Thanks for the help


P.S.: My Ewido is in my native language! "Limpo com backup" means cleaned with backup! :)

Edited by gregorio.bl, 02 August 2005 - 07:04 PM.


#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem, we can understand all languages :tazz:

For Panda, try getting this download and install it. Tell me if Panda works now.

#5 gregorio.bl (Topic Starter, New Member, 3 posts)
It says 'active scan is starting...'
And nothing happens! :tazz:

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
OK, give me this log instead:

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

Also post that l2mfix log I asked for.

#7 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.