Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Recently suffered a massive virus/spyware


  • Please log in to reply

#1
jessica84

jessica84

    Member

  • Member
  • PipPip
  • 37 posts
I was recently infected (and still could be) with something that caused my computer apon starting up to show no icons and no startup menu. All that was there was a wallpaper. A good friend of mine managed to get me back in and my files were saved but I still wonder if some bad files are kicking around.

For example there is this Spyware Sheriff that I know is harmfull but its still in my program files and I don't want to "uninstall" it for I know that clicking that will probably just reinfect me so how can I get rid of that. Also here is my hijack log to see if anything else is up.

Logfile of HijackThis v1.99.1
Scan saved at 12:14:24 PM, on 8/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.rogers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

Edited by jessica84, 14 August 2005 - 08:59 PM.

  • 0

Advertisements


#2
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
*bump*

Need a reply, thanks :tazz:
  • 0

#3
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Are they just hidden files that when I did "see all" appeared or are they harmful because when I delete them, they don't go away and they are everywhere.
  • 0

#4
Scorpex

Scorpex

    Visiting Staff

  • Member
  • PipPipPip
  • 266 posts
Hi jessica84 Ė Welcome to Geeks To Go.

Looking at your log - I donít see an AntiVirus Program running. An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky.


Your HijackThis log is clean Ė However, I suggest you do the following to make sure SpySheriff is completely removed.


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.


Place a shortcut to Panda ActiveScan on your desktop. Youíll use this later on

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let us know if any problems persist.


Scorpex
  • 0

#5
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:11:23 PM, 8/16/2005
+ Report-Checksum: EE5AD883

+ Scan result:

C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@e-2dj6wjl4alczclo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Program Files\iprn\otra.exe -> TrojanDownloader.PurityScan.w : Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDropper.VB.cd : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\WINDOWS\kl.exe -> Backdoor.Haxdoor.cn : Cleaned with backup
C:\WINDOWS\lxwvbov.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\ms1.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\ms2.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\WINDOWS\ms3.exe -> Backdoor.Small.gv : Cleaned with backup
C:\WINDOWS\svchost.exe -> TrojanDownloader.Small.bdz : Cleaned with backup
C:\WINDOWS\sys2253.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys2254.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys5231.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys5235.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys5236.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\sys5242.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system\Loader.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\WINDOWS\system\svchost.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchost.exe -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system\svchosthook.dll -> Backdoor.Agent.iw : Cleaned with backup
C:\WINDOWS\system32\abc.exe -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\WINDOWS\system32\abirvalg32.dll -> TrojanProxy.Small.cn : Cleaned with backup
C:\WINDOWS\system32\cssrs.exe -> TrojanSpy.PdPinch : Cleaned with backup
C:\WINDOWS\system32\cz.dll -> Backdoor.Haxdoor.cn : Cleaned with backup
C:\WINDOWS\system32\dmprc.exe -> Trojan.Small.fb : Cleaned with backup
C:\WINDOWS\system32\drct16.dll -> Backdoor.Haxdoor.cn : Cleaned with backup
C:\WINDOWS\system32\hz.sys -> Backdoor.Haxdoor : Cleaned with backup
C:\WINDOWS\system32\init32m.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\latest.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\maxd1.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\msnethlp32.dll -> TrojanProxy.Mitglieder.dq : Cleaned with backup
C:\WINDOWS\system32\msnethlp32.exe -> TrojanProxy.Mitglieder.dq : Cleaned with backup
C:\WINDOWS\system32\msudp4.sys -> TrojanSpy.Goldun.bf : Cleaned with backup
C:\WINDOWS\system32\mszx23.exe -> Backdoor.Haxdoor.cn : Cleaned with backup
C:\WINDOWS\system32\newdial.exe -> Trojan.Qhost.n : Cleaned with backup
C:\WINDOWS\system32\paydial.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\symcsvc.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\tibs.exe -> TrojanDownloader.Small.mx : Cleaned with backup
C:\WINDOWS\system32\vdmt16.sys -> Backdoor.Haxdoor : Cleaned with backup
C:\WINDOWS\system32\vxgame1.exe -> TrojanDropper.Small.acg : Cleaned with backup
C:\WINDOWS\system32\vxgame2.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\system32\vxgame3.exe -> TrojanDownloader.Agent.ho : Cleaned with backup
C:\WINDOWS\system32\vxgame4.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\vxgamet2.exe -> Trojan.LowZones.y : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq1.exe -> TrojanDownloader.Small.bdz : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq2.exe -> Not-A-Virus.Hoax.Renos.l : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq5.exe -> TrojanDownloader.Small.awa : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq6.exe -> TrojanDownloader.Small.aux : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq7.exe -> TrojanDownloader.Small.atl : Cleaned with backup
C:\WINDOWS\system32\vxh8jkdq8.exe -> TrojanDownloader.Small.bdz : Cleaned with backup
C:\WINDOWS\system32\winacpi.dll -> TrojanProxy.Cimuz.z : Cleaned with backup
C:\WINDOWS\system32\winlow.sys -> Backdoor.Haxdoor.cg : Cleaned with backup
C:\WINDOWS\system32\wz.sys -> Backdoor.Haxdoor.cg : Cleaned with backup
C:\WINDOWS\system32\~update.exe -> Trojan.Crypt.i : Cleaned with backup
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Renos.l : Cleaned with backup
C:\WINDOWS\tool3.exe -> TrojanProxy.Mitglieder.dq : Cleaned with backup
C:\WINDOWS\vr_sys.dll -> TrojanSpy.LdPinch.os : Cleaned with backup
C:\winld32.dll -> TrojanDownloader.Small.anu : Cleaned with backup


::Report End

-----------------------------


smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/16/2005
The current time is: 16:26:37.18

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

winstall.exe
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:

---------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 5:15:37 PM, on 8/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\WINDOWS\SM1BG.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hispeed.rogers.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hispeed.rogers.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co....cab?10,0,910,0
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe

Note: Panda ActiveScan didn't work because I don't have ActiveX controls.
  • 0

#6
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Both the topic and topic description keep popping up (alot) in my virus protection program.
  • 0

#7
Scorpex

Scorpex

    Visiting Staff

  • Member
  • PipPipPip
  • 266 posts
Hi Jessica84,

Both the topic and topic description keep popping up (alot) in my virus protection program.Ē

Can you be more specific please - Which program are you using for Antivirus protection? Is there any way you can tell me what it is detecting?

You mentioned that you donít have Active X controls. But your HijackThis log shows that you have downloaded them in the past. Did you change your settings to not allow Active X controls?


Please do the following:

First, download HSFix from Here
After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Next, download Cleanup Here
Install the program, dont run it yet, we will later.


Reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"
A log will be produced which you can close out of.

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to log off - select No
  • Close CleanUp
Restart your computer into Normal Mode

Please go to the TrendMicro website HERE
  • Click Check my PC now
  • On the next page it will verify that Trendmicro scan can be run.
  • There should be 4 green checkmarks, if any of them stay a red X please let me know which one(s)
  • Read the agreement, the click continue with Next Step
  • Wait for the scanner to load, if you get a security warning about the Trend-Micro applet, click YES
  • It will install "Core-Packages", then please run the scan - let me know how many infected items it found and if any of them couldn't be cleaned and the name/location
Post the HSFix log which is located at C:/hslog.txt


Scorpex
  • 0

#8
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Crap.. I put what was coming up in the header and description.. I thought I was starting a new topic.. I'll have to wait for it to appear again.
  • 0

#9
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Okay this is one of them:


C:\SYSTEM VOLUME INFORMATION\_RESTORE{42D6ADFE-7C8E-4F9C-9D55-E4A053F4A775}\RP601\A0095720.EXE

Is the Trojan horse TR/Dldr.Dumador.A.1
  • 0

#10
Scorpex

Scorpex

    Visiting Staff

  • Member
  • PipPipPip
  • 266 posts
Hi jessica84,

That oneís telling you that a trojan is detected in one of your System Restore points. Thatís Ok to leave for the moment - weíll remove the corrupt system restore points and create a new clean one once we know your systemís clean. AV programs are unable to clean viruses/malware from System Restore Points.

Follow the instructions I last posted and please answer any other questions I asked. The results of your Ewido scan showed signs of Backdoor.Haxdoor and we must make sure that all the associated files are removed.

Scorpex
  • 0

Advertisements


#11
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Could not be deleted by Trendmicro: BKDR_MAXDOOR.BN


Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
klogini.dll
p2.ini
ps.a3d
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-
  • 0

#12
Scorpex

Scorpex

    Visiting Staff

  • Member
  • PipPipPip
  • 266 posts
Jessica84,

Letís clean your restore points and set a new one. Then run the scans below to see if all traces of Haxdoor are removed.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.


Please go to the TrendMicro website HERE
  • Click Check my PC now
  • On the next page it will verify that Trendmicro scan can be run.
  • There should be 4 green checkmarks, if any of them stay a red X please let me know which one(s)
  • Read the agreement, the click continue with Next Step
  • Wait for the scanner to load, if you get a security warning about the Trend-Micro applet, click YES
  • It will install "Core-Packages", then please run the scan - let me know how many infected items it found and if any of them couldn't be cleaned and the name/location

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Reboot in to Normal Mode - post the Ewido log and also let me know if Trendmicro found anything.

Scorpex
  • 0

#13
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
TrendMicro still finds: BKDR_HAXDOOR.BN

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:58:27 PM, 8/22/2005
+ Report-Checksum: 23CC3B32

+ Scan result:

C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@ehg-trader.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Administrator.JESSICA-70EUVVW\Cookies\administrator@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\AVPersonal\INFECTED\A0095715.EXE.VIR -> Backdoor.Haxdoor.cn : Cleaned with backup


::Report End
  • 0

#14
Scorpex

Scorpex

    Visiting Staff

  • Member
  • PipPipPip
  • 266 posts
Hi Jessica84,

I noticed in your Ewido Scan that it detected a file that was quarantined in AntiVir. And by the looks of the filename, itís most likely a System Restore point. The only thing I donít know is if AntiVir detected the infected restore point before or after you deleted the old ones and created a new one.

Go in to AntiVir and delete the quarantined files (if your having any problems doing that, go in to Windows Explorer and delete C:\Program Files\AVPersonal\INFECTED\A0095715.EXE)
Then do a full system scan AntiVir and post any results.

Earlier you mentioned that you couldnít use Active X controls Ė Do you know why? Is your system set up that way or is this something that happened at one point. Without the Active X controls, we canít use some of the more popular online scans that might reveal the Haxdoor files/registry entries that are eluding us.


Scorpex

Edited by Scorpex, 24 August 2005 - 01:37 AM.

  • 0

#15
jessica84

jessica84

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
C:\Program Files\AVPersonal\INFECTED\A0095715.EXE

This file is not there.

And I have no idea what Active X is.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP