
Home shopper and host trojan [CLOSED]


  • This topic is locked

#1
NazguL

  • Member
  • 10 posts
Hi, I've maintained my PC for a long time now, but once again I seem to have spyware. Please could someone assist me...

Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 8:00:54 PM, on 8/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sdkdq.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-za\msnappau.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Ultima Online 2D\autopilot\UOAutoPilot.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\slrundll.exe
C:\Program Files\Ultima Online 2D\No_Crypt_Client_2d.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\sdkbs.exe
C:\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.co.za
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.co.za
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.co.za
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BE0AF818-3A53-6BB3-FBCD-A5E558A11457} - C:\WINDOWS\system32\crvs.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-za\msnappau.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [iert.exe] C:\WINDOWS\iert.exe
O4 - HKLM\..\Run: [mszu32.exe] C:\WINDOWS\mszu32.exe
O4 - HKLM\..\Run: [atlsj.exe] C:\WINDOWS\atlsj.exe
O4 - HKLM\..\Run: [sdkbs.exe] C:\WINDOWS\system32\sdkbs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115557274854
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{820FCC4E-669E-4B06-A332-EF241F5DDAE9}: NameServer = 196.25.1.11 196.43.1.11
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkdq.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe


thanks :tazz:
  • 0



#2
therock247uk


  • Expert
  • 14,672 posts
  • MVP
Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite.
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen.
You will need to update ewido to the latest definition files.
  • On the left-hand side of the main screen, click update.
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.

Open Ewido again
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Reboot and post the report ewido made and a new HijackThis log here in a reply.
  • 0

#3
NazguL

  • Topic Starter
  • Member
  • 10 posts
Here is the HiJackThis report:

Logfile of HijackThis v1.99.1
Scan saved at 4:55:23 PM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\antispyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.co.za
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.co.za
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.co.za
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BE0AF818-3A53-6BB3-FBCD-A5E558A11457} - C:\WINDOWS\system32\crvs.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [Soltek] C:\WINDOWS\System32\autorun.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [iert.exe] C:\WINDOWS\iert.exe
O4 - HKLM\..\Run: [mszu32.exe] C:\WINDOWS\mszu32.exe
O4 - HKLM\..\Run: [atlsj.exe] C:\WINDOWS\atlsj.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115557274854
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkdq.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

and then here is the ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:54:27 PM, 8/21/2005
+ Report-Checksum: 30D4F16F

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{38D4D5D0-423E-4220-B6F9-30918C2AE4A4} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{09CA52B3-703C-4B17-9690-C13F736E3DCD} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8EA362BD-39CB-40F5-9226-73CD40999095} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{C5991634-0185-4B0D-B4F9-6C45597962B7} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D88DA98D-48BA-4116-96AB-77C38EAE487F} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4D463624-B30F-409E-9FB9-3A3DB0\C80606F0-0A81-4E24-9D5B-4CEAA0 -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\69632 -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\addii32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addll.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\addqb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apijj.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appcj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appia32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appnr.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\appwq32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3bt32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3fe.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\d3hf32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fpf.INI:tgfks -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:wjssjs -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ieok.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\imsins.log:pclxld -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\jaaste.dll -> Trojan.Agent.fc : Cleaned with backup
C:\WINDOWS\javawa32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB823559.log:pxgcyc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB834707-IE6-20040929.115007.log:rrpzn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB835732.log:ixribm -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB887472.log:esuqhq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB888113.log:ctsjj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB891781.log:wsnvbt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcht32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\mfcib.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfczu32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msed32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\msnm.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ntha.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ocmsn.log:dphvit -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sdkjy.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:zbhewv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\setupapi.log:ksavem -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setupapi.log.0.old:sczjrx -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32:yqaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\addwp32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\apikn.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\apipv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\appcw.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appef32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appip.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appnm32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\appof32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apprm32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atlej.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atlhs.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\atlqt32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\crrm.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\guninst.exe -> Spyware.Serpo : Cleaned with backup
C:\WINDOWS\system32\ievi.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\ievy32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\javali.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\javare.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\javazc32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfcfe32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfckk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfctw32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfcwv.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\mfcyp32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\msyk32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\netal32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netqq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netsg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\ntgb.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sdkoj.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysam.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winoj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\winxs.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\thin-137-3-x-x.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\winco32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\wininit.ini:ktjik -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winug32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winul.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winyj32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:bvsbsn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_default.pif:gohfy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_default.pif:tvkgux -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_default.pif:vmvnc -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End

Thank you!
  • 0

#4
therock247uk


  • Expert
  • 14,672 posts
  • MVP
1. Make sure your PC is set to show all hidden files and folders. Go here for instructions on how to do this: http://www.xtra.co.n...1916458,00.html

2. Boot into safe mode. To do this, keep tapping F8 on your keyboard while your PC is starting up; you will get a menu, select safe mode.

3. While in safe mode, open HijackThis and click scan. Then tick and fix the following in HijackThis with all windows closed except HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {BE0AF818-3A53-6BB3-FBCD-A5E558A11457} - C:\WINDOWS\system32\crvs.dll (file missing)
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [iert.exe] C:\WINDOWS\iert.exe
O4 - HKLM\..\Run: [mszu32.exe] C:\WINDOWS\mszu32.exe
O4 - HKLM\..\Run: [atlsj.exe] C:\WINDOWS\atlsj.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\sdkdq.exe (file missing)

4. Delete the folders (if present).

C:\Program Files\Common Files\tsa\

5. Delete the files (if present).

C:\WINDOWS\system32\sbtlo.dll
C:\WINDOWS\system32\crvs.dll
C:\WINDOWS\iert.exe
C:\WINDOWS\mszu32.exe
C:\WINDOWS\atlsj.exe
C:\WINDOWS\system32\sdkdq.exe

6. Reboot and post a new Hijackthis log here in a reply.

Edited by therock247uk, 21 August 2005 - 11:49 AM.

  • 0
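
A triage pass over a HijackThis log, as an added example that is not part of the thread and not HijackThis's own logic. The four heuristics are assumptions inferred from the entries selected for fixing in post #4; they do not reproduce that whole list (R3 and the Tsl2 entry are not covered), and a match is a prompt for review, not a verdict.

```python
import ntpath
import re

# Lines taken from the HijackThis log in this thread; the service's garbled
# short name is replaced by the placeholder "(name)".
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.co.za
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sbtlo.dll/sp.html#10001
O2 - BHO: Class - {BE0AF818-3A53-6BB3-FBCD-A5E558A11457} - C:\WINDOWS\system32\crvs.dll (file missing)
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [iert.exe] C:\WINDOWS\iert.exe
O23 - Service: Remote Procedure Call (RPC) Helper (name) - Unknown owner - C:\WINDOWS\system32\sdkdq.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe"
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Value name and executable path of an O4 Run entry (path may be quoted).
RUN_VALUE = re.compile(r'Run: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.exe)', re.I)


def reasons_for(code, body):
    """Return the assumed review heuristics that match one log entry."""
    reasons = []
    if code in ("R0", "R1"):
        _, sep, value = body.partition(" = ")
        if sep and value.strip().lower().startswith("res://"):
            reasons.append("IE page served from a res:// resource in a local DLL")
    if body.rstrip().endswith("(file missing)"):
        reasons.append("registration left behind, target file missing")
    if code == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no vendor name")
    if code == "O4":
        m = RUN_VALUE.search(body)
        # ntpath parses Windows paths correctly on any host OS.
        if m and m.group("name").lower() == ntpath.basename(m.group("path")).lower():
            reasons.append("Run value named after its own executable")
    return reasons


def triage(log_text):
    """Return (code, body, reasons) for every entry matching a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, the process list, blank lines
        why = reasons_for(m.group("code"), m.group("body"))
        if why:
            findings.append((m.group("code"), m.group("body"), why))
    return findings


if __name__ == "__main__":
    for code, body, why in triage(SAMPLE_LOG):
        print(f"{code}: {body}")
        for reason in why:
            print(f"    review: {reason}")
```
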

#5
therock247uk


  • Expert
  • 14,672 posts
  • MVP
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0





