Trojan Downloaders, and Adware and Cookies Oh My!

#1 photoguy_Dave (New Member, 3 posts)

I am rather tech savvy, but this is out of my experience; everything I have tried has failed.

Logfile of HijackThis v1.99.1
Scan saved at 12:50:24 AM, on 11/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Windows Defender\MsMpEng.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RUNDLL32.EXE
E:\WINDOWS\RTHDCPL.EXE
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\WINDOWS\ATKKBService.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
E:\Program Files\Windows Defender\MSASCui.exe
E:\WINDOWS\Duce6.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\WINDOWS\ms038393925147.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\ctfmon.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\DOCUME~1\JJD00C~1.JJ-\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - E:\WINDOWS\system32\nsd5.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - E:\WINDOWS\system32\WinNB58.dll (file missing)
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - E:\Program Files\webHancer\programs\whiehlpr.dll (file missing)
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL (file missing)
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - E:\WINDOWS\system32\adrotate.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - E:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [xxdde4b4] RUNDLL32.EXE w200d0c3.dll,n 005de4af00000002200d0c3
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ExploreUpdSched] E:\WINDOWS\system32\twinnpem.exe ELT001
O4 - HKLM\..\Run: [AnyDVD] E:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TheMonitor] E:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms038393925147] E:\WINDOWS\ms038393925147.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Think-Adz.lnk = E:\WINDOWS\system32\twinnpem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - E:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe


Also I ran System Analyzer from Webroot (CompUSA Tech Tool) and I have this:

Trojans - (1)

trojan-downloader-afy

Adware - (9)

ezula ilookup
elitemediagroup-mediamotor
zenosearchassistant
enbrowser
maxifiles
mirar webband
webhancer
elitemediagroup-pop64
targetsaver

Adware Cookies - (52)

webtrends cookie
sextracker cookie
advertising cookie
fastclick cookie
addynamix cookie
tradedoubler cookie
netster cookie
tribalfusion cookie
realmedia cookie
atlas dmt cookie
bluestreak cookie
bravenet cookie
qksrv cookie
fortunecity cookie
questionmarket cookie
adknowledge cookie
burstnet cookie
server.iad.liveperson cookie
valuead cookie
webtrendslive cookie
targetnet cookie
trafficmp cookie
falkag cookie
pointroll cookie
pricegrabber cookie
zedo cookie
2o7.net cookie
dealtime cookie
casalemedia cookie
ru4 cookie
revenue.net cookie
findwhat cookie
stopzilla cookie
statcounter cookie
adrevolver cookie
seeq cookie
adultfriendfinder cookie
7search cookie
enhance cookie
yadro cookie
mygeek cookie
reliablestats cookie
infospace cookie
apmebf cookie
websponsors cookie
burstbeacon cookie
yieldmanager cookie
adjuggler cookie
directtrack cookie
clickbank cookie
mediaplex cookie
tacoda cookie
  • 0
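A triage script for a HijackThis log of the kind posted above, added here as an example (it is not a tool from this thread or from the Geeks to Go staff). It takes a handful of the posted entries as constructed sample input and flags the patterns that stand out first to a removal helper: entries whose file is missing, executables sitting directly in the Windows directory, digit-heavy file names, a DLL handed to rundll32 by bare name, an AppInit_DLLs entry, and an O16 ActiveX download from a host outside an allowlist. The allowlist (TRUSTED_DPF_HOSTS), the digit threshold and the reason codes are assumptions of this example.

```python
"""Triage helper for HijackThis-style logs (added example, not a tool from
the thread). It parses the numbered entries (O2, O4, O16, O20, ...) and
flags patterns a malware-removal helper looks at first. A flag is a prompt
to investigate, not a verdict."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - E:\WINDOWS\system32\nsd5.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - E:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [xxdde4b4] RUNDLL32.EXE w200d0c3.dll,n 005de4af00000002200d0c3
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TheMonitor] E:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [ms038393925147] E:\WINDOWS\ms038393925147.exe
O4 - Startup: Think-Adz.lnk = E:\WINDOWS\system32\twinnpem.exe
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
""".strip()

# Constructed allowlist (assumption): hosts from which an O16 ActiveX
# download would be expected on an XP machine of that era.
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "java.sun.com")

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A drive-letter path up to the first .exe/.dll (lazy, so spaces are allowed).
FULL_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.I)
# A file name with no directory in front of it (not preceded by \ or a word char).
BARE_NAME_RE = re.compile(r"(?<![\\\w])([\w~-]+\.(?:exe|dll))\b", re.I)
WINDOWS_ROOT_RE = re.compile(r"[a-z]:\\windows")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    code: str      # short reason code (assumed naming)
    detail: str    # the file name or host that triggered the flag
    line: str      # the full log line


def looks_random(filename: str) -> bool:
    """Digit-heavy stems such as ms038393925147 or w200d0c3 (threshold is an assumption)."""
    stem = filename.rsplit(".", 1)[0]
    return sum(ch.isdigit() for ch in stem) >= 4


def triage_line(line: str) -> list[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    out: list[Finding] = []

    def flag(code: str, detail: str) -> None:
        out.append(Finding(section, code, detail, line))

    if "(file missing)" in body:
        flag("file-missing", body)          # orphaned entry, leftover of a removed add-on
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        flag("appinit-dll", body.split(":", 1)[1].strip())   # loaded into every GUI process
    if section == "O16":
        for host in URL_HOST_RE.findall(body):
            h = host.lower()
            if not any(h == t or h.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                flag("unknown-dpf-host", h)

    full_paths = FULL_PATH_RE.findall(body)
    bare_names = BARE_NAME_RE.findall(body)
    for path in full_paths:
        directory, name = path.rsplit("\\", 1)
        if WINDOWS_ROOT_RE.fullmatch(directory.lower()):
            flag("windows-root-exe", name)  # binaries normally live in system32 or Program Files
    for name in [p.rsplit("\\", 1)[1] for p in full_paths] + bare_names:
        if looks_random(name):
            flag("random-name", name)
    if "rundll32" in body.lower():
        for name in bare_names:
            if name.lower().endswith(".dll"):
                flag("rundll32-bare-dll", name)  # DLL resolved by search path, not full path
    return out


def triage(log_text: str) -> list[Finding]:
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summary(log_text: str) -> Counter:
    return Counter(f.code for f in triage(log_text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.code:<18}{f.detail}")
    print(dict(summary(SAMPLE_LOG)))
```

Flags are prompts, not verdicts: the nsd5.dll BHO and the twinnpem.exe startup item pass every heuristic here, so unflagged entries still need a reputation lookup or a human eye, which is exactly why such logs get posted to a forum like this one.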
#2 waterfalls (Retired Staff, In Memoriam, 94 posts)

Hi,

Your system is very infected. Please follow the directions in the order stated. You will need to print these instructions because you will eventually need to close all browsers.

• Download Brute Force Uninstaller.
- Unzip it to a folder of its own (C:\BFU).
- Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
- Start the Brute Force Uninstaller by double-clicking BFU.exe
- Next to the 'Scriptfile to execute'-window you'll see a small, blue icon: http://users.telenet...ges/bfuicon.gif
- When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
- In the field, copy and paste this URL: http://metallica.geekstogo.com/alcanshorty.bfu
- Click Ok.
- Then click 'Execute'.

Note: If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, manually download the script by going to: http://metallica.gee...alcanshorty.bfu
- Click File, select 'Save As' and save it in your C:\BFU folder
- Then start BFU.exe again and click the icon of a folder next to the 'Scriptfile to execute'
- Navigate to the alcanshorty.bfu script you downloaded and select it by clicking on it
- Click OK and then click 'Execute' in the Brute Force Uninstaller.


*Wait for the complete script execution box to pop up and press OK.
*Press exit to terminate the BFU program.


• Close ALL BROWSERS and keep them closed throughout the entire removal process.
- Go to Start > Control Panel > Add/Remove Programs
- Select DeluxeCommunications
- Click Remove

If it is not listed, then:
- Go to Start > Run > copy/paste: C:\Program Files\DeluxeCommunications\Dxc.exe /u
- Click OK

Whichever way worked, you will get a prompt to enter a security code. Enter the security code and click OK.
- The uninstall process will then tell you that all browser windows will be closed if you continue. Press the Yes button to continue uninstalling DeluxeCommunications.
- Finally, when it asks if you would like to reboot, press the Yes button so that your computer reboots.

• Then right-click onto FixDXC.reg, select "Save As" or "Save Link As" and save it on your Desktop.
- Double-click on the file
- When it asks if you would like to add the information into the Registry, click on the Yes button and then on the OK button at next prompt
- Search for the following files. If they exist, they will be in the C:\Documents and Settings\\Application Data folder. When you find these files, delete them.
Dxcknwrd.dll
Dxccwrd.dll


• Reboot your computer.

• Post back with a new HijackThis log.