
Thread: please help Win32 trojan no luck so far

  1. #1
    Junior Member | Join Date: Oct 2007 | Posts: 5

    please help Win32 trojan no luck so far

    Hi, I'm new here; sorry if I'm not following protocol. I'm not totally sure, but I think I have the Win32 trojan because I'm getting fake Windows messages telling me to download a spyware program, and pages seem to open automatically without clicking. I have NOD32 antivirus and have just run the latest version of Spybot Search and Destroy and deleted all the red symbols. I have a txt file I saved from it, but it's rather long. NOD32 can't detect whatever trojan I have; neither can Spybot. I'm sick of this popup coming up asking me to download Ultimate Defender. Can someone please help? Here are the results of the latest version of HijackThis:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\HPConfig.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php...MjI6Ojg5&lid=2
    O1 - Hosts: 213.239.215.227 cache9.winmxgroup.com
    O1 - Hosts: 62.49.233.225 cache8.winmxgroup.com
    O1 - Hosts: 82.38.219.252 cache7.winmxgroup.com
    O1 - Hosts: 74.208.72.61 cache6.winmxgroup.com
    O1 - Hosts: 203.173.20.140 cache5.winmxgroup.com
    O1 - Hosts: 74.208.72.61 cache4.winmxgroup.com
    O1 - Hosts: 213.239.215.227 cache3.winmxgroup.com
    O1 - Hosts: 82.38.219.252 cache2.winmxgroup.com
    O1 - Hosts: 203.173.20.140 cache1.winmxgroup.com
    O1 - Hosts: 81.149.88.127 cache0.winmxgroup.com
    O1 - Hosts: 213.239.215.227 cache19.winmxgroup.net
    O1 - Hosts: 62.49.233.225 cache18.winmxgroup.net
    O1 - Hosts: 82.38.219.252 cache17.winmxgroup.net
    O1 - Hosts: 74.208.72.61 cache16.winmxgroup.net
    O1 - Hosts: 203.173.20.140 cache15.winmxgroup.net
    O1 - Hosts: 81.149.88.127 cache14.winmxgroup.net
    O1 - Hosts: 213.239.215.227 cache13.winmxgroup.net
    O1 - Hosts: 62.49.233.225 cache12.winmxgroup.net
    O1 - Hosts: 82.38.219.252 cache11.winmxgroup.net
    O1 - Hosts: 74.208.72.61 cache10.winmxgroup.net
    O1 - Hosts: 203.173.20.140 cache9.winmxgroup.net
    O1 - Hosts: 81.149.88.127 cache8.winmxgroup.net
    O1 - Hosts: 213.239.215.227 cache7.winmxgroup.net
    O1 - Hosts: 62.49.233.225 cache6.winmxgroup.net
    O1 - Hosts: 82.38.219.252 cache5.winmxgroup.net
    O1 - Hosts: 74.208.72.61 cache4.winmxgroup.net
    O1 - Hosts: 203.173.20.140 cache3.winmxgroup.net
    O1 - Hosts: 81.149.88.127 cache2.winmxgroup.net
    O1 - Hosts: 213.239.215.227 cache1.winmxgroup.net
    O1 - Hosts: 62.49.233.225 cache0.winmxgroup.net
    O1 - Hosts: 82.38.219.252 test6.winmxgroup.net
    O1 - Hosts: 74.208.72.61 test5.winmxgroup.net
    O1 - Hosts: 203.173.20.140 test4.winmxgroup.net
    O1 - Hosts: 81.149.88.127 test3.winmxgroup.net
    O1 - Hosts: 213.239.215.227 test2.winmxgroup.net
    O1 - Hosts: 62.49.233.225 test1.winmxgroup.net
    O1 - Hosts: 82.38.219.252 test0.winmxgroup.net
    O1 - Hosts: 81.149.88.127 winmx-com-v30.winmxgroup.com
    O1 - Hosts: 81.149.88.127 winmx.com
    O1 - Hosts: 81.149.88.127 winmx-com.winmxgroup.com
    O1 - Hosts: 81.149.88.127 blocklist.winmxgroup.net
    O1 - Hosts: 81.149.88.127 blocklist-master.winmxgroup.net
    O1 - Hosts: 81.149.88.127 flooders.block-list.winmxgroup.com
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O21 - SSODL: sysdx - {42EAF0A0-CE8F-4B1F-823E-AF64EE7AE7D8} - C:\WINDOWS\sysdx.dll
    O21 - SSODL: msvb - {44ADA429-076F-4AA6-A6C7-4ACFA35E4569} - C:\WINDOWS\msvb.dll
    O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

  2. #2
    Junior Member | Join Date: Oct 2007 | Posts: 5

    by the way if it helps any

    I have a red and white X flashing at the bottom of my screen next to the internet connection icon.

  3. #3
    Junior Member | Join Date: Oct 2007 | Posts: 5

    please

    Can anyone help me please?

  4. #4
    Junior Member | Join Date: Oct 2007 | Posts: 5

    SDFix

    No one has replied, but I installed SDFix, which seemed to work for 5 hrs; then all of a sudden the trojan came back again, strangely when I was offline. Here's the log from SDFix:

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Default HomePage Value
    Restoring Default Desktop Components Value

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\Documents and Settings\User\Desktop\Error Cleaner.url - Deleted
    C:\Documents and Settings\User\Favorites\Error Cleaner.url - Deleted
    C:\Documents and Settings\User\Desktop\Privacy Protector.url - Deleted
    C:\Documents and Settings\User\Favorites\Privacy Protector.url - Deleted
    C:\Documents and Settings\User\Desktop\Spyware&Malware Protection.url - Deleted
    C:\Documents and Settings\User\Favorites\Spyware&Malware Protection.url - Deleted
    C:\WINDOWS\privacy_danger\index.htm - Deleted
    C:\WINDOWS\privacy_danger\images\capt.gif - Deleted
    C:\WINDOWS\privacy_danger\images\danger.jpg - Deleted
    C:\WINDOWS\privacy_danger\images\down.gif - Deleted
    C:\WINDOWS\privacy_danger\images\spacer.gif - Deleted


    Folder C:\WINDOWS\privacy_danger - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\BitTornado\\btdownloadgui.exe"="C:\\Program Files\\BitTornado\\btdownloadgui.exe:*:Enabled:btdownloadgui"
    "C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
    "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="C:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Enabled:VLC media player"
    "C:\\Program Files\\Media Player Classic\\mplayerc.exe"="C:\\Program Files\\Media Player Classic\\mplayerc.exe:*:Enabled:Media Player Classic"
    "C:\\Program Files\\Xi\\NetXfer\\NetTransport.exe"="C:\\Program Files\\Xi\\NetXfer\\NetTransport.exe:*:Enabled:NetXfer Download Manager"
    "C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
    "C:\\Program Files\\Xi\\NetTransport 2\\NetTransport.exe"="C:\\Program Files\\Xi\\NetTransport 2\\NetTransport.exe:*:Enabled:Net Transport"
    "E:\\New Folder\\[APPS] IP Hider (Hide your IP address).exe"="E:\\New Folder\\[APPS] IP Hider (Hide your IP address).exe:*:Enabled:[APPS] IP Hider (Hide your IP address)"
    "C:\\Documents and Settings\\User\\Desktop\\[APPS] IP Hider (Hide your IP address).exe"="C:\\Documents and Settings\\User\\Desktop\\[APPS] IP Hider (Hide your IP address).exe:*:Enabled:[APPS] IP Hider (Hide your IP address)"
    "C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe"="C:\\Program Files\\Red Chair Software\\Anapod Explorer\\anamgr.exe:*:Enabled:Anapod Xtreamer"
    "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
    "C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
    "C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"
    "C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"
    "C:\\Program Files\\ICQ6\\ICQ.exe"="C:\\Program Files\\ICQ6\\ICQ.exe:*:Enabled:ICQ6"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Sun 22 Oct 2006 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Fri 13 Jul 2007 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
    Fri 5 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BIT1.tmp"
    Sun 22 Oct 2006 4,348 ...H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv1key.bak"
    Sun 22 Oct 2006 20 A..H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv1lic.bak"
    Sun 22 Oct 2006 312 ...H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv2key.bak"
    Sun 22 Oct 2006 1,536 A..H. --- "C:\Documents and Settings\User\My Documents\My Music\License Backup\drmv2lic.bak"

    Finished!
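
An added example, not part of the original thread: a small Python triage script over lines in the HijackThis log format posted in #1. It groups the "O1 - Hosts:" redirections by target IP (the hosts-file edit that SDFix's "Restoring Windows Default Hosts File" step in #4 reverts) and lists "O21 - SSODL:" DLL paths outside the usual install directories for manual review. The sample lines are copied from the log above; the script selects entries for a human to look at and does not decide that any of them is malicious.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis log format; the lines are copied from
# the log posted in this thread.
SAMPLE_LOG = """\
O1 - Hosts: 213.239.215.227 cache9.winmxgroup.com
O1 - Hosts: 81.149.88.127 winmx.com
O1 - Hosts: 81.149.88.127 blocklist.winmxgroup.net
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O21 - SSODL: sysdx - {42EAF0A0-CE8F-4B1F-823E-AF64EE7AE7D8} - C:\\WINDOWS\\sysdx.dll
"""

# Each HJT finding is "<section> - <body>"; process-list and blank lines are skipped.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")

def parse_hjt(text):
    """Return the log's findings as (section, body) pairs."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries

def hosts_redirections(entries):
    """Group O1 hostnames by the IP the hosts file maps them to. A default
    hosts file maps only localhost, so any O1 line means the file was edited;
    SDFix's 'Restoring Windows Default Hosts File' step reverts exactly this."""
    by_ip = defaultdict(list)
    for sec, body in entries:
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body) if sec == "O1" else None
        if m:
            by_ip[m.group(1)].append(m.group(2))
    return dict(by_ip)

# Directories where shell-extension DLLs are normally installed.
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\", "c:\\progra~1\\")

def ssodl_outside_expected_dirs(entries):
    """List O21 (ShellServiceObjectDelayLoad) DLL paths outside EXPECTED_DIRS.
    The shell loads these at logon, so an unusual path deserves a manual look;
    this only selects paths, it does not judge them."""
    flagged = []
    for sec, body in entries:
        if sec == "O21":
            path = body.rsplit(" - ", 1)[-1].strip()
            if not path.lower().startswith(EXPECTED_DIRS):
                flagged.append(path)
    return flagged
```

Run `parse_hjt` on a full pasted log and feed the result to both functions; the O2 BHO line in the sample shows that only O21 entries are considered by the SSODL check.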

  5. #5
    Junior Member | Join Date: Oct 2007 | Posts: 5

    helpppppppppp

    By the way, is it possible to put a trojan on a DVD? I was burning a DVD when the trojan came back again.

  6. #6
    pskelley (In Memoriam - Always in our heart) | Join Date: Oct 2005 | Location: Clearwater, Florida | Posts: 20,247

    Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    The Waiting Room
    http://forums.spybot.info/forumdisplay.php?f=37

    You seem to have missed all of the instructions pinned to the top of the forum. If you still have problems, read those instructions and post the two logs requested.
    Provide:
    a) The HJT log. (post a complete HJT log this time)
    b) The Kaspersky log report.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  7. #7
    tashi, Member of Team Spybot | Join Date: Oct 2005 | Location: USA | Posts: 30,961

    This topic has been moved to archives.

    If you need the thread re-opened, please send me a private message (pm) and provide a link.

    Applies only to the original poster, anyone else with similar problems please start your own topic.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
