
Thread: Please Help !!!!!

  1. #1
    Member
    Join Date
    Oct 2007
    Posts
    63

    Default

    Scanner results for C:\WINDOWS\xlavra3.exe
    Scan taken on 14 Oct 2007 15:17:10 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found Downloader.Agent.TYK
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.eao
    Fortinet Found W32/Agent.EAO!tr.dldr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.eao
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    Scanner results for C:\WINDOWS\system32\lasse.exe
    Scan taken on 14 Oct 2007 15:24:51 (GMT)
    A-Squared Found nothing
    AntiVir Found HEUR/Crypted
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found IRC/BackDoor.SdBot3.TSJ
    BitDefender Found BehavesLike:Win32.ExplorerHijack (probable variant)
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found SDBot.gen9
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found Mal/Basine-C
    VirusBuster Found nothing
    VBA32 Found nothing


    Scanner results for C:\WINDOWS\smcss.exe
    Scan taken on 14 Oct 2007 15:29:25 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found Win32:VB-FEW
    AVG Antivirus Found BackDoor.Generic8.HUS
    BitDefender Found Backdoor.Agent.YWI
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found Win32.HLLW.SpyBot
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found Win32/IRCBot.AAB
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found Win32.HLLW.SpyBot


    Scanner results for C:\WINDOWS\chkdsk32_.exe
    Scan taken on 14 Oct 2007 15:32:20 (GMT)
    A-Squared Found nothing
    AntiVir Found TR/Dldr.VB.bai.2
    ArcaVir Found nothing
    Avast Found Win32:VB-FBZ
    AVG Antivirus Found Downloader.Generic6.MKC
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found Trojan.Click.4037
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Downloader.Win32.VB.bai
    Fortinet Found W32/VB.BAI!tr.dldr
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.bai
    NOD32 Found probably unknown NewHeur_PE (probable variant)
    Norman Virus Control Found W32/DLoader.DTZZ
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.VB.bai



    Scanner results for C:\Documents and Settings\user\dodolook020.exe
    Scan taken on 14 Oct 2007 15:36:25 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found Win32:Adware-gen.
    AVG Antivirus Found nothing
    BitDefender Found Trojan.Cinmeng.A, Generic.Adw.Cinmus.2.D099F095, Adware.Cinmus.F
    ClamAV Found Trojan.Dropper-1805
    CPsecure Found AdWare.W32.Cinmus.G
    Dr.Web Found Adware.Cinmus
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found not-a-virus:AdWare.Win32.Cinmus.po (4, 1, 400), not-a-virus:AdWare.Win32.Cinmus.j (4, 1, 400)
    Fortinet Found Adware/Cinmus
    Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.Cinmus.po, not-a-virus:AdWare.Win32.Cinmus.j
    NOD32 Found a variant of Win32/Adware.Cinmus application
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found AdWare.Win32.Cinmus.j


    Thank you very much.
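
The multi-engine output above is easiest to reason about once it is aggregated per file. The following Python helper is an added example, not part of the original thread or of any scanner's own tooling: it parses the "Scanner results for ..." / "<engine> Found <verdict>" layout quoted in the post and summarises, per file, how many engines flagged it and which behaviour classes the vendor names imply (the keyword table and the shortened sample are assumptions constructed for the example).

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the scanner output quoted in post #1
# (engine list shortened; the verdicts are the ones shown on the page).
SAMPLE = """\
Scanner results for C:\\WINDOWS\\system32\\lasse.exe
A-Squared Found nothing
AVG Antivirus Found IRC/BackDoor.SdBot3.TSJ
Norman Virus Control Found SDBot.gen9
Sophos Antivirus Found Mal/Basine-C

Scanner results for C:\\WINDOWS\\chkdsk32_.exe
AVG Antivirus Found Downloader.Generic6.MKC
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.VB.bai
Panda Antivirus Found nothing
"""

# Vendor names differ, so map substrings of the detection name to a behaviour class
# (assumed keyword table; extend it for the families you care about).
FAMILY_KEYWORDS = {
    "backdoor": ("backdoor", "sdbot", "ircbot", "spybot"),
    "downloader": ("downloader", "dldr", "dloader"),
    "adware": ("adware", "adw.", "cinmus"),
}
VERDICT_RE = re.compile(r"^(?P<engine>.+?) Found (?P<verdict>.+)$")


def parse_scan_results(text):
    """Return {path: [(engine, verdict), ...]} for each 'Scanner results' block."""
    results, current = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Scanner results for "):
            current = line[len("Scanner results for "):]
        elif current and (m := VERDICT_RE.match(line)):
            results[current].append((m["engine"], m["verdict"]))
    return dict(results)

def classify(verdict):
    """Behaviour classes implied by one vendor detection name (may be empty)."""
    v = verdict.lower()
    return {fam for fam, keys in FAMILY_KEYWORDS.items() if any(k in v for k in keys)}

def triage(text):
    """Per file: engines consulted, engines that detected, union of classes."""
    summary = {}
    for path, hits in parse_scan_results(text).items():
        detected = [v for _, v in hits if v.lower() != "nothing"]
        summary[path] = {"engines": len(hits), "detections": len(detected),
                         "classes": set().union(*[classify(v) for v in detected])}
    return summary
```

A file that several engines tag with a backdoor or bot family is the one to treat as a full compromise, which is the conclusion the next reply draws from these results.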

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    One or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Member
    Join Date
    Oct 2007
    Posts
    63

    Default

    From your reply I don't understand much, but I think you told me that I should format my computer and reinstall a new Windows, but I don't know what to do.

  4. #4
    Member
    Join Date
    Oct 2007
    Posts
    63

    Default

    I prefer to clean this, because right now I think format is the last option to choose. Thank you very much.

  5. #5
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    I meant by my previous reply that you have backdoors, rootkits and bots on your computer, which all put your privacy at risk.

    If you have used a credit card and/or online banking via this computer, I highly recommend a reformat (I can give you instructions for that).

    Let me know your final decision.

  6. #6
    Member
    Join Date
    Oct 2007
    Posts
    63

    Default

    If I reformat this computer, my files or everything I stored will be deleted, right? So about the financial transactions on this computer, I will not do it.

    Can you help me clean this computer? Thank you very much...

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    "If I reformat this computer, my files or everything I stored will be deleted, right?"

    Yes.

    Then we continue this way:

    Download suspicious file packer from here

    Unzip it to the desktop, open it and paste in the list of files below, then press Next and it will create an archive (zip/cab file) on the desktop.

    C:\WINDOWS\xlavra3.exe
    C:\WINDOWS\system32\lasse.exe
    C:\WINDOWS\smcss.exe
    C:\WINDOWS\chkdsk32_.exe
    C:\Documents and Settings\user\dodolook020.exe

    Go to spykiller

    Press new topic, make threads title "Files for Shaba"
    Include to your message a link to here, then attach the cab/zip file to your message and post the topic
    If you can't locate it through the Browse button, just copy/paste the filename and path.

    Let me know when you have done that; we'll continue then.

  8. #8
    Member
    Join Date
    Oct 2007
    Posts
    63

    Default nishikamae

    I have done it, thank you.

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Let's check this next:

    Download SDFix and save it to your Desktop.

    Double-click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

  10. #10
    Member
    Join Date
    Oct 2007
    Posts
    63

    Default nishikamae

    Here is the report log file from SDFix:

    SDFix: Version 1.109

    Run by user on Mon 10/15/2007 at 11:04 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\VBXTCT32.DLL - Deleted



    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------




    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"="C:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe:*:Enabled:McAfee Framework Service"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Mon 25 Sep 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Mon 7 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
    Fri 23 Mar 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
    Mon 7 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp"
    Sun 2 Sep 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv04.tmp"
    Sun 2 Sep 2007 2,391,944 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\40c2135ce9cffcf3bdfeed14e0704266\BITA8.tmp"
    Mon 3 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a877011d990fb4875b54ce0706b47f90\BIT5.tmp"

    Finished!
