PDA

View Full Version : win32.vb.pw, hupigon13, win32.delf.uv,win32.agent.tdd


vost42
2009-07-31, 01:34
Hello,

Well this ain't good. After running SpybotS&D multiple times I keep getting the following coming back:

win32.vb.pw
hupigon13
win32.delf.uv
win32.agent.tdd

I have created a registry backup.

Any help would be well appreciated.

Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:34 AM, on 31/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drtesm.exe
C:\WINDOWS\system32\dtesm.exe
C:\WINDOWS\system32\ertesm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\krtesm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mrtesm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\trtesm.exe
C:\WINDOWS\system32\yasnp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 60.173.10.4 www.qv0d996.cn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\system32\updater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [ming9bstart] C:\WINDOWS\system\ming9b090423.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O20 - AppInit_DLLs: 3hc3s7r2.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: drtesm - Unknown owner - C:\WINDOWS\system32\drtesm.exe
O23 - Service: dtesm - Unknown owner - C:\WINDOWS\system32\dtesm.exe
O23 - Service: ertesm - Unknown owner - C:\WINDOWS\system32\ertesm.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: krtesm - Unknown owner - C:\WINDOWS\system32\krtesm.exe
O23 - Service: mrtesm - Unknown owner - C:\WINDOWS\system32\mrtesm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: trtesm - Unknown owner - C:\WINDOWS\system32\trtesm.exe
O23 - Service: yasnp - Unknown owner - C:\WINDOWS\system32\yasnp.exe

--
End of file - 6780 bytes
Shaba
2009-08-01, 11:04
Hi vost42

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\drtesm.exe
C:\WINDOWS\system32\yasnp.exe

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
vost42
2009-08-04, 02:05
C:\WINDOWS\system32\drtesm.exe
[ArcaVir]
2009-08-03 Found nothing
[G DATA]
2009-08-04 Trojan.Crypt.CY
[A-Squared]
2009-08-04 Trojan-Downloader.Win32.Apher!IK
[Ikarus]
2009-08-03 Trojan-Downloader.Win32.Apher
[Avast! antivirus]
2009-08-03 Found nothing
[Kaspersky Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gma
[Grisoft AVG Anti-Virus]
2009-08-03 Dropper.Rozena
[ESET NOD32]
2009-08-03 Win32/Agent.NOV
[Avira AntiVir]
2009-08-03 TR/Downloader.Gen
[Norman Virus Control]
2009-08-03 W32/Agent.OXNZ
[Softwin BitDefender]
2009-08-03 Trojan.Crypt.CY
[Panda Antivirus]
2009-08-03 Found nothing
[ClamAV]
2009-08-03 Found nothing
[Quick Heal]
2009-08-03 TrojanDownloader.Apher.gmd
[CPsecure]
2009-08-03 Found nothing
[Sophos]
2009-08-04 Mal/Generic-A
[Dr.Web]
2009-08-04 Trojan.DownLoad.42319
[VirusBlokAda VBA32]
2009-08-02 Trojan.Win32.Inject.2
[Frisk F-Prot Antivirus]
2009-08-03 W32/QQhelper.C.gen!Eldorado
[VirusBuster]
2009-08-03 Found nothing
[F-Secure Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gma


C:\WINDOWS\system32\yasnp.exe
[ArcaVir]
2009-08-03 Downloader.Apher.Gki
[G DATA]
2009-08-04 Gen:Trojan.Heur.PT.bmW@aafQLBf
[A-Squared]
2009-08-04 Trojan-Downloader.Win32.Apher!IK
[Ikarus]
2009-08-03 Trojan-Downloader.Win32.Apher
[Avast! antivirus]
2009-08-03 Win32:Trojan-gen {Other}
[Kaspersky Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gki
[Grisoft AVG Anti-Virus]
2009-08-03 Downloader.Rozena
[ESET NOD32]
2009-08-03 Win32/Agent.NOV
[Avira AntiVir]
2009-08-03 TR/Crypt.ZPACK.Gen
[Norman Virus Control]
2009-08-03 Found nothing
[Softwin BitDefender]
2009-08-03 Gen:Trojan.Heur.PT.bmW@aafQLBf
[Panda Antivirus]
2009-08-03 Trj/Downloader.MDW
[ClamAV]
2009-08-03 Found nothing
[Quick Heal]
2009-08-03 TrojanDownloader.Apher.gki
[CPsecure]
2009-08-03 Troj.GameThief.W32.Agent.bs
[Sophos]
2009-08-04 Mal/Generic-A
[Dr.Web]
2009-08-04 DDoS.Attack.238
[VirusBlokAda VBA32]
2009-08-02 Trojan.Win32.Inject.2
[Frisk F-Prot Antivirus]
2009-08-03 W32/QQhelper.C.gen!Eldorado
[VirusBuster]
2009-08-03 Found nothing
[F-Secure Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gki
Shaba
2009-08-04, 06:02
Yes those are bad.

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/)- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/ww.homepage) - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

After that, please post back a fresh HijackThis log.
Shaba
2009-08-11, 07:47
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.