Trojan. Don't know what happened!

hi demonic_angel,

Thanks for all the info. That was long, but it all looks ok. Those O4 entries: let's try HJT again. Make sure Ad-Aware's Ad-Watch isn't running. You can disable it like this:

1. Right click on the Ad-Watch icon in the system tray and select "Restore Ad-Watch".
2. At the bottom of the screen there will be two checkable items called "Active" and "Automatic".

Active: Switches Monitoring On or Off without closing
Automatic: Switches Automatic Blocking On or Off

3. Uncheck (red X) both items.
----------------------------------------
Scan with HJT, put a checkmark beside the items below, close all windows and click "Fix checked".

O4 - HKLM\..\Run: [AVPSrv] C:\WINDOWS\AVPSrv.exe
O4 - HKLM\..\Run: [mppds] C:\WINDOWS\mppds.exe
O4 - HKLM\..\Run: [cmdbcs] C:\WINDOWS\cmdbcs.exe
O4 - HKLM\..\Run: [msccrt] C:\WINDOWS\msccrt.exe
O4 - HKLM\..\Run: [upxdnd] C:\WINDOWS\upxdnd.exe
O4 - HKCU\..\Run: [8u3] C:\DOCUME~1\DARREL~1\LOCALS~1\Temp\c0nime.exe
-----------------------------------------
Let's try another online scan, this time at F-Secure:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

Click the "Start scanning" button.
After the ActiveX applet installs, click Full System Scan.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the "Automatic cleaning (recommended)" button.

Click the Show Report button and copy and paste the entire report in your next reply along with a fresh HijackThis log.

shelf life
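The O4 entries listed above all share one trait: an executable sitting directly in C:\WINDOWS\ or under a user's Temp directory, which legitimate Run entries almost never do. Below is an added example (not part of the thread, and not a HijackThis feature) that walks the same HKLM/HKCU Run keys HijackThis reports as O4, pulls the image path out of each value, and flags those two locations alongside the file's Authenticode status. The location heuristic and the key list are my own assumptions; a flag is a prompt to look, not a verdict.

```powershell
# Added example: audit the Run/RunOnce keys (HijackThis "O4" lines) and flag
# images living directly in %WINDIR% or under a Temp path. Heuristic only.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Members Get-ItemProperty adds that are not registry values.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ImagePath {
    param([string]$Command)
    # Quoted path first; otherwise the first token ending in .exe. An unquoted
    # path containing spaces is ambiguous and falls back to the first token.
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd -match '^"([^"]+)"')   { return $Matches[1] }
    if ($cmd -match '^(\S+?\.exe)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-SuspiciousLocation {
    param([string]$Path)
    $winDir = [Environment]::GetFolderPath('Windows').TrimEnd('\')
    $dir = Split-Path -Path $Path -Parent
    # Assumption: droppers like the ones in this thread sit in C:\WINDOWS\ itself
    # (not System32) or in ...\Local Settings\Temp.
    if ($dir -and ($dir.TrimEnd('\') -ieq $winDir)) { return $true }
    if ($Path -imatch '\\Temp\\') { return $true }
    return $false
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($metaProps -contains $p.Name) { continue }
        $image  = Get-ImagePath -Command ([string]$p.Value)
        $exists = Test-Path -LiteralPath $image
        # Unsigned or missing images deserve a second look; signed ones usually do not.
        $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $image).Status } else { 'Missing' }
        [pscustomobject]@{
            # Shorten the key the way HijackThis prints it, e.g. HKLM\..\Run
            Key        = $key -replace ':\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion', '\..'
            Name       = $p.Name
            Image      = $image
            Signature  = $sig
            Suspicious = Test-SuspiciousLocation -Path $image
        }
    }
}
```

Run it from an elevated PowerShell and pipe the output to Format-Table. Entries that are both Suspicious and NotSigned or Missing are the ones you would check against a fresh HijackThis log before fixing anything.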
 
Scanning Report
Tuesday, May 29, 2007 08:40:41 - 15:28:37
Computer name: DARRELL
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 6 malware found
Backdoor.Win32.Agent.ahj (virus)
C:\WINDOWS\SYSTEM32\N1116660084K.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\N1116660201K.EXE (Renamed & Submitted)
Trojan-PSW.Win32.OnLineGames.te (virus)
C:\WINDOWS\SYSTEM32\K11166423988.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\K11166598938.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\K11797180108.EXE (Renamed & Submitted)
Virus.VBS.Confi (virus)
D:\SYSTEM VOLUME INFORMATION\_RESTORE{8879F6E1-FCF4-4F33-876A-185E7B8FEAC0}\RP174\A0031619.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 38627
System: 4470
Not scanned: 4
Actions:
Disinfected: 0
Renamed: 5
Deleted: 0
None: 1
Submitted: 6
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\CC299263C1FBC6E1DC2382B484BAA392_FF4796C2-F9E6-404D-80BE-655D3F0173C8

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-05-26
F-Secure AVP: 7.0.171, 2007-05-29
F-Secure Orion: 1.2.37, 2007-05-29
F-Secure Blacklight: 1.0.53
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Pegasus: 1.19.0, 2007-04-27
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------

Thanks again
 
I rebooted and ran HJT, because I just got home. When I logged into windows, Ad-watch said that there was an attempt to delete AVPrs.exe and
c0nime.exe. I clicked accept and rescanned with HJT:

Logfile of HijackThis v1.99.1
Scan saved at 5:50:34 PM, on 2007-05-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NMSSvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HI JACK!\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\Program Files\BitComet\tools\BitCometBHO_1.1.3.28.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [AWMON] "C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [BitComet] "D:\Program Files\BitComet\BitComet.exe" /tray
O4 - HKCU\..\Run: [Veoh] "D:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - Global Startup: NOD32 Control Center.lnk = C:\Program Files\ESET\nod32kui.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

it SEEMS to be gone, but I'm not quite sure.

Thanks
 
hi demonic_angel,

Should be ok now. I think it was real-time protection and a non-reboot that were holding us up. I say you are good to go after making a new restore point. Sometimes malware can get archived in the System Restore points. It's easy to make a new one:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

Careful what you get with BitComet. Some P2P info:
http://security-central.us/SafeHex/file_sharing.htm

shelf life
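The same "discard the old restore points, then make a fresh one" procedure can be scripted. The block below is an added example, not something from the thread; it uses the built-in *-ComputerRestore cmdlets, which exist on Windows 7 and later (the XP machine in this thread has only the System Restore tab described above), and must run in an elevated session. The drive list and description are placeholders.

```powershell
# Added example: reset System Restore from PowerShell (Windows 7+, elevated).
# Disabling protection on a drive discards every restore point on it, which is
# the goal when one of those points holds an infected file.

function Reset-RestorePoints {
    param(
        [string[]]$Drives = @('C:\'),                         # assumed drive list
        [string]$Description = 'Clean after malware removal'   # assumed label
    )
    # Count what exists now so the before/after difference is visible.
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count

    Disable-ComputerRestore -Drive $Drives
    Enable-ComputerRestore  -Drive $Drives

    # MODIFY_SETTINGS is the type a manual checkpoint from the GUI gets.
    # Note: Windows 8 and later skip creation if another point was made in the
    # last 24 hours unless SystemRestorePointCreationFrequency is lowered.
    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    $after = @(Get-ComputerRestorePoint)
    [pscustomobject]@{
        PointsBefore = $before
        PointsAfter  = $after.Count
        Newest       = ($after | Sort-Object SequenceNumber | Select-Object -Last 1).Description
    }
}

Reset-RestorePoints -Drives 'C:\', 'D:\'
```

PointsAfter should be 1 and Newest should carry your description; if PointsAfter is larger, protection was not actually disabled on one of the drives and the old points are still there.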
 
Okay, but there's one thing. I just came back from school, and NOD32 detected something trying to attack svchost.exe. Some trojan. It keeps popping up, but I'm not sure if it's gone.
 
Hi, everything seems to be fine, except for the fact that I still have to select from a list when I open the C or D drive. Other than that, nothing seems to be wrong with my computer now. Thanks!
 
hi demonic_angel,

Try this: go to this website:

http://www.dougknox.com/xp/file_assoc.htm

Find the "Drive association fix".

Download it to the desktop; it's a zip file.

Create a new folder on your desktop called "drive".

Double-click the file you downloaded and extract it to the new folder you created (drive).
Double-click the extracted file (.reg) and select Yes when prompted to merge it into the registry.

See if that fixes it.

shelf life
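The .reg file above restores HKCR\Drive, the global class that decides what a double-click on a drive does. As an added example (not from the thread or from the fix's author), here is a read-only check of that key plus two related places the thread does not mention: Explorer's per-user MountPoints2 cache, which keeps the shell verbs it learned from an autorun.inf even after the file that autorun.inf pointed at has been removed, and the autorun.inf itself in the drive root. A leftover verb pointing at a deleted file produces exactly the "choose from a list" prompt on double-click. The script only reports; nothing is changed.

```powershell
# Added example: show the registry state behind the drive double-click verb.
# Read-only. Run per drive letter; requires no elevation for HKCU, but HKCR
# and hidden autorun.inf files are readable by a normal user anyway.

function Get-DriveShellState {
    param([string]$Drive)   # drive letter only, e.g. 'C'
    $root   = "$($Drive):\"
    $result = [ordered]@{ Drive = $root }

    # 1. Global verb for all drives. (Default) under HKCR\Drive\shell is normally
    #    empty or absent; a value naming a custom verb redirects double-click.
    $drvShell = 'Registry::HKEY_CLASSES_ROOT\Drive\shell'
    $result.DriveShellDefault = if (Test-Path -LiteralPath $drvShell) {
        (Get-ItemProperty -LiteralPath $drvShell).'(default)' } else { $null }

    # 2. Per-volume cache built from an autorun.inf Explorer has seen. Verbs and
    #    commands under <letter>\Shell outlive the autorun.inf and its payload.
    $mp       = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\$Drive"
    $shellKey = Join-Path $mp 'Shell'
    $result.MountPointShellKeys = if (Test-Path -LiteralPath $shellKey) {
        Get-ChildItem -LiteralPath $shellKey -Recurse | ForEach-Object {
            $default = (Get-ItemProperty -LiteralPath $_.PSPath).'(default)'
            if ($default) { "$($_.PSChildName) = $default" } else { $_.PSChildName }
        } } else { $null }

    # 3. autorun.inf still present in the volume root? Test-Path sees hidden files.
    $inf = Join-Path $root 'autorun.inf'
    $result.AutorunInf = if (Test-Path -LiteralPath $inf) {
        (Get-Content -LiteralPath $inf -ErrorAction SilentlyContinue) -join "`n" } else { $null }

    [pscustomobject]$result
}

# Check every fixed or removable drive letter present on the machine.
foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' })) {
    Get-DriveShellState -Drive $d.Name | Format-List
}
```

On a healthy machine DriveShellDefault is empty, MountPointShellKeys is empty, and AutorunInf is empty for hard disks. A command under MountPointShellKeys that names a file which no longer exists is the usual cause of the symptom; the fix is removing that per-drive Shell key (and any autorun.inf) rather than re-merging the HKCR\Drive defaults again.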
 
Hi,

I just tried that, and it didn't work. I found that if I right-click and press Open, it doesn't go to the list; it only does when I double-click.

Thanks again
 
hi demonic_angel,

Running out of ideas. Try this: go to Start > Run and type in:

regsvr32 /i shell32.dll

There is a space after the "i".

Then press Enter; a message box should pop up saying it worked.
Reboot the computer once and see.

shelf life
 
hi demonic_angel,

Maybe the virus/trojan infected explorer or something?
It's possible. Viruses that copy themselves into .exe or .dll files can be removed but can leave behind a damaged file. I am not saying that's what happened in your case.


Double-click My Computer; at the top go to Tools > Folder Options > File Types.
See if there is a Restore button under the File Types tab to set everything back to the default settings.

shelf life
 