win32.vb.pw, hupigon13, win32.delf.uv, win32.agent.tdd

vost42

New member
Hello,

Well this ain't good. After running SpybotS&D multiple times I keep getting the following coming back:

win32.vb.pw
hupigon13
win32.delf.uv
win32.agent.tdd

I have created a registry backup.

Any help would be well appreciated.

Here is the Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:34 AM, on 31/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drtesm.exe
C:\WINDOWS\system32\dtesm.exe
C:\WINDOWS\system32\ertesm.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\krtesm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mrtesm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\trtesm.exe
C:\WINDOWS\system32\yasnp.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 60.173.10.4 www.qv0d996.cn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [updater] C:\WINDOWS\system32\updater.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [ming9bstart] C:\WINDOWS\system\ming9b090423.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
O20 - AppInit_DLLs: 3hc3s7r2.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: drtesm - Unknown owner - C:\WINDOWS\system32\drtesm.exe
O23 - Service: dtesm - Unknown owner - C:\WINDOWS\system32\dtesm.exe
O23 - Service: ertesm - Unknown owner - C:\WINDOWS\system32\ertesm.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: krtesm - Unknown owner - C:\WINDOWS\system32\krtesm.exe
O23 - Service: mrtesm - Unknown owner - C:\WINDOWS\system32\mrtesm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: trtesm - Unknown owner - C:\WINDOWS\system32\trtesm.exe
O23 - Service: yasnp - Unknown owner - C:\WINDOWS\system32\yasnp.exe

--
End of file - 6780 bytes
 
Hi vost42

Please click this link-->Jotti

Copy/paste the first file on the list into the white "Upload a file" box and click Submit/Send (depending on whether you are using Jotti or VirusTotal).

C:\WINDOWS\system32\drtesm.exe
C:\WINDOWS\system32\yasnp.exe


Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
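As an added example (not code from this thread, from HijackThis or from Jotti), a small Python triage script that applies the same heuristics the helper used to pick files out of the log above, and generalises them to the other entry types a reviewer looks at first: services with no vendor string, the AppInit_DLLs entry, a hosts-file override and a Policies\Explorer\Run autostart. The sample lines are copied from the quoted log; the regexes are my assumptions about the HijackThis 2.0.2 line format, and the output is a list to submit for scanning, not a verdict.

```python
import re

# Constructed sample: lines in HijackThis 2.0.2 format copied from the log
# quoted above, plus one benign O4 and one benign O23 line for contrast.
SAMPLE_LOG = """\
O1 - Hosts: 60.173.10.4 www.qv0d996.cn
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Policies\\Explorer\\Run: [ming9bstart] C:\\WINDOWS\\system\\ming9b090423.exe
O20 - AppInit_DLLs: 3hc3s7r2.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
O23 - Service: drtesm - Unknown owner - C:\\WINDOWS\\system32\\drtesm.exe
O23 - Service: yasnp - Unknown owner - C:\\WINDOWS\\system32\\yasnp.exe
"""

# Assumed line shapes (as seen in the HijackThis 2.0.2 output quoted above):
#   O23 - Service: <name> - <owner> - <path>
#   O4 - <registry key>: [<value name>] <command line>
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>.+?)\] (?P<cmd>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:exe|dll)', re.IGNORECASE)

def triage(log_text):
    r"""Return (section, reason, detail) tuples for entries worth a second look.
    Heuristics, not verdicts: a service with no vendor string, an AppInit_DLLs
    entry (loaded into every process that links user32), a hosts-file override,
    and an autostart under Policies\Explorer\Run, rarely used by installers."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            findings.append(("O1", "hosts-file override", line.split(":", 1)[1].strip()))
        elif line.startswith("O20 - AppInit_DLLs:"):
            findings.append(("O20", "AppInit_DLLs entry", line.split(":", 1)[1].strip()))
        elif (m := RUN_RE.match(line)):
            if "Policies\\Explorer\\Run" in m["key"]:
                findings.append(("O4", "Policies\\Explorer\\Run autostart", m["cmd"]))
        elif (m := SERVICE_RE.match(line)):
            if m["owner"] == "Unknown owner":
                findings.append(("O23", "service without vendor string", m["path"]))
    return findings

def files_to_submit(findings):
    """Distinct on-disk executables named in the findings: the list one would
    hash and submit to a multi-engine scanner such as Jotti or VirusTotal."""
    paths = []
    for _, _, detail in findings:
        m = PATH_RE.search(detail)
        if m and m.group(0) not in paths:
            paths.append(m.group(0))
    return paths
```

Run against the full log, the same heuristics also surface the O4 `updater.exe` entry only if you add a rule for bare system32 autostarts; the script deliberately flags only the four entry types named in its docstring.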
 
C:\WINDOWS\system32\drtesm.exe
[ArcaVir]
2009-08-03 Found nothing
[G DATA]
2009-08-04 Trojan.Crypt.CY
[A-Squared]
2009-08-04 Trojan-Downloader.Win32.Apher!IK
[Ikarus]
2009-08-03 Trojan-Downloader.Win32.Apher
[Avast! antivirus]
2009-08-03 Found nothing
[Kaspersky Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gma
[Grisoft AVG Anti-Virus]
2009-08-03 Dropper.Rozena
[ESET NOD32]
2009-08-03 Win32/Agent.NOV
[Avira AntiVir]
2009-08-03 TR/Downloader.Gen
[Norman Virus Control]
2009-08-03 W32/Agent.OXNZ
[Softwin BitDefender]
2009-08-03 Trojan.Crypt.CY
[Panda Antivirus]
2009-08-03 Found nothing
[ClamAV]
2009-08-03 Found nothing
[Quick Heal]
2009-08-03 TrojanDownloader.Apher.gmd
[CPsecure]
2009-08-03 Found nothing
[Sophos]
2009-08-04 Mal/Generic-A
[Dr.Web]
2009-08-04 Trojan.DownLoad.42319
[VirusBlokAda VBA32]
2009-08-02 Trojan.Win32.Inject.2
[Frisk F-Prot Antivirus]
2009-08-03 W32/QQhelper.C.gen!Eldorado
[VirusBuster]
2009-08-03 Found nothing
[F-Secure Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gma


C:\WINDOWS\system32\yasnp.exe
[ArcaVir]
2009-08-03 Downloader.Apher.Gki
[G DATA]
2009-08-04 Gen:Trojan.Heur.PT.bmW@aafQLBf
[A-Squared]
2009-08-04 Trojan-Downloader.Win32.Apher!IK
[Ikarus]
2009-08-03 Trojan-Downloader.Win32.Apher
[Avast! antivirus]
2009-08-03 Win32:Trojan-gen {Other}
[Kaspersky Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gki
[Grisoft AVG Anti-Virus]
2009-08-03 Downloader.Rozena
[ESET NOD32]
2009-08-03 Win32/Agent.NOV
[Avira AntiVir]
2009-08-03 TR/Crypt.ZPACK.Gen
[Norman Virus Control]
2009-08-03 Found nothing
[Softwin BitDefender]
2009-08-03 Gen:Trojan.Heur.PT.bmW@aafQLBf
[Panda Antivirus]
2009-08-03 Trj/Downloader.MDW
[ClamAV]
2009-08-03 Found nothing
[Quick Heal]
2009-08-03 TrojanDownloader.Apher.gki
[CPsecure]
2009-08-03 Troj.GameThief.W32.Agent.bs
[Sophos]
2009-08-04 Mal/Generic-A
[Dr.Web]
2009-08-04 DDoS.Attack.238
[VirusBlokAda VBA32]
2009-08-02 Trojan.Win32.Inject.2
[Frisk F-Prot Antivirus]
2009-08-03 W32/QQhelper.C.gen!Eldorado
[VirusBuster]
2009-08-03 Found nothing
[F-Secure Anti-Virus]
2009-08-03 Trojan-Downloader.Win32.Apher.gki
 
Yes those are bad.

Looking over your log, it seems there is no evidence of any anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading the infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

After that, please post back a fresh HijackThis log.
 
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.
 