TechSpot

Abebot and trojandownloader.xs problem

By -r00sta-
Apr 2, 2008
  1. Hello,

    I, like many other people, managed to infect my system with some nasty spyware. Detailed below are the ones causing problems:

    1)

    "Security System Protection Control Panel" TrojanDownloader.XS.

    It is a white and blue window that says "Security system Warning".

    2)
    A red box mentioning something like:

    Alert Details
    File: C:\WINDOWS\wml.exe

    Threat:Abebot

    3)

    System Integrity Scan Wizard
    Warning: Your computer may have critical errors in Windows registry and file system!

    and 4)

    Yellow triangle with an exclamation mark in the bottom right corner where the clock is located. It's constantly prompting me that there is spyware infecting my system and is directing me to a website to download some spyware remover.

    If someone could please help me fix this problem, I would greatly appreciate it.

    I am running on Windows XP.

    thanks,
    Scott
     
  2. kritius

    kritius TS Guru Posts: 2,084

    The first thing that I need you to do for me is to download and install HijackThis.

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.2); it can be downloaded from HERE.
    • Run the HijackThis Installer and it will automatically place HJT in its own folder, usually C:\Program Files\Trend Micro\HijackThis. Please don't change the directory as it is necessary to create backups.
    • After installing, the program launches automatically; select Scan now and save a log.
    • After the scan is complete, attach the log to your reply.
    Do not attempt to fix any item yet.
    Do not add anything to the ignore list.
    Don't use the AnalyseThis button; its findings are dangerous if misinterpreted.

    HijackThis will give me an idea as to what nasty things there are lurking about in your system and will help the both of us get rid of them.

    If you have any problems or questions then please post back.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally attach the Report.txt back on the forum

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please attach the contents of C:\vundofix.txt
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Please Download VirtumundoBeGone by secured2k
    • Save the file to your desktop
    • Close all running programs (including your Internet Browser)
    • Double-click VirtumundoBeGone.exe on the desktop
    • Read the introductory information, and then click Continue
    • Click Start
    • When asked if you want to continue, click Yes to run the fix
    • Click "Save Log"

    Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH, so don't be concerned when this happens. It requires you to manually reboot to restore your normal Windows desktop.

    The log created by VirtumundoBeGone, called VBG.TXT, will be located on your desktop. Please retain VBG.TXT.

    Empty Recycle Bin.

    Reboot and attach the VBG.TXT into this thread.
    Also please describe how your computer behaves at the moment.

    Please download SmitfraudFix (by S!Ri)

    Double-click SmitfraudFix.exe.
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please attach that report into your next reply.

    **If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consulting/proc...processutil.htm

    Run a fresh HijackThis scan after completing these steps.
     
  3. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    I am not sure what is going on, but when I try to install these programmes, I get a message saying "This application has failed to start because MSVBVM60.DLL was not found." I think this file may have been deleted in another virus scan or something.
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Malwarebytes' Anti-Malware

    • Please download Malwarebytes' Anti-Malware to your desktop.
    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to
      • Update Malwarebytes' Anti-Malware
      • and Launch Malwarebytes' Anti-Malware
    • then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
      • If you accidentally close it, the log file is saved here and will be named like this:
      • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt

    Attach these logs back here along with a new HijackThis log after following the above.
     
  5. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:27:50 p.m., on 3/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Windows Defender\MsMpEng.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    E:\Program Files\Symantec AntiVirus\DefWatch.exe
    E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    E:\WINDOWS\System32\nvsvc32.exe
    E:\WINDOWS\system32\PnkBstrA.exe
    E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    E:\Program Files\Spyware Terminator\sp_rsser.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Symantec AntiVirus\Rtvscan.exe
    E:\WINDOWS\Explorer.EXE
    E:\WINDOWS\system32\ctfmon.exe
    E:\Documents and Settings\All Users\Application Data\balqhqra\hibchkpm.exe
    E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\Program Files\Windows Defender\MSASCui.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\PROGRA~1\SYMANT~1\VPTray.exe
    E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    E:\Program Files\Messenger\MSMSGS.EXE
    E:\WINDOWS\system32\fkbyrmru.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - E:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
    O2 - BHO: IE to GetRight Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - E:\Program Files\GetRight\xx2gr.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - E:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: GNX Bingo - {D5F536B7-2822-4736-87D3-414DF1BF1E8C} - E:\WINDOWS\svpekgonrlo.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
    O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroCheck] E:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Windows Defender] "E:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Ad-Watch] E:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
    O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [PC-Antispyware] "E:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
    O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [PC-Cleaner.install] "E:\DOCUME~1\PC\LOCALS~1\Temp\281ee3e0.exe" continue
    O4 - HKLM\..\Policies\Explorer\Run: [pAQhHpAQhH] E:\Documents and Settings\All Users\Application Data\balqhqra\hibchkpm.exe
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "E:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "E:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O8 - Extra context menu item: Download with GetRight - E:\Program Files\GetRight\GRdownload.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with GetRight Browser - E:\Program Files\GetRight\GRbrowse.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - E:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
     
  6. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    Rest of the HijackThis log file:

    E:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: E:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by121fd.bay121.hotmail.msn.com/resources/MsnPUpld.cab
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
    O21 - SSODL: sxfnewqb - {01ACF96D-CDF9-4CB0-BF06-C80FBA7A7BDE} - E:\WINDOWS\sxfnewqb.dll
    O21 - SSODL: RunOnceService - {7d877e23-de61-4e2c-a431-e9acf158fc91} - E:\WINDOWS\Installer\{7d877e23-de61-4e2c-a431-e9acf158fc91}\RunOnceService.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - E:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - E:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - E:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - E:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 10309 bytes
     
  7. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    SDFix: Version 1.165

    Run by PC on Thu 03/04/2008 at 06:35 p.m.

    Microsoft Windows XP [Version 5.1.2600]
    Running From: E:\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Default HomePage Value
    Restoring Default Desktop Components Value

    Rebooting


    Checking Files :

    Trojan Files Found:

    E:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
    E:\WINDOWS\svpekgonrlo.dll - Deleted
    E:\WINDOWS\dwltqnmx.exe - Deleted
    E:\WINDOWS\iTunesMusic.exe - Deleted
    E:\WINDOWS\sxfnewqb.dll - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-03 18:38:56
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services :



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "F:\\Program Files\\Ares\\Ares.exe"="F:\\Program Files\\Ares\\Ares.exe:*:Enabled:Ares p2p for windows"
    "E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"="E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe:*:Enabled:Windows Live Messenger 8.1"
    "E:\\Program Files\\MSN Messenger\\livecall.exe"="E:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "F:\\Program Files\\BitComet\\BitComet.exe"="F:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "E:\\mIRC\\mirc.exe"="E:\\mIRC\\mirc.exe:*:Enabled:mIRC"
    "E:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"="E:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe:*:Enabled:Ad-Aware 2007"
    "E:\\Program Files\\DAP\\DAP.exe"="E:\\Program Files\\DAP\\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)"
    "F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"="F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
    "F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"="F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe:*:Enabled:Blizzard Downloader"
    "F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe"="F:\\GAmes\\World Of Warcraft\\World of Warcraft\\WoW-2.1.1.6739-to-2.1.2.6803-enUS-downloader.exe:*:Enabled:Blizzard Downloader"
    "E:\\Program Files\\FrostWire\\FrostWire.exe"="E:\\Program Files\\FrostWire\\FrostWire.exe:*:Enabled:LimeWire"
    "E:\\Program Files\\LimeWire\\LimeWire.exe"="E:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
    "E:\\Program Files\\iTunes\\iTunes.exe"="E:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "F:\\GAmes\\TrackMania Nations ESWC\\TmNationsESWC.exe"="F:\\GAmes\\TrackMania Nations ESWC\\TmNationsESWC.exe:*:Enabled:TmNationsESWC"
    "F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike source\\hl2.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike source\\hl2.exe:*:Enabled:hl2"
    "E:\\Program Files\\VideoLAN\\VLC\\vlc.exe"="E:\\Program Files\\VideoLAN\\VLC\\vlc.exe:*:Disabled:VLC media player"
    "F:\\GAmes\\Steam\\steamapps\\mis_nik\\source sdk base\\hl2.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\source sdk base\\hl2.exe:*:Enabled:hl2"
    "F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike\\hl.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\counter-strike\\hl.exe:*:Enabled:Half-Life Launcher"
    "F:\\GAmes\\ET.exe"="F:\\GAmes\\ET.exe:*:Enabled:ET"
    "F:\\GAmes\\EA GAMES\\Battlefield 2\\BF2.exe"="F:\\GAmes\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:BF2"
    "F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942.exe"="F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942.exe:*:Enabled:BF1942"
    "F:\\GAmes\\Alien Arena\\Alien Arena 2007\\crx.exe"="F:\\GAmes\\Alien Arena\\Alien Arena 2007\\crx.exe:*:Enabled:crx"
    "F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942_w32ded.exe"="F:\\GAmes\\EA GAMES\\Battlefield 1942\\BF1942_w32ded.exe:*:Enabled:BF1942_w32ded"
    "E:\\Program Files\\America's Army\\System\\ArmyOps.exe"="E:\\Program Files\\America's Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
    "F:\\GAmes\\Wolfenstein enemy territory\\ET.exe"="F:\\GAmes\\Wolfenstein enemy territory\\ET.exe:*:Enabled:ET"
    "E:\\Program Files\\uTorrent\\uTorrent.exe"="E:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
    "F:\\GAmes\\Steam\\steamapps\\mis_nik\\half-life 2 deathmatch\\hl2.exe"="F:\\GAmes\\Steam\\steamapps\\mis_nik\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
    "E:\\Program Files\\FlashGet\\flashget.exe"="E:\\Program Files\\FlashGet\\flashget.exe:*:Enabled:Flashget"
    "E:\\Program Files\\Azureus\\Azureus.exe"="E:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
    "F:\\GAmes\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe"="F:\\GAmes\\EA GAMES\\Battlefield 2\\bf2_w32ded.exe:*:Enabled:bf2_w32ded"
    "E:\\Program Files\\GameSpy Arcade\\Aphex.exe"="E:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
    "F:\\GAmes\\Americas Army\\System\\ArmyOps.exe"="F:\\GAmes\\Americas Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe"="E:\\Program Files\\MSN Messenger\\MsnMsgr.Exe:*:Enabled:Windows Live Messenger 8.1"
    "E:\\Program Files\\MSN Messenger\\livecall.exe"="E:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    Remaining Files :


    File Backups: - E:\SDFix\backups\backups.zip

    Files with Hidden Attributes :

    Thu 1 Feb 2007 61,440 A..H. --- E:\PROGRA~1\SUPERA~1\SASCTXMN.DLL
    Mon 28 Jan 2008 1,404,240 A.SHR --- E:\PROGRA~1\SPYBOT~1\SDUPDATE.EXE
    Mon 28 Jan 2008 5,146,448 A.SHR --- E:\PROGRA~1\SPYBOT~1\SPYBOTSD.EXE
    Mon 28 Jan 2008 2,097,488 A.SHR --- E:\PROGRA~1\SPYBOT~1\TEATIMER.EXE
    Mon 31 Mar 2008 1,024 A..H. --- E:\SYSTEM~1\_RESTO~1\RP212\A0028556.SYS
    Mon 31 Mar 2008 1,024 A..H. --- E:\SYSTEM~1\_RESTO~1\RP213\A0028894.SYS
    Mon 28 Jan 2008 0 A..H. --- E:\WINDOWS\SOFTWA~1\DOWNLOAD\F7DB87~1\BIT1.TMP
    Thu 15 Mar 2007 0 A.SH. --- E:\DOCUME~1\ALLUSE~1\DRM\CACHE\INDIV01.TMP

    Finished!
     
  8. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    [04/03/2008, 21:21:57] - VirtumundoBeGone v1.5 ( "E:\Documents and Settings\PC\Desktop\VirtumundoBeGone.exe" )
    [04/03/2008, 21:22:03] - Detected System Information:
    [04/03/2008, 21:22:03] - Windows Version: 5.1.2600, Service Pack 2
    [04/03/2008, 21:22:03] - Current Username: PC (Admin)
    [04/03/2008, 21:22:03] - Windows is in NORMAL mode.
    [04/03/2008, 21:22:03] - Searching for Browser Helper Objects:
    [04/03/2008, 21:22:03] - BHO 1: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
    [04/03/2008, 21:22:03] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [04/03/2008, 21:22:03] - BHO 3: {10F0C2A9-8E38-43e3-204D-45524C494E20} (PC-Antispyware Site Blocker Button)
    [04/03/2008, 21:22:03] - BHO 4: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} ()
    [04/03/2008, 21:22:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [04/03/2008, 21:22:03] - Checking for HKLM\...\Winlogon\Notify\ctbr
    [04/03/2008, 21:22:03] - Key not found: HKLM\...\Winlogon\Notify\ctbr, continuing.
    [04/03/2008, 21:22:03] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (IE to GetRight Helper)
    [04/03/2008, 21:22:03] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [04/03/2008, 21:22:03] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [04/03/2008, 21:22:03] - BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [04/03/2008, 21:22:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [04/03/2008, 21:22:03] - No filename found. Continuing.
    [04/03/2008, 21:22:03] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [04/03/2008, 21:22:03] - BHO 10: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
    [04/03/2008, 21:22:03] - Finished Searching Browser Helper Objects
    [04/03/2008, 21:22:03] - Finishing up...
    [04/03/2008, 21:22:03] - Nothing found! Exiting...

    [04/03/2008, 21:23:00] - VirtumundoBeGone v1.5 ( "E:\Documents and Settings\PC\Desktop\VirtumundoBeGone.exe" )
    [04/03/2008, 21:23:01] - Detected System Information:
    [04/03/2008, 21:23:01] - Windows Version: 5.1.2600, Service Pack 2
    [04/03/2008, 21:23:01] - Current Username: PC (Admin)
    [04/03/2008, 21:23:01] - Windows is in NORMAL mode.
    [04/03/2008, 21:23:01] - Searching for Browser Helper Objects:
    [04/03/2008, 21:23:01] - BHO 1: {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} (Ask Search Assistant BHO)
    [04/03/2008, 21:23:01] - BHO 2: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
    [04/03/2008, 21:23:01] - BHO 3: {10F0C2A9-8E38-43e3-204D-45524C494E20} (PC-Antispyware Site Blocker Button)
    [04/03/2008, 21:23:01] - BHO 4: {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} ()
    [04/03/2008, 21:23:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [04/03/2008, 21:23:01] - Checking for HKLM\...\Winlogon\Notify\ctbr
    [04/03/2008, 21:23:01] - Key not found: HKLM\...\Winlogon\Notify\ctbr, continuing.
    [04/03/2008, 21:23:01] - BHO 5: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} (IE to GetRight Helper)
    [04/03/2008, 21:23:01] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
    [04/03/2008, 21:23:01] - BHO 7: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
    [04/03/2008, 21:23:01] - BHO 8: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
    [04/03/2008, 21:23:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
    [04/03/2008, 21:23:02] - No filename found. Continuing.
    [04/03/2008, 21:23:02] - BHO 9: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
    [04/03/2008, 21:23:02] - BHO 10: {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} (Ask Toolbar BHO)
    [04/03/2008, 21:23:02] - Finished Searching Browser Helper Objects
    [04/03/2008, 21:23:02] - Finishing up...
    [04/03/2008, 21:23:02] - Nothing found! Exiting...
     
  9. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    SmitFraudFix v2.309

    Scan done at 21:26:43.28, Thu 03/04/2008
    Run from E:\Documents and Settings\PC\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is FAT32
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\Program Files\Windows Defender\MsMpEng.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    E:\Program Files\Symantec AntiVirus\DefWatch.exe
    E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    E:\WINDOWS\System32\nvsvc32.exe
    E:\WINDOWS\system32\PnkBstrA.exe
    E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    E:\Program Files\Spyware Terminator\sp_rsser.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Symantec AntiVirus\Rtvscan.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    E:\Program Files\Windows Defender\MSASCui.exe
    E:\WINDOWS\system32\rundll32.exe
    E:\Program Files\iTunes\iTunesHelper.exe
    E:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    E:\PROGRA~1\SYMANT~1\VPTray.exe
    E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    E:\WINDOWS\system32\ctfmon.exe
    E:\Program Files\Messenger\MSMSGS.EXE
    E:\WINDOWS\system32\fkbyrmru.exe
    E:\Program Files\iPod\bin\iPodService.exe
    E:\Program Files\Internet Explorer\iexplore.exe
    E:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    E:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» E:\


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\PC


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\PC\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\PC\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="E:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Atheros AR5005G Wireless Network Adapter #3 - Packet Scheduler Miniport
    DNS Server Search Order: 10.1.1.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{7E8B83C7-46E3-4AD7-9487-EDBBFAD414A5}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{7E8B83C7-46E3-4AD7-9487-EDBBFAD414A5}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{7E8B83C7-46E3-4AD7-9487-EDBBFAD414A5}: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.1.1.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End
     
  10. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    What are my next steps?
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You still haven't followed my last steps yet. And can you please post your logs as attachments.

    1)MBAM log
    2)Combofix log

    *to attach click the icon that looks like a paperclip. or if using quick replies select Go Advanced, then click the paperclip icon
     
  12. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    OK, will do that now.
     
  13. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    OK, these are the rest of the logs you asked for.
     

    Attached Files:

  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    With MBAM
    Be sure that everything is checked, and click Remove Selected.


    CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
     
  15. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    Ok here we go
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, good work. Still a little ways to go.

    Delete a Service
    • Click Start | Run and type regedit in the Open: line. Click OK.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Scroll down the left pane, locate Spyware Terminator Realtime Shield Service (sp_rssrv), right click it and select Delete.
    • Do the same for PC Tools Security Service (sdCoreService)
    • Reboot the system (see the Safe Mode instructions below)


    You might want to copy and paste these instructions into a notepad file and save it to your desktop. Then you can have the file open in safe mode, so you can follow the instructions easier.

    At reboot don't let it boot normally:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run Hijackthis and Select Do A System Scan Only
    Put a check mark next to the following entries:
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
    O2 - BHO: (no name) - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
    O2 - BHO: PC-Antispyware Site Blocker Button - {10F0C2A9-8E38-43e3-204D-45524C494E20} - E:\Program Files\PC-Antispyware\IeExtension.dll (file missing)
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {D5F536B7-2822-4736-87D3-414DF1BF1E8C} - (no file)
    O2 - BHO: (no name) - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - (no file)
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
    O4 - HKLM\..\Run: [PC-Antispyware] "E:\Program Files\PC-Antispyware\PC-Antispyware.exe" hide
    O4 - HKLM\..\Run: [SpywareTerminator] "E:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKCU\..\Run: [iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe
    O4 - HKCU\..\Run: [PC-Cleaner.install] "E:\DOCUME~1\PC\LOCALS~1\Temp\281ee3e0.exe" continue
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsAuxs.exe (file missing)
    O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)

    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe


    Select Fix Checked

    Close Hijackthis

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
    • On the Tools menu in Windows Explorer, click Folder Options.
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders and Turn Hide protected operating system files off.

    Use Windows Explorer to navigate to and delete the following files:

    Files:
    C:\WINDOWS\system32\fkbyrmru.exe <-This file only

    Folders:
    C:\Program Files\Spyware Terminator <-This folder only
    C:\Program Files\PC-Antispyware <-This folder only
    C:\Program Files\Crawler <-This folder only
    C:\Program Files\AskSBar <-This folder only

    Restart your computer into normal mode

    Run a new scan with Hijackthis and attach the log
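    The HijackThis entries listed above are read by hand by the helper. As an added example (not code from the thread, from HijackThis or from any of the tools named here), the following Python parser turns such log lines into records and flags two structural oddities a reviewer checks first: entries whose file is missing or absent, and autostart entries launched from a Temp directory. The sample lines are copied from the post above; the HjtEntry record, the flag names and the regular expressions are my own assumptions about the log format.

```python
"""Parse HijackThis-style log lines and flag entries worth a second look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entries copied from the thread above, plus one O23 line
# whose file is present so the contrast is visible.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - E:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - E:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (file missing)
O4 - HKCU\..\Run: [iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe
O4 - HKCU\..\Run: [PC-Cleaner.install] "E:\DOCUME~1\PC\LOCALS~1\Temp\281ee3e0.exe" continue
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - E:\PROGRA~1\Crawler\Toolbar\ctbr.dll (file missing)
O23 - Service: PC Tools Security Service (sdCoreService) - Unknown owner - E:\Program Files\Spyware Doctor\pctsSvc.exe (file missing)
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - E:\Program Files\Spyware Terminator\sp_rsser.exe
"""

# "O23 - rest of line": section code, then the entry body.
SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<rest>.+)$")
# O4 autostart body: HKCU\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)


@dataclass
class HjtEntry:
    section: str                     # e.g. "O4", "O23"
    kind: str                        # e.g. "BHO", "Service", "HKCU\..\Run"
    name: str                        # display name or Run value name
    target: str                      # file path or command line, if any
    clsid: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Turn one log line into an HjtEntry, or None for blank/unknown lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group("section"), m.group("rest")
    run = RUN_RE.match(rest)
    if run:
        entry = HjtEntry(section, f"{run['hive']}\\..\\{run['key']}",
                         run["name"], run["cmd"])
    else:
        # Generic body: "Kind: name - <clsid or owner> - target"
        kind, _, detail = rest.partition(": ")
        fields = [f.strip() for f in detail.split(" - ")]
        entry = HjtEntry(section, kind, fields[0],
                         fields[-1] if len(fields) > 1 else "")
    clsid = CLSID_RE.search(rest)
    entry.clsid = clsid.group(0) if clsid else None
    # Orphaned registration: the registry still points at a file that is gone.
    if entry.target.endswith("(file missing)") or entry.target == "(no file)":
        entry.flags.append("orphaned")
        entry.target = entry.target.replace(" (file missing)", "")
    # Autostart launched from a Temp directory is unusual for installed software.
    if section == "O4" and TEMP_RE.search(entry.target):
        entry.flags.append("temp-autostart")
    return entry


def parse_log(text: str) -> List[HjtEntry]:
    """Parse every recognised line of a log, skipping blanks and headers."""
    entries = [parse_line(ln) for ln in text.splitlines()]
    return [e for e in entries if e is not None]


def flagged(entries: List[HjtEntry]) -> List[HjtEntry]:
    """Entries that carry at least one flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in flagged(parse_log(SAMPLE_LOG)):
        print(f"{e.section:<4} {e.kind:<24} {e.name:<48} {','.join(e.flags)}")
```

    Note what the parser does not catch: the O4 entry `[iqscnczi] E:\WINDOWS\system32\fkbyrmru.exe` has no structural oddity at all (present file, normal directory) and carries no flag, even though it is the file the helper singled out for deletion. Randomly named autostarts in system32 are recognised by a person, or by a hash lookup, not by format checks, which is why the thread's reviewers ask for the full log rather than a filtered one.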
     
  17. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    OK, here it is. Some of the files you asked me to delete, such as
    C:\WINDOWS\system32\fkbyrmru.exe
    C:\Program Files\Crawler
    C:\Program Files\AskSBar
    were already deleted before you told me to.
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Your logs are looking good. Were you able to do this?


    Delete a Service
    • Click Start | Run and type regedit in the Open: line. Click OK.
    • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • Scroll down the left pane, locate PC Tools Auxiliary Service (sdAuxService), right click it and select Delete.
    • Reboot the system (into safe mode instructions below)


    Please check to make sure.

    Download and Run ATF Cleaner
    Download ATF Cleaner by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it.

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    Firefox or Opera:
    Click Firefox or Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.



    Run Kaspersky Online AV Scanner

    In order to use it you have to use Internet Explorer.
    Go to Kaspersky and click the Accept button at the end of the page.

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
    • Read the Requirements and limitations before you click Accept.
    • Allow the ActiveX download if necessary.
    • Once the database has downloaded, click Next.
    • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
    • Click on "My Computer"
    • When the scan has completed, click Save Report As...
    • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
    • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
    Attach the report into your next reply
     
  19. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    OK, done that. Here it is.
     

    Attached Files:

  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Looks good,

    The only thing picked up by Kaspersky was a false positive and quarantine files

    First of all delete everything in Symantec Quarantine
    -----------------------------------------------------------------------------------------------------

    Uninstall Combofix
    * Click START then RUN
    * Now type Combofix /u in the runbox
    * Make sure there's a space between Combofix and /u
    * Then hit Enter.

    * The above procedure will:
    * Delete the following:
    * ComboFix and its associated files and folders.
    * Reset the clock settings.
    * Hide file extensions, if required.
    * Hide System/Hidden files, if required.
    * Set a new, clean Restore Point.

    -----------------------------------------------------------------------
    Cleanup using OTMoveit2 by OldTimer
    Now we can clear out the rest of the programs we've been using to clean up your computer; they are not suitable for general malware removal and could cause damage if launched accidentally.

    Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop.

    1. Double click OTMoveIt2.exe to launch it.
    If using Vista Right-Click OTMoveIt and choose Run As Administrator
    2. Click on the CleanUp! button.
    3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
    4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)

    * When finished exit out of OTMoveIt2

    ---------------------------------------------------------------------------
    I recommend you keep
    1 anti virus program
    1 firewall
    Combo of Anti-Spyware (Spybot S&D and MBAM, or your choice)

    For Spybot you can download the latest version from HERE.

    keep them updated.

    You can also turn on tea timer in Spybot:
    • Click on Mode at the top and make sure that Advanced is checked
    • Expand the Tools tab in the left pane
    • Single click on the Resident Icon also in the left pane
    • check Resident "TeaTimer" (Protection of over-all system settings) Active
    • Close spybot

    Also under Tools you can double-click System Startup in the right pane and disable programs from running at startup. This will free up system resources. For example, if you don't use MSN Messenger every time you run your computer you can disable it; then when you want to use it you can launch it through Start -> All Programs, or make a shortcut on the desktop for it. That way it doesn't use resources when you aren't using it. Don't disable any entries in green though.

    And just to be sure
    Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check "Display content of system folders"
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK

    clear system restore points

    • This is a good time to clear your existing system restore points and establish a new clean restore point:
      • Go to Start > All Programs > Accessories > System Tools > System Restore
      • Select Create a restore point, and Ok it.
      • Next, go to Start > Run and type in cleanmgr
      • Select the More options tab
      • Choose the option to clean up system restore and OK it.
      This will remove all restore points except the new one you just created.
     
  21. -r00sta-

    -r00sta- TS Rookie Topic Starter Posts: 18

    OK, awesome. Just did those steps. Is there anything else?
     
  22. jack1962

    jack1962 TS Rookie

    I really need help with Trojan virus

    I have the Trojandownload virus along with the Abebot, need help please.
     
  23. jack1962

    jack1962 TS Rookie

    Hello

    I too need help to get rid of that nasty old trojandownload.xs and Abebot virus, help please.
     
  24. kritius

    kritius TS Guru Posts: 2,084

    Start your own thread and don't try to hijack someone else's.
     
  25. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    R00sta,

    Should you have any more problems please let me know through this thread. Otherwise your logs look clean

    Regards,

    Blind dragon
     