HiJackThis Help? Possible trojan problem

lolwut?

I figured it couldn't hurt to ask on here before making a post on one of those "Fix It" forums and waiting for one of the experienced members to be free enough to help me.

Does anyone on here have good experience with HiJackThis logs and possible trojan or malware removal? I have no problem waiting for help on another forum, but my father uses this computer for a lot of his work and it would be really bad if a problem were to flare up again while he was trying to do some voicework.

Right now the computer seems to be stable, but not too long ago my computer was overrun by some of those fake virus scanners, as well as numerous random programs (Iolasdnfd.exe, something really weird like that), and Windows actually shut itself down and I got a blue screen warning me of a possible threat.

I'm not quite sure where this could've come from, but any help would be greatly appreciated; I'll post my log below
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:51 AM, on 7/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\PRISMSVR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\PROGRAM FILES\Mozilla Firefox\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\user\Application Data\winav.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe
O4 - Global Startup: LynxONE TaskBar Icon.lnk = C:\Program Files\Lynx Studio Technology\Mixer.exe
O4 - Global Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1133284602734
O17 - HKLM\System\CCS\Services\Tcpip\..\{E38DC00F-FEE9-46C7-B79E-EEB922678D96}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 9193 bytes
 
Is there another kind of log or search I can run, because I'm sure they're on there; I didn't do anything to remove them besides try to shut down the processes in the Task Manager
 
[quote name='lolwut?']Is there another kind of log or search I can run, because I'm sure they're on there; I didn't do anything to remove them besides try to shut down the processes in the Task Manager[/QUOTE]

I don't see anything either from that log, clean.

in fact, if there were processes in TM, why didn't you post those???!!!?

I would run this:

http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

Should show you where those processes are coming from.

If you're getting popups, then run Spywareblaster and Spybot S&D

Just from the Log though, seems clean.

Could run the MS scanner too, just to catch all the standard ones... if it's spyware/rootkits
 
I've run across infected websites with fake antivirus popups like that that made me think I had contracted a virus, but they didn't actually infect my computer.
 
Here's the results according to two log checkers I use; since they are automated they aren't going to be 100% accurate all the time, so beware.

First one says you should delete these almost always:
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe


Second one says you should delete these almost always:
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

And delete these if you don't know what they are:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com
 
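The two automated log checkers above flag the hosts-file lines and Explorer.lnk but say nothing about the HKCU Run entry [AVScan] that launches winav.exe out of the user's Application Data folder, which is exactly the kind of location a dropper running as a normal user can write to. The following script is an added example for this thread (it is not HijackThis or forum code) that triages a HijackThis log with three conservative rules: O1 hosts entries that point a name anywhere other than loopback, O4 autoruns whose program sits in a user-writable folder, a drive root, or is given as a bare filename, and explorer.exe being launched from a Startup folder. The SAMPLE text is a constructed subset of the log posted above; the severity labels and path rules are my own choices.

```python
"""Triage a HijackThis (HJT) log for the items an analyst would look at first.

Added example for this thread, not HijackThis or forum code. Rules:
  * O1 - hosts entries that point a name anywhere but loopback
  * O4 - autoruns whose executable lives in a user-writable place or a
         drive root, or is a bare filename; plus explorer.exe launched
         from a Startup folder
"""
import re

LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}

# Regexes applied to the lower-cased program path (assumed user-writable on XP).
USER_WRITABLE = (
    r"\\application data\\",
    r"\\local settings\\",                          # Temp, Temporary Internet Files
    r"\\temp\\",
    r"\\documents and settings\\[^\\]+\\[^\\]+$",   # file dropped straight into a profile
)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>\S+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?([^"]+?\.(?:exe|dll|cpl|scr|com|bat|cmd|vbs|js))(?=["\s,]|$)', re.I)


def program_path(cmd):
    """Return the program a Run/Startup command line launches (best effort)."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1) if m else cmd.strip()


def classify_path(path):
    """Severity and reason for an autorun target, or (None, None) if unremarkable."""
    p = path.lower()
    if "\\" not in p:
        return "info", "bare filename, resolved through the search path"
    if DRIVE_ROOT.match(p):
        return "high", "executable in a drive root"
    if any(re.search(pat, p) for pat in USER_WRITABLE):
        return "high", "executable in a user-writable location"
    return None, None


def triage(log_text):
    """Return (severity, original line, reason) for every flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in LOOPBACK:
                findings.append(("high", line, f"hosts file sends {host} to {ip}"))
            continue
        m = O4_RUN_RE.match(line) or O4_STARTUP_RE.match(line)
        if not m:
            continue
        path = program_path(m.group("cmd"))
        sev, why = classify_path(path)
        if sev:
            findings.append((sev, line, why))
        elif path.lower().endswith("\\explorer.exe"):
            findings.append(("medium", line,
                             "explorer.exe launched from a Startup folder "
                             "(normally started through Winlogon's Shell value)"))
    return findings


# Constructed subset of the log posted in this thread (not the full log).
SAMPLE = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AVScan] C:\Documents and Settings\user\Application Data\winav.exe
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for sev, line, why in sorted(triage(SAMPLE), key=lambda f: order[f[0]]):
        print(f"[{sev:6}] {line}\n         {why}")
```

Run against the full log it flags the three hosts lines, the winav.exe autorun and Explorer.lnk as worth acting on, and lists the bare-filename entries (nwiz.exe, CTHELPER.EXE, rundll32.exe) only as information, since those are normally legitimate but are resolved through the search path. The rules deliberately do not touch the R0/R1 lines pointing at go.microsoft.com or the ctfmon.exe entry, both of which are Windows defaults.
 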
[quote name='life.exe']Here's the results according to two log checkers I use; since they are automated they aren't going to be 100% accurate all the time, so beware.

First one says you should delete these almost always:
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com
O4 - Global Startup: Explorer.lnk = C:\WINDOWS\explorer.exe


Second one says you should delete these almost always:
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

And delete these if you don't know what they are:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 94.232.248.66 browser-security.microsoft.com
O1 - Hosts: 94.232.248.66 antivaresys.com
O1 - Hosts: 94.232.248.66 www.antivaresys.com[/QUOTE]

... I fully support this post.

I don't know what I was looking at when I sped through that list. Too fast maybe.

But yes, do the above recommendations.
 
there is a nice little program called combofix

I had a bit of a problem at work and it cleaned it up pretty quick
download it and run it in safe mode.
it will restart the computer a few times then clean all the shit out of it.

if you can't find the program yourself I can email it to ya, just shoot me a PM
 
[quote name='chimpian']there is a nice little program called combofix

I had a bit of a problem at work and it cleaned it up pretty quick
download it and run it in safe mode.
it will restart the computer a few times then clean all the shit out of it.

if you can't find the program yourself I can email it to ya, just shoot me a PM[/QUOTE]

Combofix does indeed work miracles. The exe itself expires every week so in order to keep using it you have to keep downloading it.
 
Regardless of whether the log looks clean, there is definitely something wrong with the PC.

It became especially bad this morning when I selected to fix the problems found by Malwarebytes Anti-Malware software. It said some of it couldn't be removed and would have to be removed after a restart. I chose to restart then, and that's when shit hit the fan.

The computer has had a problem since the last time I went through steps with someone to remove some trojans or something malicious; afterwards I would have to manually start explorer.exe, but it wasn't really a big deal.

Well today when I manually restarted it, Spybot S&D started an auto scan for some reason (it hasn't tried to do that since before I can remember), and I cancelled it. After that, when the explorer began to load, everything began to freeze. Looking in the Task Manager, the CPU Usage was always 100%.

I thought it might've been me trying to shut off the Spybot Search, so I restarted the PC and let it work itself all the way through, but it still froze after the search was done.

The only reason I'm able to use this now is because explorer.exe is not running, and I'm using Firefox by directly launching it through the Task Manager. The only way I can get the computer to run stable is by using Safe Mode. I did another Malwarebytes scan as well as an Avira AntiVir scan in safe mode, neither of which fixed the problem.

I really don't know what the fuck is going on with the computer. It hasn't done anything like this until today.

And I didn't post anything from the Task Manager because I had no control over the computer during that freakout, and Windows itself shut the computer down; I haven't seen a flareup like that since, and I'm not familiar with anything that popped up.

I may not be the best at dealing with trojans or malware, but I'm not stupid when it comes to computers; if I'd had time to write any of the .exes down or find out what they were, I would've.

I do have the saved Malwarebytes log and I'll post it, and I'll try to use my workaround to get Combofix and run it in Safe Mode; I'll see if that helps.
 
Here's the earliest log from this morning. I will also post the second from earlier today. I was reading through the second and while it says "No Action Taken", that was not my choice. I chose to have the program nuke everything it found, and it would always prompt me to restart.

Malwarebytes' Anti-Malware 1.39
Database version: 2438
Windows 5.1.2600 Service Pack 2

7/16/2009 3:45:20 PM
mbam-log-2009-07-16 (15-45-17).txt

Scan type: Full Scan (C:\|E:\|F:\|K:\|)
Objects scanned: 219929
Time elapsed: 38 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 45

Memory Processes Infected:
C:\Documents and Settings\user\Local Settings\Temp\b.exe (Trojan.Downloader) -> No action taken.

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrlabbkxku.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe (Trojan.Dropper) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Dropper) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\XP Deluxe Protector (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrlabbkxku.dll (Trojan.TDSS) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\b.exe (Trojan.Downloader) -> No action taken.
c:\fjaiekpk.exe (Trojan.Agent) -> No action taken.
c:\vmlj.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\all users\application data\13165314\13165314.exe (Rogue.SystemSecurity) -> No action taken.
c:\documents and settings\user\Desktop\clean-up stuff\Avenger\avenger.exe (Trojan.Agent) -> No action taken.
c:\documents and settings\user\local settings\Temp\3522562006.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\3525530756.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\3615687006.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\3693812006.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\3832093256.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\a.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\db.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\debug.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\install.48349.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\user\local settings\Temp\install.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\kdt76ie5w4h5qaa46.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\login.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\mdm.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\notepad.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\rasvsnet.tmp (Trojan.FakeAlert) -> No action taken.
c:\documents and settings\user\local settings\Temp\services.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\setup.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\smss.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\spoolsv.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\svchost.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\system.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\taskmgr.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\xgl820cdxm.exe (Rogue.AntiVirusBest) -> No action taken.
c:\documents and settings\user\local settings\Temp\zjhufhdfe.exe (Trojan.Ertfor) -> No action taken.
c:\documents and settings\user\local settings\temporary internet files\Content.IE5\44VD5K0I\install.48349[1].exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\user\local settings\temporary internet files\Content.IE5\IKEVWFHE\dailybucks_install[1].exe (Rogue.SystemSecurity) -> No action taken.
c:\WINDOWS\system32\diskcheck.exe (Rootkit.Agent) -> No action taken.
c:\WINDOWS\system32\gsf83iujid.dll (Trojan.Ertfor) -> No action taken.
c:\WINDOWS\system32\sopidkc.exe (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\drivers\smss.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\msa.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> No action taken.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\msxml71.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> No action taken.
C:\uudoam.exe (Trojan.Dropper) -> No action taken.
 
Here's the second. I understand this probably isn't the best place to get help, so I'm going to post a thread on Bleeping Computer, and will just use my workaround for the time being.

Malwarebytes' Anti-Malware 1.39
Database version: 2438
Windows 5.1.2600 Service Pack 2

7/16/2009 7:52:28 PM
mbam-log-2009-07-16 (19-52-25).txt

Scan type: Full Scan (C:\|E:\|F:\|K:\|)
Objects scanned: 224268
Time elapsed: 37 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> No action taken.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> No action taken.

Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> No action taken.

Files Infected:
c:\documents and settings\user\protect.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\user\local settings\Temp\f.exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\user\local settings\Temp\msb.dll (Trojan.Agent) -> No action taken.
c:\documents and settings\user\start menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\autochk.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> No action taken.
c:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\Documents and Settings\user\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\user\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.
 
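The second Malwarebytes log above is the one that matters most for recovery: the Hijack.Userinit line shows the Winlogon Userinit value changed from the genuine userinit.exe to a chain that also launches sdra64.exe, which means the malware restarts at every logon regardless of which Run keys get cleaned. After a cleanup that value has to be checked again, because a scanner that deletes sdra64.exe but leaves the reference (or a restore that removes the wrong entry) leaves logon broken or still infected. The script below is an added example for this thread, not Malwarebytes or forum code. It parses the comma-separated Userinit list and reports anything that is not the real userinit.exe, and does the same for the Shell value under the same key; Shell is my suggestion of what to check for the "explorer.exe has to be started by hand" symptom described earlier, not something the posted logs confirm. The sample values are copied from the log; the live registry read only runs on Windows.

```python
"""Verify the Winlogon Userinit and Shell values after a cleanup.

Added example for this thread, not Malwarebytes or forum code. The sample
values are copied from the Malwarebytes "Hijack.Userinit" line; the live
read of HKLM is only attempted on Windows.
"""
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# Forms of the genuine Userinit entry that Windows itself writes.
GENUINE_USERINIT = {"userinit.exe", r"system32\userinit.exe"}


def split_entries(value):
    """Userinit/Shell are comma-separated lists; a trailing comma is normal."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def check_userinit(value, windir=r"C:\WINDOWS"):
    """Return every Userinit entry that is not the genuine userinit.exe."""
    genuine = GENUINE_USERINIT | {(windir + r"\system32\userinit.exe").lower()}
    entries = split_entries(value)
    if not entries:
        return ["Userinit value is empty: nothing will run at logon"]
    return [e for e in entries if e.lower() not in genuine]


def check_shell(value):
    """Return problems with the Shell value; [] means plain Explorer.exe."""
    entries = split_entries(value)
    if not entries:
        return ["Shell value is empty: Explorer will not start at logon"]
    return [f"unexpected shell entry: {e}" for e in entries if e.lower() != "explorer.exe"]


def read_live_values():
    """Read the live HKLM values (Windows only); None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library on Windows builds of Python
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        userinit = winreg.QueryValueEx(key, "Userinit")[0]
        try:
            shell = winreg.QueryValueEx(key, "Shell")[0]
        except FileNotFoundError:  # value absent: Winlogon falls back to its default
            shell = ""
    return userinit, shell


# Values copied from the Malwarebytes "Hijack.Userinit" line in this thread.
HIJACKED_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
CLEAN_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

if __name__ == "__main__":
    for label, value in (("hijacked", HIJACKED_USERINIT), ("clean", CLEAN_USERINIT)):
        print(f"{label:8} Userinit -> {check_userinit(value) or 'OK'}")
    live = read_live_values()
    if live:
        userinit, shell = live
        print("live     Userinit ->", check_userinit(userinit) or "OK")
        print("live     Shell    ->", check_shell(shell) or "OK")
```

The check treats the bare "userinit.exe" form that Malwarebytes lists as "Good" and the fully qualified system32 path as equivalent, and only the entries beyond those are reported; an empty Userinit is reported separately because that state stops the logon sequence rather than adding to it.
 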
Here's a set of instructions for manually removing the Ertfor trojan.

http://www.pcthreat.com/parasitebyid-7904en.html

I don't know if you have multiple viruses or those others are just parts or clones of each other. I've never had that one myself. If malwarebytes isn't doing the trick, I'd try a few other anti-virus programs and see if they can clean it up. Have you tried AVG?

And also if you're using Spybot, don't install the TeaTimer add-on. That thing is a system hog that doesn't really do any good.
 