Trojan or Virus, Bloodhound.Packed, Backdoor.Mutny, Trojan.Startpage and Dloader-FC

Hellb0y (Junior Member, 1 post, thread starter)
Join Date: Mar 2005
Experience: Advanced
26-Mar-2005, 12:16 AM #1
Hi Everyone,

A few days ago my dad opened an email which, as you can see, delivered all the above viruses and trojans. Since then I have been going through the logs and system registry and cleaning all the trojans. I have used Symantec (Norton), Ad-aware, Spybot, XoftSpy and a few other spyware and adware removal tools, and I have gone step by step removing each and every file explained on many websites, but the bloody thing keeps coming back every time I restart the PC. Oh yes, I have made a bootable CD and removed it from the boot sector and memory as well, but it didn't help! Don't laugh, but I was so pissed off I was about to remove the motherboard battery! haha (joke)

OK, I'm not as experienced with PCs as you all, but I do OK; however, I need your help. First of all, the PC is 100 times slower! I get a red desktop with a few internet links in it (of course "warning, you have spyware, click here to remove it"). I can not remove this desktop because every time I go to remove it, the mouse won't click on any other desktop picture in Display Properties.

Every time I log into Windows (XP Pro SP2), I see about 20 weird .exe files loading in Task Manager. They are all in the system32 directory; I remove them, then they show up with a different name such as QLP.EXE or KPE.EXE, etc.

The most important effect is that I can not see the desktop files at all! I only have the Recycle Bin and on the desktop. I tried to search for the directories but they are not there; however, the search result shows them in C:\Desktop! How is that possible? There was no Desktop in C:\! All the users are supposed to be in Documents and Settings, then username, then Desktop. (What a virus!)

The other problem is that every time I put something on the desktop, it will double! Yes, you read it right! Same name, same extension! haha I'm going crazy here!

I have restarted the PC and used HijackThis to get a log for you. You can see a lot of stuff in the hosts file; I have tried to remove them even in Safe Mode, but it won't let me, even after logging in as admin.

I am about to format the bloody hard drive and lose all the files. Please give me an alternative, please help.

Logfile of HijackThis v1.99.1
Scan saved at 2:10:04 PM, on 3/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PccGuide.exe
C:\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: 127.0.0.3 nylonsexy.com
O1 - Hosts: 127.0.0.3 www.nylonsexy.com
O1 - Hosts: 127.0.0.3 vparivalka.com
O1 - Hosts: 127.0.0.3 www.vparivalka.comtoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 127.0.0.3 virgin-tgp.net
O1 - Hosts: 127.0.0.3 www.awmcash.biz
O1 - Hosts: 127.0.0.3 awmcash.biz
O1 - Hosts: 127.0.0.3 buldog-stats.com
O1 - Hosts: 127.0.0.3 www.buldog-stats.com
O1 - Hosts: 127.0.0.3 fregat.drocherway.com
O1 - Hosts: 127.0.0.3 slutmania.biz
O1 - Hosts: 127.0.0.3 www.slutmania.biz
O1 - Hosts: 127.0.0.3 toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.toolbarpartner.com
O1 - Hosts: 127.0.0.3 www.megapornix.com
O1 - Hosts: 127.0.0.3 megapornix.com
O1 - Hosts: 127.0.0.3 www.sp2****ed.biz
O1 - Hosts: 127.0.0.3 sp2****ed.biz
O1 - Hosts: 127.0.0.3 greg-tut.com
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
O2 - BHO: (no name) - {54F40038-0E17-478D-9EE4-176D39077899} - C:\WINDOWS\System32\igkm.dll (file missing)
O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Agt] C:\WINDOWS\Uef.exe
O4 - HKLM\..\Run: [Vas] C:\WINDOWS\System32\Nsd.exe
O4 - HKLM\..\Run: [Ttp] C:\WINDOWS\System32\Pdr.exe
O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Eeb.exe
O4 - HKLM\..\Run: [Lnl] C:\WINDOWS\Rsa.exe
O4 - HKLM\..\Run: [Umm] C:\WINDOWS\Pgd.exe
O4 - HKLM\..\Run: [Lbk] C:\WINDOWS\System32\Eqb.exe
O4 - HKLM\..\Run: [Vfe] C:\WINDOWS\System32\Ddv.exe
O4 - HKLM\..\Run: [Bee] C:\WINDOWS\Buu.exe
O4 - HKLM\..\Run: [Cds] C:\WINDOWS\Sko.exe
O4 - HKLM\..\Run: [Vno] C:\WINDOWS\System32\Dsd.exe
O4 - HKLM\..\Run: [Qai] C:\WINDOWS\System32\Nne.exe
O4 - HKLM\..\Run: [Qgl] C:\WINDOWS\System32\Ocn.exe
O4 - HKLM\..\Run: [Osm] C:\WINDOWS\Puh.exe
O4 - HKLM\..\Run: [Air] C:\WINDOWS\Qas.exe
O4 - HKLM\..\Run: [Mip] C:\WINDOWS\Gjc.exe
O4 - HKLM\..\Run: [Crn] C:\WINDOWS\Utl.exe
O4 - HKLM\..\Run: [Nsq] C:\WINDOWS\Qls.exe
O4 - HKLM\..\Run: [Gtt] C:\WINDOWS\Egg.exe
O4 - HKLM\..\Run: [Tai] C:\WINDOWS\Kvf.exe
O4 - HKLM\..\Run: [Mbq] C:\WINDOWS\Pdk.exe
O4 - HKLM\..\Run: [Jfi] C:\WINDOWS\Osv.exe
O4 - HKLM\..\Run: [Seq] C:\WINDOWS\Mjp.exe
O4 - HKLM\..\Run: [Lik] C:\WINDOWS\Ehh.exe
O4 - HKLM\..\Run: [Geb] C:\WINDOWS\Rbu.exe
O4 - HKLM\..\Run: [Fsd] C:\WINDOWS\System32\Ron.exe
O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Jsa] C:\WINDOWS\System32\Tnn.exe
O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
O4 - HKCU\..\Run: [Pib] C:\WINDOWS\Jdd.exe
O4 - HKCU\..\Run: [Vdg] C:\WINDOWS\System32\Olq.exe
O4 - HKCU\..\Run: [Mak] C:\WINDOWS\System32\Fkp.exe
O4 - HKCU\..\Run: [Baf] C:\WINDOWS\Jia.exe
O4 - HKCU\..\Run: [Gtg] C:\WINDOWS\System32\Qih.exe
O4 - HKCU\..\Run: [Kls] C:\WINDOWS\System32\Gka.exe
O4 - HKCU\..\Run: [Fls] C:\WINDOWS\Tfn.exe
O4 - HKCU\..\Run: [Cie] C:\WINDOWS\Ajk.exe
O4 - HKCU\..\Run: [Bjv] C:\WINDOWS\Vjb.exe
O4 - HKCU\..\Run: [Bte] C:\WINDOWS\Qho.exe
O4 - HKCU\..\Run: [Vtb] C:\WINDOWS\Ebr.exe
O4 - HKCU\..\Run: [Jap] C:\WINDOWS\Fvu.exe
O4 - HKCU\..\Run: [Btp] C:\WINDOWS\System32\Urr.exe
O4 - HKCU\..\Run: [Pkg] C:\WINDOWS\Aep.exe
O4 - HKCU\..\Run: [Npv] C:\WINDOWS\System32\Ibn.exe
O4 - HKCU\..\Run: [Agt] C:\WINDOWS\Uef.exe
O4 - HKCU\..\Run: [Vas] C:\WINDOWS\System32\Nsd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Ttp] C:\WINDOWS\System32\Pdr.exe
O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Eeb.exe
O4 - HKCU\..\Run: [Lnl] C:\WINDOWS\Rsa.exe
O4 - HKCU\..\Run: [Lbk] C:\WINDOWS\System32\Eqb.exe
O4 - HKCU\..\Run: [Vfe] C:\WINDOWS\System32\Ddv.exe
O4 - HKCU\..\Run: [Bee] C:\WINDOWS\Buu.exe
O4 - HKCU\..\Run: [Fsd] C:\WINDOWS\System32\Ron.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0656143a...p/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

OK, that's it, I hope the info is enough. Norton tells me I've got these viruses but it can not remove them even in Safe Mode. XoftSpy detects the Troj/Dloader-FC and says that it removed it, but if I run it again, it detects the virus again.

I thank you in advance for your feedback.

Regards,

Kev
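As an added example that is not part of the original thread: a small Python triage script for HijackThis-style logs that flags the patterns visible in the log above, namely the three-letter randomly named Run entries under C:\WINDOWS and System32, non-default hosts entries (including the URL line), Trusted Zone additions and the Winlogon Notify DLL. The sample lines are a constructed subset of the log above; the flag reasons are my own wording, not HijackThis output.

```python
import re

# Constructed sample: a subset of the HijackThis lines quoted in the post above.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.3 www.greg-tut.com
O1 - Hosts: http://213.159.117.133/dkprogs/hosts.txt
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Agt] C:\WINDOWS\Uef.exe
O4 - HKCU\..\Run: [Vas] C:\WINDOWS\System32\Nsd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: *.windupdates.com (HKLM)
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
"""

# O4 line: hive, key, [label], then an optionally quoted path ending in .exe
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] "?(?P<path>[^"]+?\.exe)')
# The pattern in this log: a three-letter label and a three-letter .exe in %WINDIR% or System32
RANDOM3_RE = re.compile(r'^[A-Z][a-z]{2}$')
WINDIR3_RE = re.compile(r'^C:\\WINDOWS\\(?:[Ss]ystem32\\)?[A-Z][a-z]{2}\.exe$')


def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("O1 - Hosts:"):
            body = line[len("O1 - Hosts:"):].strip()
            if body.lower().startswith("http"):
                findings.append((line, "hosts file contains a URL; the file was likely overwritten"))
            else:
                addr = body.split()[0]
                findings.append((line, f"non-default hosts mapping to {addr}"))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if m and RANDOM3_RE.match(m["label"]) and WINDIR3_RE.match(m["path"]):
                findings.append((line, "random three-letter Run entry in the Windows directory"))
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append((line, "site added to the IE Trusted Zone; confirm it was intended"))
        elif line.startswith("O20 - Winlogon Notify:"):
            findings.append((line, "DLL loaded by Winlogon at logon; confirm the publisher"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Legitimate Symantec and Messenger entries pass through untouched, which is the point: the script narrows a 170-line log to the handful of lines worth checking by hand.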
dvk01 (Derek), Moderator & Malware Removal Specialist with 45,738 posts, authorized to help remove malware.
Join Date: Dec 2002
Location: Loughton, Essex, UK
27-Mar-2005, 05:10 PM #2
Run Kaspersky as described here:
http://forums.subratam.org/index.php...c=3466&hl=bube

Then download this attachment to the desktop, right-click it and rename it to fix.reg, double-click it and say yes to the prompts to merge it with the registry, then post a new HJT log please.

http://forums.techguy.org/attachment...chmentid=53089
__________________
Derek Microsoft MVP/Windows - Security | Thespykiller | How to protect yourself and other Security Advice
Find out all about the European Wild Hedgehog, what you can do to save it from extinction Hedgehog Rescue