Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Virus infection Trojan (New)
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
05-May-2007, 06:30 AM #16
GMER Rootkit

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-05-05 10:29:10
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ F0, 81, AD, A5, 80, E4, AD, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] kernel32.dll!MultiByteToWideChar 7C809CAD 5 Bytes JMP 10031B00 C:\WINDOWS\system32\ljhig.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\asus1\ExpoTol\art\belkin.doc:KAVICHS
ADS C:\asus1\ExpoTol\art\Oformlenie_zayavki-konkurs.rtf:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS C:\asus1\ExpoTol\art\:KAVICHS
ADS ...
ADS D:\System Volume Information\_restore{17DAC3F2-BCAE-41B2-8F12-97A5A236D8C7}\RP103\A0037564.exe:KAVICHS
ADS D:\System Volume Information\_restore{17DAC3F2-BCAE-41B2-8F12-97A5A236D8C7}\RP103\A0037565.EXE:KAVICHS
ADS D:\System Volume Information\_restore{17DAC3F2-BCAE-41B2-8F12-97A5A236D8C7}\RP103\A0037566.exe:KAVICHS

---- EOF - GMER 1.0.12 ----
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
05-May-2007, 06:31 AM #17
GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-05-05 10:30:45
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljhig@DLLName = C:\WINDOWS\system32\ljhig.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey Poller@ = %SystemRoot%\system32\Ati2evxx.exe
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Spooler /**/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Power_GearC:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 /*file not found*/ = C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 /*file not found*/
@ZoneAlarm Client"C:\Program Files\ZoneAlarm\zlclient.exe" = "C:\Program Files\ZoneAlarm\zlclient.exe"
@THGuard"C:\Program Files\TrojanHunter 4.6\THGuard.exe" = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
@{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/ = C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /**/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /**/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /**/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{D9872D13-7651-4471-9EEE-F0A00218BEBB} /*Multiscan*/C:\Program Files\ZoneAlarm\zlavscan.dll = C:\Program Files\ZoneAlarm\zlavscan.dll
@{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} /*TrojanHunter Menu Shell Extension*/C:\PROGRA~1\TROJAN~1.6\contmenu.dll = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Adobe.Acrobat.ContextMenu@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
TrojanHunter@{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
ZLAVShExt@{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\ZoneAlarm\zlavscan.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG Anti-Spyware@{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
ICQLiteMenu@{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
TrojanHunter@{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
FineReader@{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F} = c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll
TrojanHunter@{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
ZLAVShExt@{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\ZoneAlarm\zlavscan.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{897C56B4-B147-4D8A-9B3D-95DE58E59017}C:\WINDOWS\system32\ljhig.dll = C:\WINDOWS\system32\ljhig.dll
@{9961627E-4059-41B4-8E0E-A7D6B3854ADF}C:\PROGRA~1\DOWNLO~1\dmiehlp.dll /*file not found*/ = C:\PROGRA~1\DOWNLO~1\dmiehlp.dll /*file not found*/
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar1.dll = c:\program files\google\googletoolbar1.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
@{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/ = C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/
@{D446E04E-E9E2-4CEB-AB9B-498B6501BDB7}C:\WINDOWS\system32\fcyyw.dll /*file not found*/ = C:\WINDOWS\system32\fcyyw.dll /*file not found*/
@{D651AFF4-9590-424d-BD1E-8E33E090DFB3}C:\WINDOWS\system32\lmibswco.dll /*file not found*/ = C:\WINDOWS\system32\lmibswco.dll /*file not found*/

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir...r=6&ar=msnhome
@Start Pageabout:blank = about:blank
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll
wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6A5DCE55-1192-4AD6-B089-2350DFE47B65} /**/ >>>
@IPAddress192.168.16.5 = 192.168.16.5
@NameServer =
@DefaultGateway =
@Domain =

---- EOF - GMER 1.0.12 ----
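One triage pass over both GMER logs above (the rootkit scan in #16 and the autostart scan in #17), as an added example; this is my own parser, not code from the thread or from GMER. It reads the SSDT, .text, ADS, Winlogon\Notify, ShellExecuteHooks and Browser Helper Objects lines and reports a DLL when it is the target of a cross-module inline hook or is referenced from two or more persistence points. On the posted lines that surfaces ljhig.dll (JMP target inside firefox.exe, Winlogon notify package and BHO) and the orphaned ddcyxxy.dll, while the many vsdatant.sys SSDT hooks are only summarized per driver: one driver hooking process, file and registry calls is what a host firewall looks like, and vsdatant.sys is ZoneAlarm's TrueVector driver (the vsmon service is in the services list). The KAVICHS streams are the alternate data streams Kaspersky's iChecker writes on scanned files and are counted, not flagged. The sample log is a subset of the posted lines; the evidence labels and the "two persistence points" rule are this example's own heuristics.

```python
"""Triage pass over GMER rootkit-scan and autostart-scan output.

Added example, not code from the thread or from GMER. The evidence labels and
the "flag a DLL on a cross-module hook or on two or more persistence points"
rule are this example's own heuristics.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the lines posted in the thread.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] kernel32.dll!MultiByteToWideChar 7C809CAD 5 Bytes JMP 10031B00 C:\WINDOWS\system32\ljhig.dll
ADS C:\asus1\ExpoTol\art\belkin.doc:KAVICHS
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljhig@DLLName = C:\WINDOWS\system32\ljhig.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/ = C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{897C56B4-B147-4D8A-9B3D-95DE58E59017}C:\WINDOWS\system32\ljhig.dll = C:\WINDOWS\system32\ljhig.dll
@{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/ = C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/
"""

SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)$")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>[\w.]+)!(?P<func>\w+)\s+"
    r"(?P<addr>[0-9A-F]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-F]+)\s+(?P<dll>.+)$"
)
ADS_RE = re.compile(r"^ADS\s+(?P<path>.+):(?P<stream>[^:\\]+)$")
NOTIFY_RE = re.compile(r"\\Winlogon\\Notify\\[^@]+@DLLName\s*=\s*(?P<dll>.+)$")
CLSID_RE = re.compile(r"^@\{[0-9A-Fa-f-]+\}(?P<path>.+?)\s*=\s*")
NOT_FOUND = "/*file not found*/"


def _norm(path):
    """Normalize a GMER path field; report whether GMER marked the file missing."""
    missing = NOT_FOUND in path
    return path.replace(NOT_FOUND, "").strip().lower(), missing


def triage(log_text):
    ssdt = Counter()             # SSDT hooks per owning driver (informational)
    ads = Counter()              # alternate data streams per stream name
    inline = []                  # user-mode inline hooks (.text ... JMP ...)
    evidence = defaultdict(set)  # dll path -> set of persistence/hook labels
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(">>>"):            # autostart-scan key header
            section = line[:-3].strip()
            continue
        if m := SSDT_RE.match(line):
            ssdt[m.group(1).lower()] += 1
        elif m := INLINE_RE.match(line):
            dll, _ = _norm(m.group("dll"))
            inline.append({**m.groupdict(), "dll": dll})
            # A detour out of the hooked module: the hook belongs to the target DLL.
            if not dll.endswith(m.group("mod").lower()):
                evidence[dll].add("inline-hook-target")
        elif m := ADS_RE.match(line):
            ads[m.group("stream")] += 1      # KAVICHS = Kaspersky iChecker stream
        elif m := NOTIFY_RE.search(line):
            dll, missing = _norm(m.group("dll"))
            evidence[dll].add("winlogon-notify")
            if missing:
                evidence[dll].add("file-not-found")
        elif line.startswith("@{") and (m := CLSID_RE.match(line)):
            if "Browser Helper Objects" in section:
                label = "bho"
            elif "ShellExecuteHooks" in section:
                label = "shellexecutehook"
            else:
                continue                     # other CLSID lists (shell extensions) not scored
            dll, missing = _norm(m.group("path"))
            evidence[dll].add(label)
            if missing:
                evidence[dll].add("file-not-found")
    findings = sorted(
        (dll, sorted(labels)) for dll, labels in evidence.items()
        if "inline-hook-target" in labels or len(labels) >= 2
    )
    return {"ssdt": ssdt, "ads": ads, "inline_hooks": inline,
            "evidence": evidence, "findings": findings}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for driver, count in result["ssdt"].most_common():
        print(f"SSDT: {count} hooks owned by {driver}")
    for dll, labels in result["findings"]:
        print(f"LOOK AT: {dll}  [{', '.join(labels)}]")
```

Run it against the full pasted logs and the findings list is the short set of paths worth looking at first; the SSDT and ADS counters are there so the reader can see why the bulk of the rootkit scan is not in that list.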
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
05-May-2007, 06:37 AM #18
Catchme ended saying
0 hidden processes
0 hidden services
0 hidden files
Am I clean? HJT still had xwopsepe.dll
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
05-May-2007, 06:38 AM #19
No, I am not clean; AVG shield alert for trojan virus.
JSntgRvr (Moderator & Malware Removal Specialist with 16,282 posts; Join Date: Jul 2003; Location: Puerto Rico; Experience: Advanced)
05-May-2007, 01:17 PM #20
Hi, cometal

1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xwopsepe.dll",realset

Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote:
Files to delete:
C:\WINDOWS\system32\xwopsepe.dll
C:\WINDOWS\system32\ljhig.dll

Registry values to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks | {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}

Registry keys to delete:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{897C56B4-B147-4D8A-9B3D-95DE58E59017}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9961627E-4059-41B4-8E0E-A7D6B3854ADF}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D446E04E-E9E2-4CEB-AB9B-498B6501BDB7}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log .

In addition, Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  1. Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    1. In the Processes group click All
    2. In the Win32 Services group click Non-Microsoft
    3. In the Driver Services group click Non-Microsoft
    4. In the Registry group click Non-Microsoft
    5. In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
    6. In the Files Modified Within group select 30 days Make sure Non-Microsoft only is CHECKED
    7. In the File String Search group select Non-Microsoft
  2. Now click the Run Scan button on the toolbar.
  3. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
  4. When the scan is complete Notepad will open with the report file loaded in it.
  5. Save that notepad file
Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
__________________
Unanswered threads for 5 days will no longer be part of my subscriptions.
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
09-May-2007, 07:49 AM #21
still Trojan infected?
here it is
thanks
Attachment Blocked
Attachments in the HJT forum are often designed to solve a specific issue and not meant to be used without instructions specific to your computer. If you want help specific to your computer, please post a HiJackThis Log. If you started this thread, please make sure you are logged in to be able to view attachments.
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
09-May-2007, 07:56 AM #22
here is .log
hi
here is .log

looking forward!!
thanks
Attachment Blocked
JSntgRvr (Moderator & Malware Removal Specialist with 16,282 posts; Join Date: Jul 2003; Location: Puerto Rico; Experience: Advanced)
09-May-2007, 11:50 AM #23
Hi, cometal

Start WinPFind3U. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


Code:
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YN -> (FIJLOYWUR) FIJLOYWUR [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\admin\LOCALS~1\Temp\FIJLOYWUR.exe
YN -> (QWG) QWG [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\admin\LOCALS~1\Temp\QWG.exe
[Driver Services - Non-Microsoft Only]
YY -> (oreans32) oreans32 [Kernel | System | Running] -> %System32%\drivers\oreans32.sys
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> ljhig -> %System32%\ljhig.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {1A9087A4-FC5D-48DE-BA3E-E8DB817BB4C1} [HKLM] -> Reg Data - Value does not exist [Reg Data - Value does not exist]
YN -> {1D4FC33E-B5D3-4D04-A6F6-00F15972CCCD} [HKLM] -> %System32%\ljhig.dll [Reg Data - Value does not exist]
[Files/Folders - Created Within 60 days]
NY -> CopyFiles.bat -> %SystemDrive%\CopyFiles.bat
NY -> aygesbot.dll -> %System32%\aygesbot.dll
NY -> ayjxmfvp.ini -> %System32%\ayjxmfvp.ini
NY -> epespowx.ini -> %System32%\epespowx.ini
NY -> gihjl.bak1 -> %System32%\gihjl.bak1
NY -> gihjl.bak2 -> %System32%\gihjl.bak2
NY -> gihjl.ini -> %System32%\gihjl.ini
NY -> kgxqnhqq.dll -> %System32%\kgxqnhqq.dll
NY -> pvfmxjya.dll -> %System32%\pvfmxjya.dll
NY -> qqhnqxgk.ini -> %System32%\qqhnqxgk.ini
NY -> tobsegya.ini -> %System32%\tobsegya.ini
NY -> wlhrkuax.ini -> %System32%\wlhrkuax.ini
NY -> wyycf.ini -> %System32%\wyycf.ini
NY -> tmvsthfss.bin -> %System32%\drivers\etc\tmvsthfss.bin
NY -> tmvsthfud.bin -> %System32%\drivers\etc\tmvsthfud.bin
[Files/Folders - Modified Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> aygesbot.dll -> %System32%\aygesbot.dll
NY -> ayjxmfvp.ini -> %System32%\ayjxmfvp.ini
NY -> epespowx.ini -> %System32%\epespowx.ini
NY -> gihjl.bak1 -> %System32%\gihjl.bak1
NY -> gihjl.bak2 -> %System32%\gihjl.bak2
NY -> gihjl.ini -> %System32%\gihjl.ini
NY -> kgxqnhqq.dll -> %System32%\kgxqnhqq.dll
NY -> ooxjobei.ini -> %System32%\ooxjobei.ini
NY -> pvfmxjya.dll -> %System32%\pvfmxjya.dll
NY -> qqhnqxgk.ini -> %System32%\qqhnqxgk.ini
NY -> thxcfg.ini -> %System32%\thxcfg.ini
NY -> tobsegya.ini -> %System32%\tobsegya.ini
NY -> wlhrkuax.ini -> %System32%\wlhrkuax.ini
NY -> wyycf.ini -> %System32%\wyycf.ini
NY -> tmvsthfss.bin -> %System32%\drivers\etc\tmvsthfss.bin
NY -> tmvsthfud.bin -> %System32%\drivers\etc\tmvsthfud.bin
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %SystemRoot%\cygz.dll
NY -> UPX! , UPX0 , -> %SystemRoot%\g6425849.exe
NY -> UPX! , -> %SystemRoot%\retadpu1000272.exe
NY -> UPX! , -> %System32%\aygesbot.dll
NY -> UPX! , UPX0 , -> %System32%\cygz.dll
NY -> UPX! , -> %System32%\kgxqnhqq.dll
NY -> UPX! , -> %System32%\opnonno.dll
NY -> UPX! , -> %System32%\pvfmxjya.dll
NY -> UPX! , UPX0 , -> %System32%\wudb.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan and a Hijackthis log, separately (the Hijackthis can be pasted on the reply).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
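A dry-run planner for the WinPFind3U fix script above, as an added example (my code, not the thread's and not the tool's): it turns the script into an ordered list of actions so the operator can see exactly which services, registry keys and files will go before clicking Run Fix, merges files that the script lists in several sections, and refuses file deletions outside the Windows directory and the admin account's Temp folder. Three things here are assumptions: the reading of the two-letter prefix on each item as (registry entry, file) flags where Y means remove, the %SystemDrive%/%SystemRoot%/%System32% expansions for the XP machine in the thread, and the allow-list roots. The `report.xls` line in the sample is constructed to show a refusal; the rest is a subset of the posted script. The Avenger script in post #20 has a simpler three-section format and would get the same dry-run treatment.

```python
"""Dry-run planner for a WinPFind3U fix script.

Added example, not the thread's or the tool's code. Assumptions: the two-letter
prefix on each item is (registry entry, file), each Y/N, meaning "remove it";
the environment expansions match the XP box in the thread; file deletions are
only allowed under C:\\WINDOWS and the admin account's Temp folder.
"""
import re

# Constructed sample: a subset of the fix script above, plus one invented line
# (report.xls) that targets user data, to show the allow-list refusing it.
SAMPLE_SCRIPT = r"""
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YN -> (FIJLOYWUR) FIJLOYWUR [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\admin\LOCALS~1\Temp\FIJLOYWUR.exe
[Driver Services - Non-Microsoft Only]
YY -> (oreans32) oreans32 [Kernel | System | Running] -> %System32%\drivers\oreans32.sys
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> ljhig -> %System32%\ljhig.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {1D4FC33E-B5D3-4D04-A6F6-00F15972CCCD} [HKLM] -> %System32%\ljhig.dll [Reg Data - Value does not exist]
[Files/Folders - Created Within 60 days]
NY -> aygesbot.dll -> %System32%\aygesbot.dll
NY -> report.xls -> %SystemDrive%\DOCUME~1\admin\MYDOCU~1\report.xls
[Files/Folders - Modified Within 30 days]
NY -> aygesbot.dll -> %System32%\aygesbot.dll
[File String Scan - Non-Microsoft Only]
NY -> UPX! , -> %System32%\aygesbot.dll
NY -> UPX! , UPX0 , -> %SystemRoot%\cygz.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]
"""

ITEM_RE = re.compile(r"^(?P<reg>[YN])(?P<file>[YN])\s*->\s*(?P<desc>.*?)\s*->\s*(?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^<\s*.+?\s*>\s*->\s*(?P<key>.+?)\s*$")
SERVICE_NAME_RE = re.compile(r"^\((?P<name>[^)]+)\)")
COMMANDS = {"Kill Explorer", "Unregister Dlls", "Empty Temp Folders", "Start Explorer", "Reboot"}
ENV = {"%SystemDrive%": "C:", "%SystemRoot%": "C:\\WINDOWS", "%System32%": "C:\\WINDOWS\\system32"}
ALLOWED_ROOTS = ("c:\\windows\\", "c:\\docume~1\\admin\\locals~1\\temp\\")  # assumed allow-list


def expand(path):
    """Expand the tool's %...% variables and drop a trailing '[Reg Data - ...]' note."""
    for var, value in ENV.items():
        path = path.replace(var, value)
    return re.sub(r"\s*\[[^\]]*\]$", "", path).strip()


def plan(script):
    """Return (actions, refused): actions are (verb, target) tuples in script order."""
    actions, refused, seen = [], [], set()
    section, reg_key = "", ""

    def add(verb, target):
        if (verb, target.lower()) not in seen:      # the same file is listed in several sections
            seen.add((verb, target.lower()))
            actions.append((verb, target))

    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            if section in COMMANDS:
                add("command", section)
            continue
        if m := KEY_RE.match(line):                 # '< ... > -> HKEY...' sets the parent key
            reg_key = m.group("key")
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        desc, path = m.group("desc"), expand(m.group("path"))
        if m.group("reg") == "Y":
            if section.startswith(("Win32 Services", "Driver Services")):
                svc = SERVICE_NAME_RE.match(desc)
                add("delete_service", svc.group("name") if svc else desc)
            else:
                add("delete_regkey", reg_key + desc.split()[0])  # 'ljhig' or '{CLSID}'
        if m.group("file") == "Y":
            if path.lower().startswith(ALLOWED_ROOTS):
                add("delete_file", path)
            else:
                refused.append(path)
    return actions, refused


if __name__ == "__main__":
    actions, refused = plan(SAMPLE_SCRIPT)
    for verb, target in actions:
        print(f"{verb:15} {target}")
    for path in refused:
        print(f"REFUSED         {path}")
```

Note what the plan makes visible: the ljhig entries are YN, so the script removes the Winlogon\Notify and BHO registrations but does not touch ljhig.dll itself (that file was handed to The Avenger in post #20), and the two Temp-folder services are removed from the registry without their executables being deleted.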
cometal (Junior Member with 16 posts; Join Date: May 2007; Experience: Beginner)
10-May-2007, 05:58 AM #24
hi
today it says again trojan horse infected!!!!
JSntgRvr (Moderator & Malware Removal Specialist with 16,282 posts; Join Date: Jul 2003; Location: Puerto Rico; Experience: Advanced)
10-May-2007, 10:13 AM #25
Quote:
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan and a Hijackthis log, separately (the Hijackthis can be pasted on the reply).
I need to see these reports. Also, expand on the alert message you have received, including the location of the trojan.