
Can't get rid of this trojan(HJT Log attached)

Discussion in 'Virus & Other Malware Removal' started by Mr_Og, Mar 8, 2007.

Thread Status:
Not open for further replies.
  1. Mr_Og

    Mr_Og Thread Starter

    Joined:
    Mar 8, 2007
    Messages:
    5
    Hi,
    yesterday, while browsing the web, NAV reported a trojan which it couldn't access, and since then my system is a mess: on every boot I got a message that ie_updater.exe failed, Iexplore.exe would open and close every second (it could only be seen in the task manager, not as an actual window; BTW, the process was a genuine MS iexplore.exe and not a fake file), and CSRSS.EXE would utilize almost 100% CPU (again, the genuine MS csrss.exe). Also, NAV would occasionally give a warning about a totour.exe trojan in system32 (which I couldn't find).

    After reading some posts here I tried to fix the problem myself: I used an Ad-Aware SE scan and repaired the items it found, I deleted files I knew were bad using The Avenger, I used SDFix.exe, etc...

    Finally, I thought I had solved the problem because all symptoms were gone, but I see two problems remain: as soon as I connect to the internet all my bandwidth is being used, such that I can't even browse, and NAV still gives me occasional totour.exe warnings when I try to surf the web.
    Here is my HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:44:35 AM, on 3/8/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    E:\WINDOWS\System32\smss.exe
    E:\WINDOWS\system32\winlogon.exe
    E:\WINDOWS\system32\services.exe
    E:\WINDOWS\system32\lsass.exe
    E:\WINDOWS\system32\svchost.exe
    E:\WINDOWS\System32\svchost.exe
    E:\WINDOWS\Explorer.EXE
    E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    E:\WINDOWS\system32\spoolsv.exe
    E:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WinXP_Programs\Babylon5.0.4.r14\Babylon.exe
    E:\WINDOWS\System32\devldr32.exe
    E:\WINDOWS\System32\ctfmon.exe
    C:\WinXP_Programs\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WinXP_Programs\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WinXP_Programs\Microsoft AntiSpyware\gcasDtServ.exe
    E:\WINDOWS\System32\drivers\CDAC11BA.EXE
    E:\WINDOWS\System32\inetsrv\inetinfo.exe
    E:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WinXP_Programs\Norton AntiVirus\navapsvc.exe
    E:\WINDOWS\System32\nvsvc32.exe
    E:\WINDOWS\System32\svchost.exe
    E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    H:\VMware\vmware-authd.exe
    E:\WINDOWS\System32\vmnat.exe
    E:\WINDOWS\System32\vmnetdhcp.exe
    E:\WINDOWS\System32\taskmgr.exe
    D:\MalWare Tools\hijackthis\HijackThis.exe

    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\WinXP_Programs\Adobe\Acrobat 6.0 ME\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winxp_programs\google\googletoolbar4.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\WinXP_Programs\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\WINXP_~1\FLASHGET\fgiebar.dll
    O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\WinXP_Programs\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: ImageShack Toolbar - {6932D140-ABC4-4073-A44C-D4A541665E35} - E:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winxp_programs\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [IMJPMIG8.1] E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [gcasServ] "C:\WinXP_Programs\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [Babylon Client] C:\WinXP_Programs\Babylon5.0.4.r14\Babylon.exe -AutoStart
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\WINXP_~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [CTFMON.EXE] E:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\WinXP_Programs\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Startup: Bandwidth Meter.lnk = C:\WinXP_Programs\Wizard Software\Bandwidth Meter\BandMeter.exe
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - H:\FLASHS~1\save.htm
    O8 - Extra context menu item: Download All by FlashGet - C:\WINXP_~1\FLASHGET\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - C:\WINXP_~1\FLASHGET\jc_link.htm
    O8 - Extra context menu item: Post Image to Blog - res://E:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5003
    O8 - Extra context menu item: RapidShare-Download - res://E:\DOCUME~1\DUALO~1\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
    O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
    O8 - Extra context menu item: Tag This Image - res://E:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5002
    O8 - Extra context menu item: Transload Image to ImageShack - res://E:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5004
    O8 - Extra context menu item: Upload All Images to ImageShack - res://E:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5000
    O8 - Extra context menu item: Upload Image to ImageShack - res://E:\WINDOWS\ImageShackToolbar\ImageShackToolbar.dll/5001
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - H:\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - H:\FLASHS~1\save.htm
    O9 - Extra button: Translate - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\WinXP_Programs\LingoCom\Translator.lnk
    O9 - Extra 'Tools' menuitem: Translator - {87680762-4A83-11B4-885B-0000E8ECA40F} - C:\WinXP_Programs\LingoCom\Translator.lnk
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\Office\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WinXP_Programs\ICQLite\ICQLite.exe
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\WinXP_Programs\ICQLite\ICQLite.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINXP_~1\FLASHGET\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\WINXP_~1\FLASHGET\flashget.exe
    O12 - Plugin for .mpeg: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://toolbar.imageshack.us
    O16 - DPF: {6932D140-ABC4-4073-A44C-D4A541665E35} (ImageShack Toolbar) - http://toolbar.imageshack.us/toolbar/ImageShackToolbar.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{099E9DE1-DF44-4B4A-80FD-34DCA114EFEC}: NameServer = 194.90.1.5,212.143.212.143
    O17 - HKLM\System\CCS\Services\Tcpip\..\{103FF839-29F0-4AC7-8B02-F4F869B39DF8}: NameServer = 194.90.1.5,212.143.212.143
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D3297B31-E732-4DDC-925F-115664FF5FBD}: NameServer = 192.115.106.46,192.115.106.11
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\WinXP_Programs\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - E:\WINDOWS\System32\drivers\CDAC11BA.EXE
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\WinXP_Programs\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\WINXP_~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: MacFormatService - Unknown owner - E:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\WinXP_Programs\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Unknown owner - C:\WINXP_~1\NORTON~2\AdvTools\NPROTECT.EXE (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\WinXP_Programs\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: ServiceLayer - Nokia. - E:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - H:\VMware\vmware-authd.exe
    O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - E:\WINDOWS\System32\vmnetdhcp.exe
    O23 - Service: VMware NAT Service - VMware, Inc. - E:\WINDOWS\System32\vmnat.exe


    I really hope one of you experts could help me use my computer again.
    Thanks in advance!
    Og
     
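    A small triage script for a log like the one above, added here as an example (it is not part of the original post and not HijackThis itself). It parses the prefixed entry lines and pulls out the items a removal helper looks at first: entries whose target file is gone, handlers registered from a Temp directory, the DNS servers the O17 lines assign to each adapter, and O15 Trusted Zone additions. The sample input is a constructed subset of the lines from the posted log.

```python
"""Triage a HijackThis 1.99 log the way a removal helper reads it.

Added example: this is not part of the original thread and not HijackThis
code. It parses the prefixed entry lines (R3, O3, O4, O8, O15, O17, O23, ...)
and pulls out what usually gets a second look first: entries whose target no
longer exists ("(no file)", "(file missing)", "is missing"), handlers that run
out of a Temp directory, the DNS servers that O17 lines assign to each
adapter (to be compared with the ISP's), and O15 Trusted Zone additions.
Whether an entry is actually malicious is still a judgement call; the script
only narrows the list.
"""
import re

# Constructed sample: a subset of lines from the log posted above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O8 - Extra context menu item: RapidShare-Download - res://E:\DOCUME~1\DUALO~1\LOCALS~1\Temp\ir_ext_temp_0\AutoPlay\Docs\more-rapid.exe/RsMenExt.html
O15 - Trusted Zone: http://toolbar.imageshack.us
O17 - HKLM\System\CCS\Services\Tcpip\..\{099E9DE1-DF44-4B4A-80FD-34DCA114EFEC}: NameServer = 194.90.1.5,212.143.212.143
O23 - Service: MacFormatService - Unknown owner - E:\Program Files\MacOpener\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# Paths under a user or system Temp directory (short or long name form).
TEMP_RE = re.compile(r"\\(LOCALS~1\\Temp|Local Settings\\Temp|WINDOWS\\TEMP)\\", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
MISSING_SUFFIXES = ("(no file)", "(file missing)", "is missing")


def parse_entries(text):
    """Return (kind, body) for every HijackThis entry line, skipping everything else."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def triage(text):
    """Bucket entries into the things a helper checks first."""
    report = {"missing_file": [], "runs_from_temp": [], "nameservers": set(), "trusted_zones": []}
    for kind, body in parse_entries(text):
        entry = f"{kind} - {body}"
        if body.endswith(MISSING_SUFFIXES):
            # Orphaned entries: HJT's "fix checked" just removes the dangling pointer.
            report["missing_file"].append(entry)
        if TEMP_RE.search(body):
            # Legitimate software rarely registers handlers from a Temp directory.
            report["runs_from_temp"].append(entry)
        if kind == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                report["nameservers"].update(m.group(1).split(","))
        if kind == "O15":
            # "Trusted Zone: <host>": that host gets IE's relaxed Trusted-sites settings.
            report["trusted_zones"].append(body.split(": ", 1)[1])
    report["nameservers"] = sorted(report["nameservers"])
    return report


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

    The O17 name servers are the one bucket that needs outside information: a redirected DNS server is only visible if you compare the addresses with what the ISP actually hands out.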
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Hi, Welcome to TSG!!

    You need to go here and install "Service Pack 1". This will patch numerous security holes in IE and Windows. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates before we proceed or we will be wasting our time.

    DO NOT install Service Pack 2 yet. If you install SP2 on an infected machine it will cause serious problems. Just get Service Pack 1 installed. After you get SP1 installed, restart your computer. Come back here and post the new HijackThis log.
     
  3. Mr_Og

    Mr_Og Thread Starter

    Joined:
    Mar 8, 2007
    Messages:
    5
    Hi cybertech, thank you for the warm welcome :)

    Hmmm, this is a problem...
    The thing is, I do not want to install either SP1 or SP2; I have installed those in the past and reverted to the default 2600 build. There are literally dozens of reasons why I don't want to/can't install SP1/2, and I could specify those upon request.
    Isn't there any possible way to solve this without installing SP1/2?
    Please note that all updates that are available for my OS version ARE installed (yes, I know that there are updates available only for SP1/2 versions), that I am quite computer-literate, and that in over five years I have solved every malware problem I ever had with this OS install (that is, I never had to reinstall Windows).
     
  4. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Run HJT again and put a check in the following:

    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {815A82AE-CDEF-11D8-BA48-A6D245798277} - (no file)

    Close all applications and browser windows before you click "fix checked".


    What is the file name and location of the trojan?
     
  5. Mr_Og

    Mr_Og Thread Starter

    Joined:
    Mar 8, 2007
    Messages:
    5
    Done (problem persists).


    I wish I knew... Can you recommend a good program which can tell me which application/process is using which amount of bandwidth (preferably freeware, but it doesn't have to be) so I could check?
     
  6. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Click Here and download Killbox and save it to your desktop.


    Double-click on Killbox.exe to run it.
    Put a tick by Delete on Reboot.
    In the "Full Path of File to Delete" box, copy and paste the following:

    c:\windows\system32\totour.exe

    Click on the button that has the red circle with the X in the middle after you enter the file name.
    It will ask for confirmation to delete the file.
    Click Yes.
    It will ask if you want to reboot now,
    Click Yes.

    Note: It is possible that Killbox will tell you that the file does not exist.

    If your computer does not restart automatically then please restart it manually.
    If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.
     
  7. Mr_Og

    Mr_Og Thread Starter

    Joined:
    Mar 8, 2007
    Messages:
    5
    I did as you suggested but nothing seemed to change; I believe the file is simply not there anymore (BTW, my Windows drive is E, so I changed the line you wrote to fit).

    If it's any help, I will attach the logs of all the files I deleted yesterday while trying to fix this by myself:

    avenger:
    ------
    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\neqceqap

    *******************

    Script file located at: \??\E:\WINDOWS\System32\sihsumci.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at E:\Avenger

    *******************

    Beginning to process script file:

    File E:\Documents and Settings\Dual O\ie_updater.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.
    ------

    SDFix:
    ------
    SDFix: Version 1.69

    Run by Administrator - Wed 03/07/2007 @ 22:29:34.65

    Microsoft Windows XP [Version 5.1.2600]

    Running From: E:\SDFix

    Safe Mode:
    Checking Services:




    Killing PID 176 'smss.exe'
    Killing PID 248 'winlogon.exe'

    Restoring Windows Registry Entries
    Restoring Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    E:\Documents and Settings\All Users\Documents\Settings\partnership.dll - Deleted
    E:\WINDOWS\system32\o - Deleted



    ADS Check:

    E:\WINDOWS\system32
    No streams found.


    Final Check:

    Remaining Services:
    ------------------




    Remaining Files:
    ---------------

    Backups Folder: - E:\SDFix\backups\backups.zip


    Checking For Files with Hidden Attributes :

    E:\Documents and Settings\Dual O\NetHood\ftp.digital.com\Desktop.ini
    E:\Documents and Settings\Dual O\NetHood\ftp.apple.com\Desktop.ini
    E:\Documents and Settings\Dual O\NetHood\mirror.apple.com\Desktop.ini
    E:\Documents and Settings\Dual O\NetHood\www.arihav.com\Desktop.ini
    E:\Documents and Settings\Dual O\NetHood\og0000.spymacdisk.com\Desktop.ini
    E:\Documents and Settings\Dual O\NetHood\ftp.pcchips.com.tw\Desktop.ini
    E:\Documents and Settings\Dual O\NetHood\ftp.fica.com\Desktop.ini
    E:\WINDOWS\CdaC14BA.DLL
    E:\Documents and Settings\Dual O\Application Data\plugin.dll
    E:\Documents and Settings\Dual O\Application Data\NUBZWTP.DLL
    E:\Documents and Settings\Dual O\Application Data\rbap450.dll
    E:\WINDOWS\CdaC13BA.EXE
    E:\WINDOWS\LastGood.Tmp\INF\oem11.inf
    E:\WINDOWS\LastGood.Tmp\INF\oem11.PNF
    E:\Documents and Settings\Dual O\My Documents\MOD\~WRL0003.tmp
    E:\Documents and Settings\Dual O\My Documents\MOD\~WRL1132.tmp
    E:\Documents and Settings\Dual O\My Documents\MOD\~WRL3571.tmp
    E:\Documents and Settings\Dual O\My Documents\MOD\~WRL3835.tmp
    E:\Documents and Settings\Dual O\Application Data\Microsoft\Word\~WRL0320.tmp
    E:\Documents and Settings\Dual O\Application Data\Microsoft\Word\~WRL3411.tmp
    E:\Documents and Settings\Dual O\Application Data\Microsoft\Word\~WRL0157.tmp
    E:\Documents and Settings\Dual O\Application Data\Microsoft\Word\~WRL0003.tmp

    Add/Remove Programs List:

    <Snapped>

    Finished
    ------

    Ad-Aware:
    ------
    Ad-Aware SE Statistics 3-8-2007 6:05:31 PM
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    TAC Rating Total Found Total Removed Last Detected
    Win32.Trojan.Spambot 2 2 3-7-2007
    Win32.TrojanDownloader.Tibs 1 0 3-7-2007
    Win32.TrojanDropper 1 1 3-7-2007
    Win32.Trojan.Keylogger 1 0 3-7-2007
    Lop 2 2 3-7-2007
    Win32.TrojanDownloader.Small 2 2 3-7-2007
    Redirected hostfile entry 32 32 3-7-2007
    Tracking Cookie 906 906 3-7-2007
    Win32.Hacktool.ToolEvId 2 0 3-7-2007
    MRU List 431 0 3-7-2007
    ------

    NAV:
    ------
    Category: Threat alerts
    Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
    3/8/2007 10:46:06 AM,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\WINDOWS\System32\totour.exe
    3/8/2007 10:46:06 AM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\WINDOWS\System32\totour.exe
    3/7/2007 7:29:48 PM,Script Blocking,Suspicious script,Activity allowed once,Script,N/A,FileSystem Object : GetSpecialFolder,Unknown,Unknown,Dual O,C1,Source: MsiExec.exe (this was the installation for a program called CounterSpy V2)
    3/7/2007 2:39:36 PM,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\WINDOWS\System32\totour.exe
    3/7/2007 2:39:36 PM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\WINDOWS\System32\totour.exe
    3/7/2007 12:21:38 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\DOCUME~1\DUALO~1\LOCALS~1\Temp\AAWTMP\C85332250\156CC7\Baaaaa.class
    3/7/2007 12:21:38 PM,Auto-Protect,Trojan.ByteVerify,Automatically deleted,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\DOCUME~1\DUALO~1\LOCALS~1\Temp\AAWTMP\C85332250\156CC7\BaaaaBaa.class
    3/7/2007 12:16:20 PM,Auto-Protect,Trojan.Desktophijack,Automatically deleted,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\5DG9TMEO\load[1].php
    3/7/2007 11:46:12 AM,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\DOCUME~1\DUALO~1\LOCALS~1\Temp\AAWTMP\C85332250\2344B0\patch.exe
    3/7/2007 11:46:12 AM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\DOCUME~1\DUALO~1\LOCALS~1\Temp\AAWTMP\C85332250\2344B0\patch.exe
    3/7/2007 10:57:57 AM,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200703020052,10.0.1.13,SYSTEM,C1,Source: E:\WINDOWS\TEMP\maindll.dll
    3/7/2007 10:53:58 AM,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\WINDOWS\System32\totour.exe
    3/7/2007 10:53:58 AM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\WINDOWS\System32\totour.exe
    ------

    Please note that all the files mentioned above were deleted, and I also deleted the TEMP folder and the temporary IE files; I just showed the logs because maybe you can use them to identify the problem and find bad files that I missed.

    Also, I really think a utility that can track connections to/from my PC (and can tell me which port or app they are from) could help me solve this. I know I already asked, but if anyone knows of such software I will really be happy to know.
     
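    The NAV log above shows the pattern a helper is really looking for: a file that Auto-Protect reports as "Access denied" and "Repair failed" every time it is touched, with no "Automatically deleted" entry, is still on disk and most likely held open by a running process. The following script, added here as an example (not part of the original post and not Symantec tooling), parses the CSV export and lists exactly those files, most-failed first. The sample input is a constructed subset of the rows quoted above.

```python
"""Summarise a Norton AntiVirus "Threat alerts" CSV export.

Added example; not part of the original thread and not Symantec code. A file
that keeps producing "Repair failed" / "Access denied" rows and never gets an
"Automatically deleted" row has not been cleaned and is the first thing to
hunt for. Rows that end in a delete are already handled.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: the header plus a subset of the rows quoted in the
# thread (backslashes doubled for Python).
SAMPLE_NAV_LOG = """\
Date,Feature,Threat Name,Action Taken,Item Type,Target,Suspicious Action,Virus Definition Version,Product Version,User Name,Computer Name,Details
3/8/2007 10:46:06 AM,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\\WINDOWS\\System32\\totour.exe
3/8/2007 10:46:06 AM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\\WINDOWS\\System32\\totour.exe
3/7/2007 2:39:36 PM,Auto-Protect,Trojan Horse,Access denied,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\\WINDOWS\\System32\\totour.exe
3/7/2007 2:39:36 PM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\\WINDOWS\\System32\\totour.exe
3/7/2007 11:46:12 AM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\\DOCUME~1\\DUALO~1\\LOCALS~1\\Temp\\AAWTMP\\C85332250\\2344B0\\patch.exe
3/7/2007 10:57:57 AM,Auto-Protect,Backdoor.Trojan,Automatically deleted,File,N/A,N/A,200703020052,10.0.1.13,SYSTEM,C1,Source: E:\\WINDOWS\\TEMP\\maindll.dll
3/7/2007 10:53:58 AM,Auto-Protect,Trojan Horse,Repair failed,File,N/A,N/A,200703020052,10.0.1.13,Dual O,C1,Source: E:\\WINDOWS\\System32\\totour.exe
"""

# Assumption: these action strings mean the file is gone from its original path.
RESOLVED_ACTIONS = {"Automatically deleted", "Quarantined"}


def parse_alerts(text):
    """Yield one dict per row with a parsed timestamp and the path from 'Details'."""
    for row in csv.DictReader(io.StringIO(text)):
        details = row["Details"]
        path = details.split("Source: ", 1)[1] if "Source: " in details else details
        yield {
            "when": datetime.strptime(row["Date"], "%m/%d/%Y %I:%M:%S %p"),
            "threat": row["Threat Name"],
            "action": row["Action Taken"],
            "path": path,
        }


def still_live(text):
    """Return [(path, repair_failed_count, first_seen, last_seen)] for files NAV
    never managed to remove, ordered by number of failed repairs (descending)."""
    per_path = defaultdict(list)
    for alert in parse_alerts(text):
        per_path[alert["path"]].append(alert)
    out = []
    for path, alerts in per_path.items():
        actions = {a["action"] for a in alerts}
        if actions & RESOLVED_ACTIONS:
            continue  # NAV already got rid of it
        failed = [a for a in alerts if a["action"] == "Repair failed"]
        if not failed:
            continue
        times = [a["when"] for a in alerts]
        out.append((path, len(failed), min(times), max(times)))
    out.sort(key=lambda t: t[1], reverse=True)
    return out


if __name__ == "__main__":
    for path, n, first, last in still_live(SAMPLE_NAV_LOG):
        print(f"{n:2d} failed repairs  {first:%Y-%m-%d %H:%M} .. {last:%Y-%m-%d %H:%M}  {path}")
```

    An "Access denied" and a "Repair failed" row with the same timestamp for the same path is the on-access scanner failing to open the file, which is what you see when the file is in use; that is why the thread's helper moves to a delete-on-reboot tool rather than another scan.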
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    Have you done this?
    Run Panda ActiveScan here

    Once you are on the Panda site click the "Scan your PC" button.
    A new window will open... click the "Check Now" button.
    Enter your Country.
    Enter your State/Province.
    Enter your e-mail address.
    Select either Home User or Company.
    Click the big "Scan Now" button.
    If it wants to install an ActiveX component allow it.
    It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
    When download is complete, click on "Local Disks" to start the scan.
    When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.
     
  9. Mr_Og

    Mr_Og Thread Starter

    Joined:
    Mar 8, 2007
    Messages:
    5
    Attached is the requested report (was too big to put in one message):
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,116
    This is what I find left for you to look into:

    Hacktool:Hacktool/NMap Not disinfected E:\WINDOWS\Downloaded Installations\{38B83FD2-06C3-44C3-A7DB-0B4653FB6BDF}\NMapWin.msi[unk_0052][CCGNU32.dll1]
    Adware:Adware/Gator Not disinfected E:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll
    Dialer:Dialer.OK Not disinfected E:\WINDOWS\Downloaded Program Files\internazionale_ver3.INF
    Dialer:Dialer.Gen Not disinfected E:\WINDOWS\Downloaded Program Files\603828.EXE
    Adware:Adware/WUpd Not disinfected E:\WINDOWS\LastGood\Downloaded Program Files\ActiveX.inf
    Adware:Adware/BHO Not disinfected E:\WINDOWS\INETG.RAR[inetg\1.01.03.dll]
    Virus:Trj/Small.BO Not disinfected E:\WINDOWS\INETG.RAR[inetg\services.exe.jj]
    Spyware:Cookie/Tribalfusion Not disinfected E:\Documents and Settings\Dual O\Local Settings\OG-TEMP\~DF319F.TMP
    Dialer:Dialer.Gen Not disinfected E:\Documents and Settings\Dual O\Desktop\s2k.serials2k7.1.zip[s2k.hacking.exe]
     
Short URL to this thread: https://techguy.org/550064