1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Help!!! Trojan Downloaders

Discussion in 'Virus & Other Malware Removal' started by golddust, Jul 21, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. golddust

    golddust Thread Starter

    Joined:
    Jan 2, 2005
    Messages:
    2,239
    Help pls!! I've picked up and can't get rid of several Trojan Downloaders:

    Downloader.Dyfica.3Al
    .Small.41.J
    .lstbar.AP
    .lstar.9D

    Here's my HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:47:01 PM, on 7/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\Program Files\NetZero\exec.exe
    C:\Program Files\NetZero\exec.exe
    C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE
    C:\Program Files\SurfAccuracy\SAcc.exe
    C:\DOCUME~1\Owner\LOCALS~1\Temp\sahagent.exe
    C:\Program Files\180searchassistant\sais.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Owner\Desktop\Dwnld exe files\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=...2147200000&D=1082012400000&I=6.0B5&N=PLHS&O=I
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\saishook.dll
    O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
    O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
    O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\Program Files\YourSiteBar\ysb.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180searchassistant\sais.exe
    O4 - HKLM\..\Run: [jqh] C:\WINDOWS\jqh.exe
    O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
    O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
    O8 - Extra context menu item: Show All Original Images - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
    O8 - Extra context menu item: Show Original Image - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
    O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.1.5.21/harvest/harvest-ob-assets.cab
    O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.1.3.21/mahjong/mahjong-ob-assets.cab
    O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.1.5.21/poppit2/poppit2-ob-assets.cab
    O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.1.5.21/jumbee/jumbee-ob-assets.cab
    O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.1.2.25/wordjong/wordjong-ob-assets.cab
    O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt3_x.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112455740562
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DD539A11-81C7-4918-99D3-642F426A298A}: NameServer = 64.136.20.121 64.136.28.121
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  2. Cheeseball81

    Cheeseball81 Retired Moderator

    Joined:
    Mar 3, 2004
    Messages:
    84,315
    Uninstall the following from Add/Remove Programs:

    180solutions
    PowerScan
    SurfAccuracy

    YourSiteBar
    --------------------------------------------------------------------------
    Download: Micro$oft Anti Spyware BETA:
    http://www.microsoft.com/athome/security/spyware/software/default.mspx

    First in the top menu click File then Check for updates to download the definitons updates.

    After updating look in the right side of the main window under "Run Quick Scan Now".
    Click Spyware scan options.
    In that window put a tick by Run a full system scan.
    Then put a check by all three options below that then click Run Scan now.

    When the scan is finished, let it fix anything that it finds
    (Have it quarantine the items that have that option rather than delete just in case.)
    It is a BETA program and there may be false positives.

    Reboot.
    --------------------------------------------------------------------------
    Click here to download the trial version of Ewido Security Suite:
    http://www.ewido.net/en/download/

    · Install Ewido.
    · During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    · Launch ewido.
    · It will prompt you to update click the OK button and it will go to the main screen.
    · On the left side of the main screen click update.
    · Click on Start and let it update.
    · DO NOT run a scan yet.

    Restart your computer into Safe Mode now.
    (Start tapping the F8 key at Startup, before the Windows logo screen).
    Perform the following steps in Safe Mode:

    * Run Ewido:
    Click on scanner
    Click Complete System Scan and the scan will begin.
    During the scan it will prompt you to clean files, click OK.
    When the scan is finished, look at the bottom of the screen and click the Save report button.
    Save the report to your desktop.

    Reboot again.

    Post a new Hijack This log and the results of the Ewido scan.
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/383230