Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.

help!! Win32.adverts.trojan.downloader

837 views 2 replies 2 participants last post by  Alexandre 
#1 ·
Hi.

Ma ad-aware find two files with win32.adverts.trojan.downloader, and it can't fix it. My Hijackthis log is:

Logfile of HijackThis v1.97.7
Scan saved at 15:57:36, on 12/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\winnt\system32\sncntr.exe
C:\winnt\system32\sp2ctr.exe
C:\WINNT\system32\internat.exe
C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fonsecaeveiga.adv.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [PCI Audio Applications] D:\Sound\C-Media\W2K-ME\app\Setup.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\ARQUIV~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [sp2ctr] c:\winnt\system32\sp2ctr.exe /nocomm
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Inicialização do Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Localização acelerada da Microsoft.lnk = C:\Arquivos de programas\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com.br
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com.br
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.6619097222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C67DAEB-4B89-40A4-B6AC-2F9974C6875E}: NameServer = 200.198.176.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8C67DAEB-4B89-40A4-B6AC-2F9974C6875E}: NameServer = 200.198.176.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{8C67DAEB-4B89-40A4-B6AC-2F9974C6875E}: NameServer = 200.198.176.2

Someone can help me, please??

Alexandre :confused:
 
See less See more
#2 ·
Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O4 - HKLM\..\Run: [sncntr] c:\winnt\system32\sncntr.exe /nocomm
O4 - HKLM\..\Run: [sp2ctr] c:\winnt\system32\sp2ctr.exe /nocomm

Reboot into safe mode by following instructions here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406
then as some of the files or folders you need to delete may be hidden do this:
Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

Delete these files

C:\winnt\system32\sncntr.exe
C:\winnt\system32\sp2ctr.exe

then go to C:\Documents and Settings\USER NAME\Local Settings\Temp and select everything in that folder and delete it (repeat for every user name/account )

and select EVERYTHING in C:\windows\temp except temporary internet files, cookies and history folders and delete all that as well

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

then
Reboot normally &

Download and unzip or install these programs/applications if you haven't already got them. If you have them, then make sure they are updated and configured as described

Spybot - Search & Destroy from http://security.kolla.de
AdAware SE from http://www.lavasoft.de/support/download


Run Sybot S&D

After installing, first press Online, press search for updates, then tick the updates it finds, then press download updates. Beside the download button is a little down pointed arrow, select one of the servers listed. If it doesn't work or you get an error message then try a different server

Next, close all Internet Explorer and OE windows, press 'Check for Problems', and have SpyBot remove all it finds that is marked in RED.

then reboot &

Run ADAWARE

Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
the current ref file should read at least SE1R7 06.09.2004 or a higher number/later date
Then ........
click the "Scan" button. and select full scan

When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries. You can safely ignore any MRU entries though and not delete them

reboot again

then post a new hijackthis log to check what is left and say whether it has fixed the problem
 
#3 ·
Derek.

I did everything you say.

My new hijakthis is:

Logfile of HijackThis v1.97.7
Scan saved at 18:34:05, on 14/9/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\htpatch.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\System32\sistray.EXE
C:\WINNT\System32\khooker.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashmaisv.exe
C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\WINNT\system32\internat.exe
C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
C:\Arquivos de programas\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fonsecaeveiga.adv.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINNT\Downloaded Program Files\gbieh.dll
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
O4 - HKLM\..\Run: [PCI Audio Applications] D:\Sound\C-Media\W2K-ME\app\Setup.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] C:\ARQUIV~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Inicialização do Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Localização acelerada da Microsoft.lnk = C:\Arquivos de programas\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.msn.com.br
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.msn.com.br
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38120.6619097222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8C67DAEB-4B89-40A4-B6AC-2F9974C6875E}: NameServer = 200.198.176.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{8C67DAEB-4B89-40A4-B6AC-2F9974C6875E}: NameServer = 200.198.176.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{8C67DAEB-4B89-40A4-B6AC-2F9974C6875E}: NameServer = 200.198.176.2

It seems that the problem is fixed.

Thanks.

Alexandre
 
Status
Not open for further replies.
You have insufficient privileges to reply here.
Top