
persistent viruses/backdoor trojans. please help!!

Discussion in 'Virus & Other Malware Removal' started by felicienne, Oct 31, 2007.

Thread Status:
Not open for further replies.
    felicienne (Thread Starter). Joined: Oct 31, 2007. Messages: 1
    Hi, I really need help.

    AVG has been detecting a LOT of viruses in my PC, like:
    Trojan horse IRC/BackDoor.SdBot3.RDR
    Trojan horse IRC/BackDoor.SdBot3.SCY
    Trojan horse BackDoor.Ircbot.AG
    Trojan horse BackDoor.Ircbot.BUC
    Trojan horse Generic_c.BVW
    Virus: Win32/Virut.O

    Those were just some of them. I keep on deleting the files that AVG says are infected, BUT they ALWAYS keep on coming back. A VBScript file "1" and some files such as "dirhttp.exe" and "qhotsew.exe" also always appear in the C: folder. There's one type of file, "84785_redworld.exe", that keeps on coming back in the C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5 directory. Also, there are infected files in the System32 folder, and no matter how often I go into Safe Mode to delete those infected files, they always keep coming back.

    Is there something else I should do/delete to stop these viruses?


    Here's my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:45:33 PM, on 10/31/2007
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wqmfgxo.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\system32\ftp.exe
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\System32\cmd.exe
    C:\WINDOWS\system32\cscript.exe
    C:\WINDOWS\System32\cmd.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\yptull.exe
    O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
    O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\rmtsphu.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [pronto] jixz.exe
    O4 - HKLM\..\Run: [WinServ 32] wqmfgxo.exe
    O4 - HKLM\..\RunServices: [pronto] jixz.exe
    O4 - HKLM\..\RunServices: [WinServ 32] wqmfgxo.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe


    I also tried Panda ActiveScan online:

    Virus:Generic Malware Disinfected Operating system
    Adware:adware/purityscan Not disinfected c:\windows\system32\winserv.exe
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\angelo\Cookies\[email protected][2].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\angelo\Cookies\[email protected][2].txt
    Virus:W32/Sdbot.JUM.worm Disinfected C:\RECYCLER\S-1-5-21-1644491937-854245398-1957994488-1003\Dc63\84785_redworld[1].exe
    Virus:W32/Gaobot.OXI.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GH2NOTIF\84785_redworld[2].exe
    Virus:Generic Malware Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W52RCPUJ\84785_redworld[1].exe
    Virus:W32/Sdbot.JUM.worm Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W52RCPUJ\84785_redworld[3].exe
    Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\x
    Virus:Trj/Killfiles.AK Disinfected C:\WINDOWS\Temp\C27D8FEF-D7AE-42c0-82E6-F30598265639.exe


    BUT, although it says that the viruses have been disinfected, as I said, they just keep coming back. :mad: If someone could give me any help in solving this problem, it would be much appreciated. :) Thanks in advance.
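The log above shows why deleting the files from Safe Mode does not hold: the O4 autostart entries relaunch the droppers on every boot, and the running cmd.exe, ftp.exe and cscript.exe processes match the Sdbot.ftp detection that re-downloads them. As an added example (not code from the thread or from HijackThis), here is a small Python triage of those O4 lines that flags the entries a responder would look at first; the allowlist and the heuristics are assumptions of this example, not HijackThis logic.

```python
import re

# Constructed sample input: the O4 (autostart) lines copied from the HijackThis log above.
HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [Services] C:\WINDOWS\System32\yptull.exe
O4 - HKLM\..\Run: [Client Server Runtime Process] C:\WINDOWS\System32\csrs.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [pronto] jixz.exe
O4 - HKLM\..\Run: [WinServ 32] wqmfgxo.exe
O4 - HKLM\..\RunServices: [pronto] jixz.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
""".strip().splitlines()

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Hypothetical allowlist: Windows executables that legitimately autostart from System32.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}


def parse_o4(line):
    """Split one O4 line into hive, key, value name and the executable it launches."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"]
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return {"hive": m["hive"], "key": m["key"], "name": m["name"], "exe": exe}


def triage_o4(lines):
    """Return (line, reasons) for every autostart entry that trips a heuristic."""
    findings = []
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        exe, reasons = entry["exe"], []
        if "\\" not in exe:
            reasons.append("bare filename resolved via PATH search (a common dropper habit)")
        elif "\\system32\\" in exe.lower() and exe.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
            reasons.append("non-allowlisted executable launched straight from System32")
        if entry["key"].lower() == "runservices":
            reasons.append("RunServices is a Windows 9x-era key; nothing legitimate needs it on XP")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_o4(HJT_O4_LINES): print(line, reasons)
```

On the sample above it flags five entries (yptull.exe, csrs.exe, the two bare jixz.exe/wqmfgxo.exe names, and the RunServices copy) and leaves the AVG, Messenger and ctfmon entries alone.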
     
Short URL to this thread: https://techguy.org/645919