1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan or Virus, Bloodhound.Packed, Backdoor.Mutny, Trojan.Startpage and Dloader-FC

Discussion in 'Virus & Other Malware Removal' started by Hellb0y, Mar 25, 2005.

Thread Status:
Not open for further replies.
  1. Hellb0y

    Hellb0y Thread Starter

    Mar 25, 2005
    Hi Everyone,

    Few days ago my dad opened an email which as you can see delivered all above viruses and trojans. Since then I have been going through the logs and system registery and cleaning all the trojans, I have used Symantec(norton), Ad-aware, Spybot, Xoftspy and few other spyware and adware removal tools, I have gone through step by step removing each and every files explained in Many websites, but the bloody thing keeps coming everytime I restart the pc. Oh yes, I have made a bootable cd and removed it from boot sector and memory as well but it didnt help! dont laugh but i was so pissed off, i was about to remove the motherboard battery! haha (joke)

    Ok, Im not too experienced in pc like you all but i do ok, however, I need your help. First of all, the pc is 100 times slower! I get a red desktop with few internet links in it (ofcourse "warning you have spyware, click here to remove it"), I can not remove this desktop because everytime i go to remove it, the mouse wont click on any other desktop picture in display properties.

    Every time i loginto windows (XP Pro SP2), I see about 20 weired .exe files loading in task manager. THey are all in system32 directory, i remove them, then they show up with a different name such as QLP.EXE, or KPE.EXE and ect.

    THe most important effect is that I can not see the desktop files at all! I only have Recycle bin and on the desktop. I tried to search for the directories but they are not there, however, the search result shows them in C:\Desktop! hows that possible! there was not desktop in C:\! all the users are supposed to be in document and setting then username, then desktop. (What a virus!)

    The other problem is everytime I put something on the desktop, it will double! yes, you read it right! same name, same extention! haha im going creazy here!

    I have restarted the pc and used hijackthis to get a log for you. you can see a lot of stuff in host file, I have tried to remove them even in safe mode, it wont let me even after loging as admin.

    I am about to format the bloody hard drive and lost all the files. Please give me an ulternative, please help.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:10:04 PM, on 3/26/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\XoftSpy\XoftSpy.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R3 - Default URLSearchHook is missing
    O1 - Hosts: www.greg-tut.com
    O1 - Hosts: nylonsexy.com
    O1 - Hosts: www.nylonsexy.com
    O1 - Hosts: vparivalka.com
    O1 - Hosts: www.vparivalka.comtoescrowpay.com
    O1 - Hosts: www.awmdabest.com
    O1 - Hosts: www.sexfiles.nu
    O1 - Hosts: awmdabest.com
    O1 - Hosts: sexfiles.nu
    O1 - Hosts: allforadult.com
    O1 - Hosts: www.allforadult.com
    O1 - Hosts: www.iframe.biz
    O1 - Hosts: iframe.biz
    O1 - Hosts: www.newiframe.biz
    O1 - Hosts: newiframe.biz
    O1 - Hosts: www.vesbiz.biz
    O1 - Hosts: vesbiz.biz
    O1 - Hosts: www.pizdato.biz
    O1 - Hosts: pizdato.biz
    O1 - Hosts: www.aaasexypics.com
    O1 - Hosts: aaasexypics.com
    O1 - Hosts: www.virgin-tgp.net
    O1 - Hosts: virgin-tgp.net
    O1 - Hosts: www.awmcash.biz
    O1 - Hosts: awmcash.biz
    O1 - Hosts: buldog-stats.com
    O1 - Hosts: www.buldog-stats.com
    O1 - Hosts: fregat.drocherway.com
    O1 - Hosts: slutmania.biz
    O1 - Hosts: www.slutmania.biz
    O1 - Hosts: toolbarpartner.com
    O1 - Hosts: www.toolbarpartner.com
    O1 - Hosts: www.megapornix.com
    O1 - Hosts: megapornix.com
    O1 - Hosts: www.sp2****ed.biz
    O1 - Hosts: sp2****ed.biz
    O1 - Hosts: greg-tut.com
    O1 - Hosts:
    O2 - BHO: (no name) - {54F40038-0E17-478D-9EE4-176D39077899} - C:\WINDOWS\System32\igkm.dll (file missing)
    O2 - BHO: Explorer Class - {962F12AE-2773-4BEB-99EA-B5C3AB9A6606} - C:\WINDOWS\System32\DSMANA~1.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [Agt] C:\WINDOWS\Uef.exe
    O4 - HKLM\..\Run: [Vas] C:\WINDOWS\System32\Nsd.exe
    O4 - HKLM\..\Run: [Ttp] C:\WINDOWS\System32\Pdr.exe
    O4 - HKLM\..\Run: [Mgc] C:\WINDOWS\Eeb.exe
    O4 - HKLM\..\Run: [Lnl] C:\WINDOWS\Rsa.exe
    O4 - HKLM\..\Run: [Umm] C:\WINDOWS\Pgd.exe
    O4 - HKLM\..\Run: [Lbk] C:\WINDOWS\System32\Eqb.exe
    O4 - HKLM\..\Run: [Vfe] C:\WINDOWS\System32\Ddv.exe
    O4 - HKLM\..\Run: [Bee] C:\WINDOWS\Buu.exe
    O4 - HKLM\..\Run: [Cds] C:\WINDOWS\Sko.exe
    O4 - HKLM\..\Run: [Vno] C:\WINDOWS\System32\Dsd.exe
    O4 - HKLM\..\Run: [Qai] C:\WINDOWS\System32\Nne.exe
    O4 - HKLM\..\Run: [Qgl] C:\WINDOWS\System32\Ocn.exe
    O4 - HKLM\..\Run: [Osm] C:\WINDOWS\Puh.exe
    O4 - HKLM\..\Run: [Air] C:\WINDOWS\Qas.exe
    O4 - HKLM\..\Run: [Mip] C:\WINDOWS\Gjc.exe
    O4 - HKLM\..\Run: [Crn] C:\WINDOWS\Utl.exe
    O4 - HKLM\..\Run: [Nsq] C:\WINDOWS\Qls.exe
    O4 - HKLM\..\Run: [Gtt] C:\WINDOWS\Egg.exe
    O4 - HKLM\..\Run: [Tai] C:\WINDOWS\Kvf.exe
    O4 - HKLM\..\Run: [Mbq] C:\WINDOWS\Pdk.exe
    O4 - HKLM\..\Run: [Jfi] C:\WINDOWS\Osv.exe
    O4 - HKLM\..\Run: [Seq] C:\WINDOWS\Mjp.exe
    O4 - HKLM\..\Run: [Lik] C:\WINDOWS\Ehh.exe
    O4 - HKLM\..\Run: [Geb] C:\WINDOWS\Rbu.exe
    O4 - HKLM\..\Run: [Fsd] C:\WINDOWS\System32\Ron.exe
    O4 - HKLM\..\RunServices: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Jsa] C:\WINDOWS\System32\Tnn.exe
    O4 - HKCU\..\Run: [ntddetect] C:\WINDOWS\System32\ntddetect.exe
    O4 - HKCU\..\Run: [Pib] C:\WINDOWS\Jdd.exe
    O4 - HKCU\..\Run: [Vdg] C:\WINDOWS\System32\Olq.exe
    O4 - HKCU\..\Run: [Mak] C:\WINDOWS\System32\Fkp.exe
    O4 - HKCU\..\Run: [Baf] C:\WINDOWS\Jia.exe
    O4 - HKCU\..\Run: [Gtg] C:\WINDOWS\System32\Qih.exe
    O4 - HKCU\..\Run: [Kls] C:\WINDOWS\System32\Gka.exe
    O4 - HKCU\..\Run: [Fls] C:\WINDOWS\Tfn.exe
    O4 - HKCU\..\Run: [Cie] C:\WINDOWS\Ajk.exe
    O4 - HKCU\..\Run: [Bjv] C:\WINDOWS\Vjb.exe
    O4 - HKCU\..\Run: [Bte] C:\WINDOWS\Qho.exe
    O4 - HKCU\..\Run: [Vtb] C:\WINDOWS\Ebr.exe
    O4 - HKCU\..\Run: [Jap] C:\WINDOWS\Fvu.exe
    O4 - HKCU\..\Run: [Btp] C:\WINDOWS\System32\Urr.exe
    O4 - HKCU\..\Run: [Pkg] C:\WINDOWS\Aep.exe
    O4 - HKCU\..\Run: [Npv] C:\WINDOWS\System32\Ibn.exe
    O4 - HKCU\..\Run: [Agt] C:\WINDOWS\Uef.exe
    O4 - HKCU\..\Run: [Vas] C:\WINDOWS\System32\Nsd.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [Ttp] C:\WINDOWS\System32\Pdr.exe
    O4 - HKCU\..\Run: [Mgc] C:\WINDOWS\Eeb.exe
    O4 - HKCU\..\Run: [Lnl] C:\WINDOWS\Rsa.exe
    O4 - HKCU\..\Run: [Lbk] C:\WINDOWS\System32\Eqb.exe
    O4 - HKCU\..\Run: [Vfe] C:\WINDOWS\System32\Ddv.exe
    O4 - HKCU\..\Run: [Bee] C:\WINDOWS\Buu.exe
    O4 - HKCU\..\Run: [Fsd] C:\WINDOWS\System32\Ron.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0656143abd2fbd6e5300/netzip/RdxIE601.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
    O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe

    ok thats it, I hope the info is enough. Norton tells me i got these viruses but it can not remove it even in safe mode. XoftSpy detects the Troj/Dloader-FC, says that it removed it but if i run it again, it detects the virus again.

    I thank you in advance for your feedback.


  2. dvk01

    dvk01 Derek Moderator Malware Specialist

    Dec 14, 2002
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/345993