Jump to content

Cannot Remove Trojan.Daonol


Recommended Posts

I have 2 different files that keep getting back onto my PC after Malwarebytes removes them.

Here are the 2 logs I just got after scanning again.

I did a search on my PC in C:\WINDOWS\raedy.vasxxx AND C:\WINDOWS\raedy.vas

The 2 files are definately in there but I didn't know if it was safe to delete them or not. I just let Malwarebytes remove them. I didn't even reboot my PC and they're still coming up as being in my PC. I just right click on the files in the "Search" area and tell it to let Malwarebytes scan it. This is a nasty little bugger.

I need help as soon as is humanly possible. This is our new Office PC and I don't want any of our accounting files to be affected. It also had detected the Bancos.Trojan-PWS earlier today. I pray to God it didn't steal any of my personal information or banking information. I've already had my identity stolen twice in the past 3 years. This is so annoying.

Thank you!

Koko

====================

Malwarebytes' Anti-Malware 1.34

Database version: 1840

Windows 5.1.2600 Service Pack 3

3/13/2009 12:01:51 AM

mbam-log-2009-03-13 (00-01-45).txt

Scan type: Quick Scan

Objects scanned: 67255

Time elapsed: 6 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\raedy.vas (Trojan.Daonol) -> No action taken.

C:\WINDOWS\raedy.vasxxx (Trojan.Daonol) -> No action taken.

================

Malwarebytes' Anti-Malware 1.34

Database version: 1840

Windows 5.1.2600 Service Pack 3

3/13/2009 12:15:30 AM

mbam-log-2009-03-13 (00-15-30).txt

Scan type: Quick Scan

Objects scanned: 1

Time elapsed: 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\raedy.vas (Trojan.Daonol) -> Quarantined and deleted successfully.

========================

Malwarebytes' Anti-Malware 1.34

Database version: 1840

Windows 5.1.2600 Service Pack 3

3/13/2009 12:17:21 AM

mbam-log-2009-03-13 (00-17-21).txt

Scan type: Quick Scan

Objects scanned: 1

Time elapsed: 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\WINDOWS\raedy.vasxxx (Trojan.Daonol) -> Quarantined and deleted successfully.

Link to post
Share on other sites

Here is the HijackThis Log:

Logfile of HijackThis v1.97.7

Scan saved at 12:23:40 AM, on 3/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\PC Tools Internet Security\pctsTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Browser Defender\BDTUpdateService.exe

C:\WINDOWS\system32\CSHelper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\PC Tools Internet Security\pctsAuxs.exe

C:\Program Files\PC Tools Internet Security\pctsSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Browser Defender Toolbar - {23B0D39A-E245-41B7-BF86-1238CF62625E} - C:\Program Files\Browser Defender\PCTBrowserDefender.dll

O3 - Toolbar: MyPoints Toolbar - {A057A204-BACC-4D26-CEC4-75A487FD6484} - C:\PROGRA~1\mypoints\mypoints.dll

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Fill Without Asking &9 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillWithoutAsking.html

O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms (HKLM)

O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)

O9 - Extra button: Save (HKLM)

O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)

O9 - Extra button: Fill NoAsk (HKLM)

O9 - Extra 'Tools' menuitem: Fill Without Asking &9 (HKLM)

O9 - Extra button: Identities (HKLM)

O9 - Extra 'Tools' menuitem: Identities &, (HKLM)

O9 - Extra button: RoboForm (HKLM)

O9 - Extra 'Tools' menuitem: RoboForm &2 (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab

O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1222667953045

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222742832640

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab

O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab

O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://stories.scrapbooksetc.com/create/DragDropUploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

Link to post
Share on other sites

This came from The PC Doctor Internet Security 2009 Log on The Bancos Trojan

3/12/2009 7:49:15 AM:250 Infection was detected on this computer

Threat Name - Trojan-PWS.Bancos

Type - Registry Value

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-3646181656-3369531988-2320958936-500\Software\Microsoft\Windows\CurrentVersion\internet settings\user agent\Post Platform, Embedded Web Browser from: http://bsalsa.com/

3/12/2009 7:50:24 AM:312 Site Guard: Blocked Site

Threat Name - Spyware.Known_Bad_Sites

Details - Site Guard has blocked access to a bad website

Risk Level - High

Infection - meta.7search.com (208.237.254.42)

3/12/2009 7:52:33 AM:437 Scan Finished

Scan Type - Intelli-Scan

Items Processed - 213696

Threats Detected - 1

Infections Detected - 1

Infections Ignored - 24

3/12/2009 7:52:39 AM:296 IntelliGuard Detection Cleaned

Threat Name - Adware.Advertising

Type - Cookie

Risk Level - Low

Infection - ad.yieldmanager.com/ad.yieldmanager.com

3/12/2009 7:52:39 AM:296 IntelliGuard Detection Cleaned

Threat Name - Adware.Advertising

Type - Cookie

Risk Level - Low

Infection - atdmt.com/atdmt.com

3/12/2009 7:52:39 AM:296 IntelliGuard Detection Cleaned

Threat Name - Adware.Advertising

Type - Cookie

Risk Level - Low

Infection - mediaplex.com/mediaplex.com

3/12/2009 7:52:39 AM:406 IntelliGuard Detection Cleaned

Threat Name - Application.TrackingCookies

Type - Cookie

Risk Level - Low

Infection - doubleclick.net/doubleclick.net

3/12/2009 7:52:39 AM:406 IntelliGuard Detection Cleaned

Threat Name - Application.TrackingCookies

Type - Cookie

Risk Level - Low

Infection - stopzilla.com/stopzilla.com

3/12/2009 7:52:39 AM:406 IntelliGuard Detection Cleaned

Threat Name - Application.TrackingCookies

Type - Cookie

Risk Level - Low

Infection - www.stopzilla.com/www.stopzilla.com

3/12/2009 7:54:14 AM:890 Infection quarantined

Threat Name - Trojan-PWS.Bancos

Type - Registry Value

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-3646181656-3369531988-2320958936-500\Software\Microsoft\Windows\CurrentVersion\internet settings\user agent\Post Platform, Embedded Web Browser from: http://bsalsa.com/

3/12/2009 7:54:14 AM:984 Infection cleaned

Threat Name - Trojan-PWS.Bancos

Type - Registry Value

Risk Level - High

Infection - HKEY_USERS\S-1-5-21-3646181656-3369531988-2320958936-500\Software\Microsoft\Windows\CurrentVersion\internet settings\user agent\Post Platform, Embedded Web Browser from: http://bsalsa.com/

3/12/2009 7:54:17 AM:31 Infections Quarantined/Removed Summary

Quarantined - 1

Quarantine Failed - 0

Removed - 1

Remove Failed - 0

Link to post
Share on other sites

  • Root Admin

STEP 01

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must Right click and choose RunAs Admin)
  • Please DO NOT run MBAM in Safe Mode unless requested to, you MUST run it in normal Windows mode.
    • Update Malwarebytes' Anti-Malware
    • Select the Update tab
    • Click Update

    [*]When the update is complete, select the Scanner tab

    [*]Select Perform quick scan, then click Scan.

    [*]When the scan is complete, click OK, then Show Results to view the results.

    [*]Be sure that everything is checked, and click Remove Selected.

    [*]When completed, a log will open in Notepad. please copy and paste the log into your next reply

    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new Hijackthis log.

STEP 02

Download
DDS
and save it to your desktop

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Ant-Virus temporarily if needed.

Then double click
dds.scr
to run the tool.

When done, the
DDS.txt
will open.

Click Yes at the next prompt for Optional Scan.
    When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply:
    DDS.txt
    and
    Attach.txt

STEP 03

    Please create a BOOTLOG
  • Restart the computer and press F8 when Windows start booting. This will bring up the startup options.
  • Select "Enable Boot Logging" option and press enter.
  • Windows prompts you to select a Windows Installation (even if there is only one windows installation)
  • This boots windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
    If you're already running inside Windows you can enable it the following way.
  • Click on START - RUN and type in MSCONFIG go to the BOOT.INI tab and place a check mark by /BOOTLOG
  • Click on OK and you will be prompted to RESTART Windows. Please do restart now.
  • After Windows restarts open the file C:\Windows\ntbtlog.txt with Notepad
  • From the Edit menu choose Select All then Edit, COPY and post that back on your next reply.
  • Note: Vista users can type in the Search and it will show on the menu, then Right click and choose Run as Adminsitrator
  • The tab is called BOOT on Vista. Then choose Boot log

STEP 04

RootRepeal - Rootkit Detector

  • Please download the following tool:
    RootRepeal - Rootkit Detector
  • Direct download link is here:
    RootRepeal.rar

  • If you don't already have a program to open a .RAR compressed file you can download a trial version from here:
    WinRAR

  • Extract the program file to a new folder such as
    C:\RootRepeal

  • Run the program
    RootRepeal.exe
    and go to the
    REPORT
    tab and click on the
    Scan
    button

  • Select
    ALL
    of the checkboxes and then click
    OK
    and it will start scanning your system.

  • If you have multiple drives you only need to check the C: drive or the one Windows is installed on.

  • When done, click on
    Save Report

  • Save it to the same location where you ran it from, such as
    C:\RootRepeal

  • Save it as
    your_name_rootrepeal.txt
    - where your_name is your
    forum name

  • This makes it more easy to track who the log belongs to.

  • Then open that log and select all and copy/paste it back on your next reply please.

  • Quit the RootRepeal program.

Link to post
Share on other sites

MBAM

Malwarebytes' Anti-Malware 1.34

Database version: 1842

Windows 5.1.2600 Service Pack 3

3/13/2009 3:32:03 AM

mbam-log-2009-03-13 (03-32-03).txt

Scan type: Quick Scan

Objects scanned: 65587

Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\raedy.vas (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\WINDOWS\raedy.vasx (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\WINDOWS\raedy.vasxx (Trojan.Daonol) -> Quarantined and deleted successfully.

C:\WINDOWS\raedy.vasxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

xxxxxxxxxxxxxxxxxxxxxxxx (Trojan.Daonol) -> Quarantined and deleted successfully.

+++++++++++++++++++++++++

Logfile of HijackThis v1.97.7

Scan saved at 3:33:45 AM, on 3/13/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\WINDOWS\system32\LVCOMSX.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\PC Tools Internet Security\pctsTray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\CSHelper.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\PSIService.exe

C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe

C:\Program Files\PC Tools Internet Security\pctsAuxs.exe

C:\Program Files\PC Tools Internet Security\pctsSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wdfmgr.exe

C:\Program Files\PC Tools Internet Security\TFEngine\TFService.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\WINDOWS\system32\notepad.exe

C:\Downloads\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/

O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe

O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [iSTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Fill Without Asking &9 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillWithoutAsking.html

O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: Fill Forms (HKLM)

O9 - Extra 'Tools' menuitem: Fill Forms &] (HKLM)

O9 - Extra button: Save (HKLM)

O9 - Extra 'Tools' menuitem: Save Forms &[ (HKLM)

O9 - Extra button: Fill NoAsk (HKLM)

O9 - Extra 'Tools' menuitem: Fill Without Asking &9 (HKLM)

O9 - Extra button: Identities (HKLM)

O9 - Extra 'Tools' menuitem: Identities &, (HKLM)

O9 - Extra button: RoboForm (HKLM)

O9 - Extra 'Tools' menuitem: RoboForm &2 (HKLM)

O9 - Extra button: Research (HKLM)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 (HKLM)

O9 - Extra button: Yahoo! Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll

O11 - Options group: [iNTERNATIONAL] International*

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.1.4.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab

O16 - DPF: {1D082E71-DF20-4AAF-863B-596428C49874} (TPIR Control) - http://www.worldwinner.com/games/v50/tpir/tpir.cab

O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab

O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1222667953045

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222742832640

O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab

O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/flash...r/ultrashim.cab

O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v57/wof/wof.cab

O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab

O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v67/swapit/swapit.cab

O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://stories.scrapbooksetc.com/create/DragDropUploader.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/download/imikimi_plugin_0.5.1.cab

O16 - DPF: {E4E2F180-CB8B-4DE9-ACBB-DA745D3BA153} (Rising Web Scan Object) - http://download.rising.com.cn/register/pcv...2007/OL2006.cab

Link to post
Share on other sites

:P

All that happens when I double click on the dds.scr is a black c: prompt screen flashes real quick on the screen and then disappears. I completely disabled my PC Tools Internet Security 2009 also. I don't know what else is running that would make this happen? I even hit CTL+ALT+DEL to check my processes, etc, and nothing is running. :P

I am wondering if I should start running a backup? I am so afraid of loosing all of my Quickbooks accounts or running the risk of them being corrupted.

Thanks,

Koko

Link to post
Share on other sites

:P

All that happens when I double click on the dds.scr is a black c: prompt screen flashes real quick on the screen and then disappears. I completely disabled my PC Tools Internet Security 2009 also. I don't know what else is running that would make this happen? I even hit CTL+ALT+DEL to check my processes, etc, and nothing is running. :P

I am wondering if I should start running a backup? I am so afraid of loosing all of my Quickbooks accounts or running the risk of them being corrupted.

Do I go onto Step 03? I will just wait for your reply.

Thanks,

Koko

Link to post
Share on other sites

  • Root Admin

Well you should ALWAYS have backups, regardless of your current Malware situation.

Please try to run this program.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click 'Yes to all' if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply with a new hijackthis log.

    drweb.jpg

Link to post
Share on other sites

  • Root Admin

Due to user not being able to access MBAM site they opened a ticket on Bleepingcomputer so I'll close this post now.

Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.