SoftwareTipsandTricks Forum > Operating Systems > Windows XP

Trojan/malware problem
#1 | quog | 04-09-2008, 01:31 AM

Ok, long time listener, first time caller...
I've usually figured out how to fix things with the help of other people's threads and the advice you guys give, but I've finally run into a problem I can't fix.

I've installed and updated both TrojanHunter and SUPERAntiSpyware, run them multiple times, then used SDFix.
It was running OK for an hour or so, then the whole thing repeated...




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:53 PM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\ehome\ehtray.exe
C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\APPS\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\Logi_MwX.Exe
C:\WINDOWS\system32\svchost.exe
c:\windows\mHotkey.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\TrojanHunter 5.0\THGuard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\slrundll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Murray Shaun\My Documents\programs and downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: Gaia Online Toolbar - {B3535C18-0E70-4D4B-B36B-BBFE139BB144} - C:\Program Files\Gaia Online Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] C:\APPS\Chicony\chicony.bat
O4 - HKLM\..\Run: [RemoteControl] C:\APPS\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\RealMedia\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [crwpqbad] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\crwpqbad.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [BM27ef44e0] Rundll32.exe "C:\WINDOWS\system32\pdjpkvpp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Murray Shaun\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1167544761363
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary...o.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - AppInit_DLLs: iSecurity.cpl
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 8462 bytes

#2 | quog | 04-09-2008, 01:33 AM

SDFix log



SDFix: Version 1.167
Run by Murray Shaun on Mon 04/07/2008 at 09:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\MURRAY~1\MYDOCU~1\PROGRA~1\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Program Files\akl\akl.dll - Deleted
C:\Program Files\akl\akl.exe - Deleted
C:\Program Files\akl\uninstall.exe - Deleted
C:\Program Files\akl\unsetup.exe - Deleted
C:\Program Files\iSecurity\iSecurity.dat - Deleted
C:\Program Files\iSecurity\syscleaner.bmp - Deleted
C:\Program Files\iSecurity\syscleanerinstalled.bmp - Deleted
C:\Program Files\iSecurity\systemdefender.bmp - Deleted
C:\Program Files\iSecurity\systemdefenderinstalled.bmp - Deleted
C:\Program Files\iSecurity\winifixer.bmp - Deleted
C:\Program Files\iSecurity\winifixerinstalled.bmp - Deleted
C:\WINDOWS\iTunesMusic.exe - Deleted



Folder C:\Program Files\akl - Removed
Folder C:\Program Files\IE Extensions - Removed
Folder C:\Program Files\iSecurity - Removed


Removing Temp Files

ADS Check :


C:\WINDOWS\system32
:winstart 10865
Total size: 10865 bytes.
system32: deleted 10865 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32
No streams found.


Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 21:31:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}]
"DisplayName"="Alcohol 120%"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Diablo\\diablo.exe"="C:\\Diablo\\diablo.exe:*:Enabled:Diablo"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft Games\\Dungeon Siege\\DSLOA.exe"="C:\\Program Files\\Microsoft Games\\Dungeon Siege\\DSLOA.exe:*:Enabled:Dungeon Siege: Legends of Aranna Game Executable"
"C:\\WINDOWS\\system32\\dpnsvr.exe"="C:\\WINDOWS\\system32\\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 Server"
"C:\\Program Files\\ARES\\Ares.exe"="C:\\Program Files\\ARES\\Ares.exe:*:Enabled:Ares"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe"="C:\\Program Files\\THQ\\Dawn Of War\\W40k.exe:*:Enabled:W40k"
"C:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe"="C:\\Program Files\\THQ\\Dawn Of War\\W40kWA.exe:*:Enabled:W40kWA"
"C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe"="C:\\Program Files\\THQ\\Dawn of War - Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\Documents and Settings\\Murray Shaun\\My Documents\\programs and downloads\\Game\\Battlegrounds.exe"="C:\\Documents and Settings\\Murray Shaun\\My Documents\\programs and downloads\\Game\\Battlegrounds.exe:*:Enabled:Star Wars Galactic Battlegrounds"
"C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe:*:Enabled:Star Wars(TM): Empire at War(TM): Forces of Corruption(TM)"
"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\\WINDOWS\\system32\\rundll32.exe"="C:\\WINDOWS\\system32\\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe"="C:\\Program Files\\NEXON\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe"="C:\\Program Files\\WiFiConnector\\NintendoWFCReg.exe:*:Enabled:Nintendo Wi-Fi USB Connector"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program Files\\Xfire\\Xfire.exe"="C:\\Program Files\\Xfire\\Xfire.exe:*:Enabled:Xfire"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\Steam\\steamapps\\quog38\\half-life 2 deathmatch\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\quog38\\half-life 2 deathmatch\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Steam\\steamapps\\quog38\\counter-strike source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\quog38\\counter-strike source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\Steam\\steamapps\\quog38\\day of defeat source\\hl2.exe"="C:\\Program Files\\Steam\\steamapps\\quog38\\day of defeat source\\hl2.exe:*:Enabled:hl2"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe"="C:\\Program Files\\THQ\\Dawn of War - Soulstorm\\Soulstorm.exe:*:Enabled:Soulstorm"
"C:\\Program Files\\Gameforge4D\\AirRivals\\Launcher.atm"="C:\\Program Files\\Gameforge4D\\AirRivals\\Launcher.atm:Enabled:GameExe2"
"C:\\Program Files\\Gameforge4D\\AirRivals\\Res-Voip\\SCVoIP.exe"="C:\\Program Files\\Gameforge4D\\AirRivals\\Res-Voip\\SCVoIP.exe:Enabled:GameVoIP"
"C:\\DOCUME~1\\MURRAY~1\\LOCALS~1\\Temp\\win67.exe"="C:\\DOCUME~1\\MURRAY~1\\LOCALS~1\\Temp\\win67.exe:*:Enabled:win67"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\MURRAY~1\MYDOCU~1\PROGRA~1\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 12 Dec 2005 208 A.SHR --- "C:\BOOT.BAK"
Mon 29 Aug 2005 121,240 A..HR --- "C:\Program Files\THQ\Dawn Of War\Disk1CheckW40k.EXE"
Fri 19 Aug 2005 121,237 A..HR --- "C:\Program Files\THQ\Dawn Of War\Disk1Check.EXE"
Fri 18 Jan 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 1 Mar 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT5.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT2.tmp"
Mon 31 Mar 2008 1,714 ...HR --- "C:\Documents and Settings\Murray Shaun\Application Data\SecuROM\UserData\securom_v7_01.bak"
Sun 31 Dec 2006 9,506 A.SH. --- "C:\Documents and Settings\Murray Shaun\My Documents\My Music\License Backup\drmv2key.bak"
Mon 7 Apr 2008 5,946 A.SH. --- "C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE3.tmp"

Finished!

#3 | Monty007 | 04-09-2008, 03:50 AM
Try not to duplicate posts. Did they remove the problem and then the trojan came back, is that correct? Do you happen to know the name of the trojan?

#4 | quog | 04-09-2008, 04:52 AM

duplicate post? =/

From the SDFix log, which is in the 2nd post.
I've had the iSecurity entries return. I reboot when prompted after the scan ends, and I have to load Last Known Good Configuration because it claims Windows shut down wrong.
And SUPERAntiSpyware keeps catching a Vundo variant/resident labeled InprocServer32 which I just can't seem to get rid of.

#5 | Monty007 | 04-09-2008, 08:14 AM
Boot into safe mode and run a full scan.

#6 | quog | 04-09-2008, 03:20 PM
I've done that twice; I also disabled System Restore to get rid of a trojan that was in there.
But I'll do it again. I've tried everything I know, so any suggestion is good.

Also, I was doing some research and it seems that InprocServer32 is a false positive, but I don't see why Ad-Aware would just start picking it up now after I got SUPERAntiSpyware and TrojanHunter... it didn't pick it up beforehand.

#7 | Disk_Contented | 04-09-2008, 05:26 PM
What prog do these belong to:
O4 - HKLM\..\Run: [crwpqbad] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\crwpqbad.dll"
O4 - HKLM\..\Run: [BM27ef44e0] Rundll32.exe "C:\WINDOWS\system32\pdjpkvpp.dll",s

And this:
C:\WINDOWS\iTunesMusic.exe - Deleted
A dangerous trojan. I would try "UnHackMe".
http://www.greatis.com/unhackme/
Followed by Spybot.
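The two O4 entries Disk_Contented singles out (a DLL in All Users\Application Data loaded through regsvr32, and a DLL with a generated-looking name loaded through rundll32), together with the non-empty O20 AppInit_DLLs line and the O23 services that list no publisher, are exactly the kind of thing a small triage script can pull out of a HijackThis log before a human reads the rest. The Python below is an added example, not code from the thread, from HijackThis or from any of the tools mentioned; the sample lines are copied from the log posted in #1, and the scoring weights, the 2-point threshold and the "random-looking name" test are assumptions of mine.

```python
"""Triage heuristics for HijackThis O4 / O20 / O23 lines.

Added example; not code from the thread or from HijackThis. Sample lines
are copied from the log posted in #1; weights and thresholds are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied from the posted HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [crwpqbad] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\crwpqbad.dll"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM27ef44e0] Rundll32.exe "C:\WINDOWS\system32\pdjpkvpp.dll",s
O20 - AppInit_DLLs: iSecurity.cpl
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
# Vendor may be blank ("- -"), so the separator before the path is "-" with optional spaces.
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<vendor>.*?)\s*-\s*(?P<path>[A-Za-z]:\\.+)$")

# Directories a standard user can write to; an autorun that lives there deserves a look.
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\documents and settings\\")
# Signed Windows binaries commonly used to load an arbitrary DLL at logon.
DLL_HOSTS = ("regsvr32", "rundll32")


@dataclass
class Finding:
    kind: str                  # "O4", "O20" or "O23"
    name: str                  # run-key name, AppInit value or service name
    target: str                # executable or DLL path
    reasons: List[str] = field(default_factory=list)
    score: int = 0             # 1 = review, 2 = suspicious, 3+ = likely malicious


def looks_random(token: str) -> bool:
    """Crude 'generated name' test (assumed heuristic): a long alphabetic token
    that is vowel-poor or has a long consonant run, e.g. crwpqbad, pdjpkvpp.
    It also hits some legitimate names, which is why it only adds one point."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in t)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", t)), default=0)
    return vowels / len(t) < 0.2 or longest_run >= 4


def first_path(cmd: str) -> str:
    """First quoted string in a command line, else the first drive-letter path."""
    m = re.search(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.search(r"[A-Za-z]:\\[^\s,]+", cmd)
    return m.group(0) if m else cmd.strip()


def stem(path: str) -> str:
    """File name without directory or extension."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage_o4(name: str, cmd: str) -> Optional[Finding]:
    """Score one Run-key entry; return it only if it reaches the review threshold."""
    target = first_path(cmd)
    f = Finding("O4", name, target)
    if cmd.lower().startswith(DLL_HOSTS):
        f.reasons.append("DLL loaded at logon through a regsvr32/rundll32 host")
        f.score += 2
    if any(d in target.lower() for d in USER_WRITABLE):
        f.reasons.append("lives in a user-writable directory")
        f.score += 2
    if looks_random(name) or looks_random(stem(target)):
        f.reasons.append("random-looking name")
        f.score += 1
    return f if f.score >= 2 else None


def triage(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and collect the entries worth a second look."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            if f := triage_o4(m["name"], m["cmd"]):
                findings.append(f)
        elif m := O20_RE.match(line):
            value = m["value"].strip()
            if value:  # AppInit_DLLs is normally empty on XP
                findings.append(Finding("O20", value, value,
                                        ["AppInit_DLLs injects this DLL into every process that loads user32.dll"], 3))
        elif m := O23_RE.match(line):
            if m["vendor"].strip() in ("", "Unknown owner"):
                findings.append(Finding("O23", m["svc"], m["path"],
                                        ["service lists no identifiable publisher"], 1))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} score={f.score} {f.name!r} -> {f.target}")
        for r in f.reasons:
            print("    -", r)
```

On the sample the script surfaces crwpqbad (loader host, user-writable path, random name), BM27ef44e0 (loader host, random DLL name), the iSecurity.cpl AppInit entry, and the two publisher-less services, while ehTray and AVG7_CC pass. The O23 hits are deliberately scored low: "Unknown owner" only means the binary carries no recognisable vendor string (ATI Smart is a legitimate ATI component), so they are review items, not verdicts, and the same caution applies to the name heuristic, which is why it never flags an entry on its own.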

#8 | quog | 04-10-2008, 02:30 AM
I just finished running my safe mode scans and the only thing that came up was a virus already in the TrojanHunter quarantine file, k99vb.dat.
Nothing's changed, I'm still getting the popups, and after changing to FF it's now hanging/crashing like IE7 did, or I get multiple redirects out of nowhere, especially when using Google. Also, now I'm getting AVG warnings for these two files:

@Disk, I have no clue =/
Downloading UnHackMe and Spybot now though.

#9 | Monty007 | 04-10-2008, 03:18 AM
OK, I have found the fix for Vundo. Before starting, back up ALL your important docs to a CD etc. http://www.bleepingcomputer.com/forums/topic18610.html
It's under removal steps.

#10 | Monty007 | 04-10-2008, 03:39 AM
And here is some info on the Lop trojan. Just follow the steps, but of course you AVG: http://www.symantec.com/security_res...421-99&tabid=3

#11 | quog | 04-10-2008, 03:55 AM
OK, I ran UnHackMe. It cleared a few things that weren't before, but now I'm stuck in a loop on reboot with it telling me to delete two files, so when I do it repeats, saying they weren't deleted...
which are iSecurity.cpl and " .exe", that's a blankspace.exe.

Also, I ran the first option of the bleepingcomputer.com Vundo removal and it found nothing at all.
Going to reboot and see if everything's fixed.

#12 | Disk_Contented | 04-10-2008, 05:52 PM
The two images you posted are from files from your IE cache, quog. You are either picking these up from the net, or they are resident on your machine.
Go to your internet options and tick the options shown in my pic.


I found some info courtesy of Majorgeeks.com. They have a different route you can follow. Please see this page.
http://forums.majorgeeks.com/showthread.php?p=1130848