Need help Backdoor flood!!
I used the Merijn HJT tutorial to identify many problems, from start/search pages to auto-loading programs, BHOs (R0s to O18s) to extra protocols.
I was able to eliminate many things going on; however, there is something more evil lurking in the background and the Trojans are popping up all over. I can't get it under control fast enough to slow it down enough to see what's what.
I think there is a lot of crap happening in the section before the R0s, in the section called "Running processes", which I suspect may be repopulating the viruses, causing an out-of-control spiral.
AVG & Norton can't get it under control and CWShredder says it's not a CoolWebSearch variant. Some of the stuff detected is: TH Downloader.Small.9x, Backdoor.SdBot.69.Ag (changes variations by the minute), Startpage.11.A, Proxy.7.F and the very persistent Backdoor.Flood.
Merijn, I think, removed the articles regarding evaluating "Running processes". Probably everything after the "D:\Downloads F\Tech Support\HijackThis.exe" line is bad.
Even though I would like to be independent and solve this problem on my own, I need help on this desperately, please.
Updated Win 2000 Pro on a P3-450 & 256 MB RAM.
Logfile of HijackThis v1.97.7
Scan saved at 10:26:41 AM, on 31/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
D:\Picasa\PicasaMediaDetector.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
c:\winnt\system32\ekrlgc\p0rd.exe
c:\winnt\system32\detr\beird.exe
c:\winnt\system32\qpalsp\palsp.exe
c:\winnt\system32\detr\wshield.exe
c:\winnt\system32\ekrlgc\wshield.exe
c:\winnt\system32\qpalsp\wshield.exe
D:\Downloads F\Tech Support\HijackThis.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\alte.exe
c:\winnt\system32\qpalsp\alte.exe
c:\winnt\system32\qpalsp\alte.exe
c:\winnt\system32\qpalsp\alte.exe
c:\winnt\system32\qpalsp\alte.exe
c:\winnt\system32\ekrlgc\alte.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\explorx.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\explorx.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\explorx.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Pop-Up Stopper] "D:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Openwares LiveUpdate] C:\Program Files\LiveUpdate\LiveUpdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LifeScape Media Detector] D:\Picasa\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Installs SP4] c:\winnt\system32\ekrlgc\repcale.exe c:\winnt\system32\ekrlgc\p0rd.exe
O4 - HKLM\..\Run: [PreInstall Windows] c:\winnt\system32\detr\repcale.exe c:\winnt\system32\detr\beird.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Installs SP2] c:\winnt\system32\qpalsp\repcale.exe c:\winnt\system32\qpalsp\palsp.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKLM\..\RunServices: [ActiveX Streamer] msgfix.exe
O4 - HKLM\..\RunServices: [Reek 32 Server] reek32.exe
O4 - HKLM\..\RunServices: [Installs SP4] c:\winnt\system32\ekrlgc\repcale.exe c:\winnt\system32\ekrlgc\p0rd.exe
O4 - HKLM\..\RunServices: [PreInstall Windows] c:\winnt\system32\detr\repcale.exe c:\winnt\system32\detr\beird.exe
O4 - HKCU\..\Run: [Installs SP4] c:\winnt\system32\ekrlgc\repcale.exe c:\winnt\system32\ekrlgc\p0rd.exe
O4 - HKCU\..\Run: [PreInstall Windows] c:\winnt\system32\detr\repcale.exe c:\winnt\system32\detr\beird.exe
O4 - HKCU\..\Run: [Installs SP2] c:\winnt\system32\qpalsp\repcale.exe c:\winnt\system32\qpalsp\palsp.exe
O4 - HKCU\..\RunServices: [Installs SP4] c:\winnt\system32\ekrlgc\repcale.exe c:\winnt\system32\ekrlgc\p0rd.exe
O4 - HKCU\..\RunServices: [PreInstall Windows] c:\winnt\system32\detr\repcale.exe c:\winnt\system32\detr\beird.exe
O4 - HKCU\..\RunServices: [Installs SP2] c:\winnt\system32\qpalsp\repcale.exe c:\winnt\system32\qpalsp\palsp.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {48F22476-0F08-43D8-BAA3-83AD77BD2582} (LLInstall Class) - http://142.31.52.223/learnlinc/download/LL7Inst.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2376c146...p/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/1...ll/xscan53.cab
O16 - DPF: {9D5B6642-8C3F-4504-B2FC-42779ABAE4B9} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...591.9621527778
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - http://www.microsoft.com/security/controls/SassCln.CAB
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
Thank you in advance
Thank you,
:lol: AJE
________________________________________________________________
" Persistence can change failure into extraordinary achievement."
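A triage script for the log format above, added here as an example (not from the original thread and not part of HijackThis): it parses the "Running processes" section and the O4 lines and flags the patterns the poster suspected, namely executables running from oddly named subfolders of system32, the same image running several times, Run values that chain two executables, bare filenames with no path, and entries under the RunServices key. The sample excerpt is constructed from lines of the log above, and the allowlist of legitimate system32 subfolders is an assumption.

```python
import re
from collections import Counter

# Constructed excerpt: lines copied from the HijackThis log in the post above, embedded
# so the script runs offline without the full log.
SAMPLE_LOG = r"""Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\winnt\system32\ekrlgc\p0rd.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\repcale.exe
c:\winnt\system32\qpalsp\alte.exe
c:\winnt\system32\qpalsp\alte.exe
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Installs SP4] c:\winnt\system32\ekrlgc\repcale.exe c:\winnt\system32\ekrlgc\p0rd.exe
O4 - HKLM\..\RunServices: [Configuration Loader] svchostss.exe
O4 - HKCU\..\Run: [Installs SP2] c:\winnt\system32\qpalsp\repcale.exe c:\winnt\system32\qpalsp\palsp.exe
"""
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
EXE_RE = re.compile(r'"[^"]+\.exe"|\S+\.exe', re.IGNORECASE)
# Assumed allowlist of system32 subfolders that legitimately host running executables.
KNOWN_SYSTEM32_SUBDIRS = {"wbem", "spool", "dllcache"}

def parse_hjt(text):
    """Split a HijackThis log into the running-process list and the O4 autorun entries."""
    processes, autoruns, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        m = O4_RE.match(line)
        if line.lower() == "running processes:":
            in_procs = True
        elif m:
            in_procs = False
            hive, key, name, cmd = m.groups()
            autoruns.append({"hive": hive, "key": key, "name": name, "command": cmd})
        elif re.match(r"^[A-Z]\d+ - ", line):  # first R/F/O entry ends the process list
            in_procs = False
        elif in_procs and line:
            processes.append(line)
    return processes, autoruns

def nested_under_system32(path):
    """True when an exe sits in an unexpected subfolder of system32 (the qpalsp/ekrlgc/detr pattern)."""
    low = path.lower().replace("/", "\\")
    i = low.find("\\system32\\")
    if i < 0:
        return False
    rest = low[i + len("\\system32\\"):].split("\\")
    return len(rest) > 1 and rest[0] not in KNOWN_SYSTEM32_SUBDIRS

def triage(text):
    """Return (category, detail) findings a responder would examine first."""
    processes, autoruns = parse_hjt(text)
    findings = [("nested-system32", p) for p in sorted(set(processes)) if nested_under_system32(p)]
    for path, n in Counter(p.lower() for p in processes).items():
        if n > 1:  # the same image running several times over is itself a tell
            findings.append(("duplicate-process", f"{path} x{n}"))
    for a in autoruns:
        exes = EXE_RE.findall(a["command"])
        if a["key"].lower() == "runservices":  # Win9x-only key; NT ignores it, malware still writes it
            findings.append(("runservices-key", a["name"]))
        if len(exes) > 1:  # one Run value launching two executables
            findings.append(("chained-launch", a["name"]))
        for e in exes:
            if "\\" not in e:  # bare filename: resolved via the search path, no fixed location
                findings.append(("bare-filename", f"{a['name']}: {e}"))
            elif nested_under_system32(e.strip('"')):
                findings.append(("nested-system32", f"{a['name']}: {e}"))
    return findings
```

Call `triage(open("hijackthis.log").read())` on a saved log to get the same findings for a full file; the categories are starting points for review, not verdicts.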
Reboot the computer, hit the F8 key to enter Safe Mode, and run all the scan programs in Safe Mode.
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Originally Posted by caperjack
Reboot the computer, hit the F8 key to enter Safe Mode, and run all the scan programs in Safe Mode.
AVG did not find any virus while in Safe Mode, but I know they are still there. Maybe a review of my HJT log will help.
Thank you in advance.
Thank you,
:lol: AJE
________________________________________________________________
" Persistence can change failure into extraordinary achievement."
Try these 2 programs.
Ad-Aware and Spybot
Download the latest version of Ad-Aware at ADAWARE
Set up Ad-Aware.
After installing AAW, and before running the program, update reference files by using the bottom right button in the program, labeled "Check for Updates."
Launch the program, and click on the Gear at the top of the start screen.
Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.
Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.
Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.
Download SPYBOT
After installing Spybot S&D, update it by using the "Update" button on the left panel of the program. Search for updates and download anything it finds.
How to set up Ad-Aware and Spybot S&D (link not working):
http://www.zerosrealm.com/scanning.php
And after that, please do the following:
Reboot the computer and post a new log.
Also get the TrojanRemover demo here, a fully working demo.
http://www.misec.net/trojanhunter/
This is a sneaky bugger. I found the parent file in XP in Documents and Settings under the account name in an installer file called 6SPIRE.EXE. The registry actually had it listed, but it was so hard to find because it was at the end of a very long command line. Within the parent was emoti.bat and umnz.exe, which were installed elsewhere and easy to find in System32. Matching dates corresponded to h2m6w5s.exe and ttuh.exe which were hiding as system files and were indicated in msconfig but not obvious. Although I removed the problem manually by good observation, I used the latest version of AVG 7 Beta 2 to give me confirmation of my suspicions.