Hacktool.rootkit
My Norton Security regularly warns me of a Hacktool.rootkit infection but is unable to delete the file. This results in a continual Norton warning pop-up referring to the infection. Following the solutions posted for other members I have downloaded HIJACKTHIS.exe and, after scanning my computer, I am posting the log file below. In anticipation of a quick reply.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:47 AM, on 9/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BF9C680-6DC0-4CB4-8CDC-EA9B84497071}: NameServer = 203.187.192.12,203.187.192.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{B2318EBA-CA60-4F3D-AC25-594B315BB612}: NameServer = 203.109.127.23 203.187.192.12
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe
--
End of file - 6204 bytes
Last edited by KUMAR AVI; Sep 8th, 2007 at 8:17 pm. Reason: spelling mistake
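The helper's triage of the log above comes down to two questions: which autorun (O4) entries point at a binary nobody has vouched for, and which services (O23) carry no vendor string. The following is an added example, not code from the thread or from HijackThis, that parses O4 and O23 lines of this format and applies those two checks. The sample lines are copied from the log above; the `REVIEWED_IMAGES` allowlist is a constructed stand-in for whatever an analyst has already verified.

```python
"""Parse HijackThis-style O4 (Run key) and O23 (service) lines and flag the
entries an analyst has not yet vouched for.  Added example; not part of the
thread or of the HijackThis tool."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Tuple

# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe
"""

# Constructed allowlist (an assumption for this example): lower-cased image
# names the analyst has already reviewed and accepted.
REVIEWED_IMAGES = {"igfxtray.exe", "ccapp.exe", "launch~1.exe", "ctfmon.exe"}


@dataclass
class Autorun:
    hive: str   # HKLM or HKCU
    name: str   # the Run value name shown in [brackets]
    image: str  # executable path with surrounding quotes stripped
    args: str   # whatever followed the executable


@dataclass
class Service:
    name: str
    owner: str  # vendor string HijackThis prints, or "Unknown owner"
    image: str


O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$')
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.+?) - (.*)$')


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the image path from its arguments.  Quoted paths end at the
    closing quote; unquoted ones (which may contain spaces) end at '.exe'."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r'(.*?\.exe)\s*(.*)$', cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2)
    return cmd, ""


def parse_log(text: str) -> Tuple[List[Autorun], List[Service]]:
    autoruns, services = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            image, args = split_command(m.group(3))
            autoruns.append(Autorun(m.group(1), m.group(2), image, args))
        elif m := O23_RE.match(line):
            services.append(Service(m.group(1), m.group(2), m.group(3)))
    return autoruns, services


def triage(text: str, reviewed_images: set) -> List[Tuple[str, str, str]]:
    """Return (kind, name, image) for every autorun whose image is not on the
    reviewed list and every service with no recorded vendor."""
    autoruns, services = parse_log(text)
    findings = []
    for a in autoruns:
        if PureWindowsPath(a.image).name.lower() not in reviewed_images:
            findings.append(("O4", a.name, a.image))
    for s in services:
        if s.owner.lower() == "unknown owner":
            findings.append(("O23", s.name, s.image))
    return findings


if __name__ == "__main__":
    for kind, name, image in triage(SAMPLE_LOG, REVIEWED_IMAGES):
        print(f"{kind:<4} {name:<40} {image}")
```

Run against the sample, the only O4 entry left over is `[avpa] C:\WINDOWS\system32\avpo.exe`, the same line the helper later asks to fix, and the only service flagged is the one HijackThis itself printed as "Unknown owner". An allowlist keyed on image names is deliberately simple: it does not tell you an entry is malicious, only that nobody has looked at it yet.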
Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.
C:\WINDOWS\system32\avpo.exe
At virustotal select the analysis button then the choose button. A window will pop up where you can navigate to the file in question. You need to go to your C drive then the WINDOWS folder then the system32 folder and locate the file there.
Make certain that you have hidden files set to show.
It is virtually the same thing at Jotti's.
Last edited by crunchie; Sep 9th, 2007 at 6:38 am.
File avpo.exe received on 09.09.2007 11:51:38 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2007.9.8.0 2007.09.07 -
AntiVir 7.6.0.5 2007.09.08 TR/Crypt.NSPM.Gen
Authentium 4.93.8 2007.09.07 -
Avast 4.7.1043.0 2007.09.08 -
AVG 7.5.0.485 2007.09.08 PSW.OnlineGames.HXY
BitDefender 7.2 2007.09.09 Trojan.PWS.Onlinegames.NEC
CAT-QuickHeal 9.00 2007.09.08 TrojanPSW.OnLineGames.blt
ClamAV 0.91.2 2007.09.09 -
DrWeb 4.33 2007.09.08 modification of Win32.Besso
eSafe 7.0.15.0 2007.09.04 Win32.OnLineGames.bl
eTrust-Vet 31.1.5119 2007.09.08 Win32/NSAnti
Ewido 4.0 2007.09.08 -
FileAdvisor 1 2007.09.09 -
Fortinet 3.11.0.0 2007.09.08 W32/OnLineGames.BLT!tr.pws
F-Prot 4.3.2.48 2007.09.07 -
F-Secure 6.70.13030.0 2007.09.09 Trojan-PSW.Win32.OnLineGames.blt
Ikarus T3.1.1.12 2007.09.09 Trojan-PWS.OnlineGames.NEC
Kaspersky 4.0.2.24 2007.09.09 Trojan-PSW.Win32.OnLineGames.blt
McAfee 5115 2007.09.07 PWS-LegMir
Microsoft 1.2803 2007.09.09 TrojanDropper:Win32/Agent!DDD9
NOD32v2 2515 2007.09.09 Win32/PSW.Agent.NDP
Norman 5.80.02 2007.09.07 W32/OnlineGames.gen31
Panda 9.0.0.4 2007.09.09 W32/Lineage.FGT.worm
Prevx1 V2 2007.09.09 Heuristic: Suspicious Self Modifying EXE
Rising 19.39.62.00 2007.09.09 -
Sophos 4.21.0 2007.09.09 -
Sunbelt 2.2.907.0 2007.09.07 -
Symantec 10 2007.09.09 -
TheHacker 6.1.10.182 2007.09.08 Trojan/PSW.OnLineGames.blt
VBA32 3.12.2.4 2007.09.08 -
VirusBuster 4.3.26:9 2007.09.08 Trojan.PWS.OnLineGames.BBJ
Webwasher-Gateway 6.0.1 2007.09.08 Trojan.Crypt.NSPM.Gen
Additional information
File size: 67745 bytes
MD5: d9ddbe2dd4fec98bfc78c7266654ea20
SHA1: b79128928f4ac77b389edff5fcbeabb8cfcf1c4d
Prevx info: http://fileinfo.prevx.com/fileinfo.a...11210060B7271B
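What an analyst takes from a table like the one above is the detection count and whether the engines that do fire agree on a family, even though each vendor spells its label differently (OnLineGames, Onlinegames, OnlineGames). The following is an added example, not code from the thread or from VirusTotal, that parses rows in the "Engine Version LastUpdate Result" form, counts detections, and votes on family tokens after stripping class and platform words. The rows are a subset copied from the results above; the `GENERIC` stoplist is a hand-picked assumption for this example, not a standard list.

```python
"""Summarise a multi-engine scan table: detection ratio and family consensus.
Added example; not part of the thread or of any scanning service."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Sample input: a subset of the rows posted in the thread (copied, not rescanned).
SAMPLE_RESULTS = """
Antivirus Version Last Update Result
AntiVir 7.6.0.5 2007.09.08 TR/Crypt.NSPM.Gen
Authentium 4.93.8 2007.09.07 -
AVG 7.5.0.485 2007.09.08 PSW.OnlineGames.HXY
BitDefender 7.2 2007.09.09 Trojan.PWS.Onlinegames.NEC
ClamAV 0.91.2 2007.09.09 -
DrWeb 4.33 2007.09.08 modification of Win32.Besso
Kaspersky 4.0.2.24 2007.09.09 Trojan-PSW.Win32.OnLineGames.blt
Microsoft 1.2803 2007.09.09 TrojanDropper:Win32/Agent!DDD9
Prevx1 V2 2007.09.09 Heuristic: Suspicious Self Modifying EXE
Symantec 10 2007.09.09 -
"""

DATE_RE = re.compile(r"^\d{4}\.\d{2}\.\d{2}$")

# Words that name a class or platform rather than a family.  Chosen by hand
# for this example (an assumption); a real pipeline would maintain its own.
GENERIC = {"trojan", "trojandropper", "pws", "psw", "win32", "generic",
           "heuristic", "modification", "agent", "worm", "virus"}


@dataclass
class Row:
    engine: str
    version: str
    updated: str
    result: str  # "-" when the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


def parse_results(text: str) -> List[Row]:
    """Engine, version and date never contain spaces; the result may, so the
    line is split into at most four fields and the date column is used to
    skip the header."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and DATE_RE.match(parts[2]):
            rows.append(Row(*parts))
    return rows


def detection_ratio(rows: List[Row]) -> Tuple[int, int]:
    return sum(r.detected for r in rows), len(rows)


def family_tokens(label: str) -> set:
    """Lower-case the label, split on punctuation, drop short variant
    suffixes (blt, NEC, HXY) and generic class words."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    return {t for t in tokens if len(t) >= 4 and t not in GENERIC}


def family_consensus(rows: List[Row]) -> List[Tuple[str, int]]:
    """One vote per detecting engine per token, most agreed-on token first."""
    votes: Counter = Counter()
    for r in rows:
        if r.detected:
            votes.update(family_tokens(r.result))
    return votes.most_common()


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines detected the file")
    for token, count in family_consensus(rows)[:3]:
        print(f"  {token}: {count} engine(s)")
```

On the sample subset 7 of 10 engines fire and "onlinegames" is the only token more than one engine agrees on, which matches how the helper treats the file: a password-stealer rather than the "rootkit" name Norton attached to it. Single-engine tokens such as "besso" or "nspm" are kept in the tally so the disagreement stays visible rather than being averaged away.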
Can you please do the following.
===============
Scan with HijackThis and then place a check next to all the following, if present:
O4 - HKCU\..\Run: [avpa] C:\WINDOWS\system32\avpo.exe
Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".
===============
Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:
files...
C:\WINDOWS\system32\avpo.exe
-
Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear.
- Reboot.
===============
Please download and install AVG antispyware tool.
- Close all other applications, select your language and click OK.
- Click I Agree.
- Click Next.
- Click Install.
- Click Finish.
- Wait and AVG antispyware will open to the main screen automatically.
- Wait again a few minutes and AVG antispyware should auto-update itself. If it doesn't, click Update at the top of the screen.
- It is very important that you get updated.
- When updating has finished, close AVG antispyware.
- Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
- Instead of Windows loading as normal, a menu should appear; use the up arrow to highlight the first option, to run Windows in Safe Mode, and hit Enter.
- For additional help in booting into Safe Mode, see the following site: HERE
You MUST manage to get into Safe Mode for the fix to work.
- Run AVG antispyware.
- Click on Scanner at the top of the AVG antispyware screen.
- Click on Settings.
- Under How to Act, click on Recommended Action and choose Quarantine.
- Under How to scan, all boxes should be selected.
- Under Possibly unwanted software, all boxes should be selected.
- On the right side under Reports, click on Do not automatically generate report after every scan.
- Under What to scan, select Scan every file.
- Click on the Scan tab.
- Click on Complete system scan.
- Let the program scan the machine. It can take a while; give it time.
- When the scan has finished, at the bottom of the screen click Apply all Actions.
- Click Save report.
- Click Save Report as (a Save As window should pop up).
- Click Desktop.
- Click Save.
- Exit AVG antispyware.
Post the log here.
====
After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
Last edited by crunchie; Sep 9th, 2007 at 7:02 am.
The report of AVG anti-spyware scanning in safe-mode is as follows:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:11:20 PM 9/9/2007
+ Scan result:
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@connextra[1].txt -> TrackingCookie.Connextra : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@search.live[1].txt -> TrackingCookie.Live : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@auto.search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
D:\firefox-virus\std.txt -> Worm.AHKHeap.a : Cleaned.
::Report end
As instructed earlier, I am still unable to view hidden files and folders, and therefore cannot delete the avpo.exe file in Safe Mode either. My Norton antivirus warns me of Hacktool.rootkit and says that it has blocked it, with the file wincab.sys as the culprit, but I am still unable to locate the file. This virus just doesn't seem to go.
I have on my system Norton 2007 antivirus and ZoneAlarm as security measures, and now I also have AVG antispyware installed as instructed, but the problem still reoccurs.
Download SDFix and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, a menu with options should appear.
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
- In Safe Mode, right click the SDFix.zip folder and choose Extract All.
- Open the extracted folder and double click RunThis.bat to start the script.
- Type Y to begin the script.
- It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
- Press any Key and it will restart the PC.
- Your system will take longer than normal to restart as the fixtool will be running and removing files.
- When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
- Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.
====
Here is Symantec's removal process: http://www.symantec.com/security_res...057-99&tabid=3