April 30th, 2008, 09:42 PM   #1
Banned
 
Join Date: Apr 2008
Posts: 18
trojan/keylogger

I need some help. I have a movie that won't play in any of my media players, so I figured I'm missing a codec, so I googled "vls codec" and my stupid ass didn't look at the actual URL. Now I have some porn trojan: whenever I search something on Google, porn pops up, or a warning that looks like a Windows warning about adware on my computer and tells me to download something, but it's just another trojan or keylogger.
I have NOD32 and it's not detecting it. I downloaded and installed Spyware Doctor; it detected some things and I deleted them. The trojan is still there though. I used Ad-Aware; nothing is getting rid of this thing. What do I do? I have also started in safe mode and did a scan and still nothing. I have emptied my temp files in IE and used CCleaner as well as PC Pitstop. Here is my log file from HijackThis:
hijackthis.log: http://h1.ripway.com/crowndroyal/hijackthis.log


1. I am using XP SP2.
2. I'm not sure on the motherboard model and number, but I'm sure it's not that important to diagnose this problem.


Last edited by crowndroyal : April 30th, 2008 at 11:17 PM.
crowndroyal is offline  
April 30th, 2008, 10:04 PM   #2
Super Stealthy Moderator
Join Date: Jan 2003
Location: Outside the box
Posts: 4,330
Blog Entries: 4
As I just recommended for another user:

Quote:
Originally Posted by RicheemxX
Run all your scans in safe mode; when deleting the bad files, make sure you turn off System Restore. If none of the spyware tools work, try an online virus scanner like Trend Micro's HouseCall.
__________________
“Every question involves someone having to work for an answer, isn't it about time you did your share”
"The true measure of a man is the degree to which he has managed to subjugate his ego."

RicheemxX is online now  
April 30th, 2008, 10:18 PM   #3
Banned
Join Date: Apr 2008
Posts: 18
Quote:
Originally Posted by RicheemxX
As I just recommended for another user:

Run all your scans in safe mode; when deleting the bad files, make sure you turn off System Restore. If none of the spyware tools work, try an online virus scanner like Trend Micro's HouseCall.

Not to sound rude, but did you read my post? I did all my scans in safe mode. I have used everything I know that's top notch out there to remove this trojan and it's not getting rid of it. HENCE WHY I GAVE A LINK TO MY LOG FILE FROM HIJACKTHIS to look over, as I am not gonna mess with it; I'm experienced, but not that experienced.
For further info, here is the detailed analysis that was posted:

http://www.hijackthis.de/index.php?l...ct=english#anl


Last edited by crowndroyal : April 30th, 2008 at 10:27 PM.
crowndroyal is offline  
April 30th, 2008, 10:29 PM   #4
Super Stealthy Moderator
Join Date: Jan 2003
Location: Outside the box
Posts: 4,330
Blog Entries: 4
I think I must be beating my head against a wall with people today.

Paste your log file here: http://www.hijackthis.de/index.php?langselect=english
Delete anything nasty; if you don't feel comfortable doing so, then paste it in the thread. Sorry, but your link doesn't work and I'm not loading a file from someone with a virus...

Turn off System Restore when you delete the files; viruses will hide there, and restoring to an older point is more than likely not going to help. Run all of your scans in safe mode. I know you said you did one, but one of what?

If you know the name of the virus, posting that would be helpful.

Edit: you just pasted another empty link. Either copy and paste the entire log in a post or simply remove the things it says are nasty.

Last edited by RicheemxX : April 30th, 2008 at 10:35 PM.
RicheemxX is online now  
April 30th, 2008, 10:40 PM   #5
Banned
Join Date: Apr 2008
Posts: 18
Quote:
Originally Posted by RicheemxX
I think I must be beating my head against a wall with people today.

Paste your log file here: http://www.hijackthis.de/index.php?langselect=english
Delete anything nasty; if you don't feel comfortable doing so, then paste it in the thread. Sorry, but your link doesn't work and I'm not loading a file from someone with a virus...

Turn off System Restore when you delete the files; viruses will hide there, and restoring to an older point is more than likely not going to help.

If you know the name of the virus, posting that would be helpful.

Edit: you just pasted another empty link. Either copy and paste the entire log in a post or simply remove the things it says are nasty.

System Restore is off; it's always been off. I turned it off from day one of building my PC. None of the files below were named nasty. Look, I think you're thinking of me as a fool and someone who doesn't know what they're doing. I know what I'm doing; this is the first time I have been infected with something on this scale in 4 years. I have never used HijackThis, nor do I want to mess with anything. I will do a screenshot of the file it's wanting me to download, like every time I open a new page or go into the Start menu.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:38 PM, on 4/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\vsnpt513.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SSVHelper - {907C8FB0-1205-4189-99C9-9E8DA884B0B0} - C:\WINDOWS\ssvakus.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
--
End of file - 7299 bytes

Screenshots are coming of the actual file it's wanting me to download.

DOES THIS HELP ANY? What's really baffling me is how Google Toolbar etc. is on there, because I know I have not installed it with any apps.

Last edited by crowndroyal : April 30th, 2008 at 11:00 PM.
crowndroyal is offline  
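A triage pass over HijackThis-style log lines like the ones pasted above, as an added example that is not from the thread, the poster, or HijackThis itself. The sample lines, file names and GUIDs are constructed placeholders, and the three rules (BHO with a missing file, an LSP HijackThis cannot identify, a file loading straight from the Windows root) are hints for what to inspect by hand, not malware verdicts; call `triage(SAMPLE_LOG)` to get the list.

```python
import re

# Constructed sample lines in the HijackThis O2/O4/O10/O23 format seen in the
# thread. File names and GUIDs here are placeholders, not the poster's entries.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Example Sign-in Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Example\ExampleLogin.dll",
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)",
    r"O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\examplehlp.dll",
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r"O4 - HKLM\..\Run: [exmpl] C:\WINDOWS\exmpl.exe",
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\examplelsp.dll",
    r"O23 - Service: Example Service (ExSvc) - Example Vendor - C:\Program Files\Example\exsvc.exe",
])

# Every HijackThis entry starts with a section code such as O2, O4, O10, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def extract_path(section, body):
    """Pull the file path out of an entry body; '' if the section has none."""
    if section in ("O2", "O23"):
        return body.rsplit(" - ", 1)[-1].strip()
    if section == "O4":
        cmd = body.split("] ", 1)[-1]  # text after the [RunKeyName]
        return cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
    if section == "O10":
        return body.split(": ", 1)[-1].strip()
    return ""


def in_windows_root(path):
    """True for a file sitting directly in the Windows directory, not a subfolder."""
    return re.match(r"^[a-z]:\\windows\\[^\\]+$", path.lower()) is not None


def triage(log_text):
    """Return (section, reason, line) for entries that deserve a manual look.
    These are review hints, not malware verdicts."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # R0/R1 lines and the header are skipped here
        section, body = m.groups()
        path = extract_path(section, body)
        if section == "O2" and path == "(no file)":
            findings.append((section, "BHO registered but its DLL is missing (orphaned entry)", line))
        elif section == "O10":
            findings.append((section, "Winsock LSP HijackThis could not identify; verify the file", line))
        elif section in ("O2", "O4", "O23") and in_windows_root(path):
            findings.append((section, "loads from the Windows root instead of Program Files or system32", line))
    return findings
```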
April 30th, 2008, 11:14 PM   #6
Super Stealthy Moderator
Join Date: Jan 2003
Location: Outside the box
Posts: 4,330
Blog Entries: 4
Oddly enough, you have the same virus lolper has over here: http://www.techimo.com/forum/t207608.html

You might try http://siri.geekstogo.com/SmitfraudFix.php

Other than that, as I suggested over there, there are some manual removal instructions posted on a few sites. I don't recommend downloading anything from here, but you could try this: http://www.411-spyware.com/remove-ie-antivirus-3-2

Last edited by RicheemxX : April 30th, 2008 at 11:26 PM.
RicheemxX is online now  
April 30th, 2008, 11:24 PM   #7
Banned
Join Date: Apr 2008
Posts: 18
Quote:
Originally Posted by RicheemxX
Oddly enough, you have the same virus lolper has over here: http://www.techimo.com/forum/t207608.html

You might try http://siri.geekstogo.com/SmitfraudFix.php

Other than that, as I suggested over there, there are some manual removal instructions posted on a few sites. I don't recommend downloading anything from here, but you could try this: http://www.411-spyware.com/remove-ie-antivirus-3-2

Well, sorry for the double topic. Also, did you get a chance to look at my analyzer of the log file? Is there anything in there I can actually delete and get rid of? Stuff that's not necessary; I saw a few things but want to double check.
crowndroyal is offline  
April 30th, 2008, 11:37 PM   #8
Ultimate Member
Join Date: Mar 2005
Location: Out of my mind
Posts: 2,739
Better be nice to the Ninja Mod or you will be toast! LOL.

That being said, I strongly suggest a daily backup routine to an external drive. Worst case scenario is you lose 24 hours of data/changes.

Been in your situation and paid the price of having to reformat. Now I back up daily to TWO external drives... cheap insurance IMO.
Rootstonian is online now  
April 30th, 2008, 11:51 PM   #9
Banned
Join Date: Apr 2008
Posts: 18
Quote:
Originally Posted by Rootstonian
Better be nice to the Ninja Mod or you will be toast! LOL.

That being said, I strongly suggest a daily backup routine to an external drive. Worst case scenario is you lose 24 hours of data/changes.

Been in your situation and paid the price of having to reformat. Now I back up daily to TWO external drives... cheap insurance IMO.

And I'm being about as nice as I can concerning my current situation.

I can't even google the darn removal page; when I try to navigate to it myself, I keep getting more malware program spoof sites.

Last edited by crowndroyal : April 30th, 2008 at 11:58 PM.
crowndroyal is offline  
April 30th, 2008, 11:52 PM   #10
Ultimate Member
Join Date: Mar 2005
Location: Out of my mind
Posts: 2,739
And YOUR point is? You learned how to quote?
Rootstonian is online now  
TechIMO Copyright 2008 All Enthusiast, Inc.