trojan back door program

[pcfool]

ok, let take some time to explain from begining,,,
last week i help a friend of my brother reformat a pc, when he come to me with his CPU, he told me to backup his data first. he told me that his cd writer not working so he can't do a backup. so what i do is i backup his data to my portable hard drive( i know this is stupid and i'll never do it again )
after i completed install windows for his pc. i copy the backup to his pc, and i delete the backup file in my portable hard drive. then i connect the portable hard drive to my pc without doing antivirus scan. the next day y AVG antivirus alert me virus thread found in my pc. at that moment i'm not taking serius about the alert because it already heal by AVG. and i found that my system run normally.
ok, untill this stage, my system using windows 2k sp4. AVG 7.5 free adition. 40 gb IDE seagate as system hard drive, 160gb SATA seagate as data storage hard drive. 40 gb portable usb hard drive. others detail i think not important here.

last sunday my friend ask me to help him test a sound card problem.creative sound blaster X-Fi, (this is another issue, creative forum have thousand of topic regarding it.) because of this, i get a 20gb maxtor hard drive(emty and clean) plug in my system as primary master(my 40gb seagate go to slave) install win xp sp2, ( X-Fi run good on xp sp2, according creative tech guy),install sound card driver and everything needed.
after this, my problem comming, AVG antivirus keep pop up saying that trojan thread found, (in internet temporary folder, file name "DUP5.exe", "c.exe", "w.exe" and many more), i disable system restore, go to safe mode scan all drive with AVG antivirus, and it did found and heal it. reboot and start normal to windows, virus still found again, and my pc very slow. press CTR+ALT+DEL , go to task manager, performance, my cpu usage is 100%, my system didn't running any application at that moment.

help me guy and girl , please, don't tell me to clean out all the drive. i don't care the 20gb maxtor, 40gb seagate or 40gb usb drive, what i care is the 160gb SATA drive. appreciate for any suggestion . Thanks!

[dl65]

 pcfool......  ok ........ You say that you have run AVG in safe mode and it removed some bad stuff ....... good
But the machine is still not running very good ..... Probably there are still some nasties on it .........

Hopefully you still have system restore turned off .........

Next d/l and install ( if you don't already have them ).........
ccleaner ....  http://www.filehippo.com/download_ccleaner/  
Ewido/AVG antispyware ....... http://free.grisoft.com/doc/20/lng/us/tpl/v5
Hijackthis ....... http://www.majorgeeks.com/download3155.html

once these are D/L and installed .........
Run ccleaner from normal mode ....... ( run both the cleaner and the issues ) remove what ever is found .
Next ......reboot into SAFE mode....... and run AVG antispyware ..... remove anything found .
Run AVG anti virus ....as well ...... then run a hijackthis scan and save the logfile ......
Reboot back into normal mode and post the hijackthis log here .

dl65  

[pcfool]

thanks for your reply, i'll try this after work, i in my office now.

[pcfool]

sorry for late reply, i take out the xp sp2, use back win 2k
here's my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 3:31:24 AM, on 1/25/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\unzipped\hijackthis\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1167445052687
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

[dl65]

 pcfool........

sorry for late reply, i take out the xp sp2, use back win 2k

 

? why would you remove XP/SP2 ? that makes no sense ...... What are you not telling us ?

So , does that mean you reformatted the drive and did a clean install of 2K ?


dl65  

[Fed]

i take out the xp sp2, use back win 2k

pcfool ---->pcgenius

[pcfool]

pcfool........

sorry for late reply, i take out the xp sp2, use back win 2k

 

? why would you remove XP/SP2 ? that makes no sense ...... What are you not telling us ?

So , does that mean you reformatted the drive and did a clean install of 2K ?


dl65  

why i take out the xp sp2? because i install xp sp2 purposely for sound blaster X-Fi testing(as i mention in first post, this is another issue). i'm not reformat my hard drive, my original OS is win 2k, i swap the hard disk to slave, put a 20Gb HD as master and install xp.( is not a legal copy so cannot update.)
i just remove the 20Gb HD, put back my 40GB HD with win 2k as master.

[pcfool]

i take out the xp sp2, use back win 2k

pcfool ---->pcgenius

why you say like that? :-?

[unlovedwarrior]

cuz win 2k is better in some ways then xp.

unlovedwarrior

[patio]

( is not a legal copy so cannot update.)

This is what free winds up getting you...

[Calum]

Only for pirated software though . . . free usually gets you equal or better for other things, like antivirus (think AVG vs. Norton)
Or Linux vs. Windows (in some people's opinion)
Just my random thoughts.

[pcfool]

[highlight]cuz win 2k is better in some ways then xp[/highlight].

unlovedwarrior

agree

[patio]

Only for pirated software though . . . free usually gets you equal or better for other things, like antivirus (think AVG vs. Norton)
Or Linux vs. Windows (in some people's opinion)
Just my random thoughts.

Did you want to discuss semantics...or Symantec's ? ? ?