
Topic: virus/trojan keep coming back after been deleted by Nod32 & Spybot


atittaya23 (Topic Starter):

Even after I quarantine all of those bad files that the antivirus and antispyware recommend, reboot, and then run a scan again soon after, the programs still find them again ???

I have followed the instructions about what to do before posting a HJT log. So here they are:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 06/18/2008 at 01:16 AM

    Application Version : 4.15.1000

    Core Rules Database Version : 3469
    Trace Rules Database Version: 1460

    Scan type       : Complete Scan
    Total Scan Time : 00:40:30

    Memory items scanned      : 167
    Memory threats detected   : 0
    Registry items scanned    : 5879
    Registry threats detected : 0
    File items scanned        : 42311
    File threats detected     : 6

    Adware.Tracking Cookie
       C:\Documents and Settings\Mr.Postman\Cookies\[email protected][1].txt
       C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt
       C:\Documents and Settings\Mr.Postman\Cookies\[email protected][2].txt

    ---------------------------------------------------------------------
    Malwarebytes' log next post

atittaya23 (Topic Starter):

After closing Malwarebytes' Anti-Malware, I received this from Spybot:

What does it mean?

atittaya23 (Topic Starter):

HijackThis log

        Logfile of Trend Micro HijackThis v2.0.2
        Scan saved at 01:29:48, on 18 .. 2008
        Platform: Windows XP SP2 (WinNT 5.01.2600)
        MSIE: Internet Explorer v7.00 (7.00.5730.0011)
        Boot mode: Normal

        Running processes:
        C:\WINDOWS\System32\smss.exe
        C:\WINDOWS\system32\winlogon.exe
        C:\WINDOWS\system32\services.exe
        C:\WINDOWS\system32\lsass.exe
        C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
        C:\WINDOWS\system32\svchost.exe
        C:\WINDOWS\System32\svchost.exe
        C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        C:\WINDOWS\system32\spoolsv.exe
        C:\WINDOWS\Explorer.EXE
        C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
        C:\Program Files\Eset\nod32kui.exe
        C:\Program Files\QuickTime\qttask.exe
        C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
        C:\WINDOWS\system32\ctfmon.exe
        C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
        C:\Program Files\Eset\nod32krn.exe
        C:\WINDOWS\system32\nvsvc32.exe
        C:\Program Files\CyberLink\Shared files\RichVideo.exe
        C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
        C:\Program Files\Internet Explorer\iexplore.exe
        C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
        C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
        R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
        R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
        O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
        O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
        O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
        O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
        O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
        O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
        O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
        O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
        O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
        O4 - HKLM\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SC3.tmp" /EF "HKLM"
        O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
        O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
        O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
        O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
        O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
        O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
        O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
        O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
        O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
        O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
        O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
        O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
        O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
        O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
        O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
        O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
        O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
        O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
        O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
        O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
        O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
        O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
        O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
        O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
        O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
        O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
        O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
        O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
        O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
        O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
        O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
        O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
        O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
        O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
        O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
        O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
        O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
        O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
        O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
        O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
        O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
        O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
        O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

        --
        End of file - 8686 bytes
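The HijackThis logs in this thread follow one fixed layout: a short header, a "Running processes:" list, then one entry per line tagged with a section code (R0 = IE start page, O2 = BHO, O4 = autostart from Run/RunOnce, O10 = Winsock LSP, O23 = service, and so on). The Python below is an added example, not code from the thread or from HijackThis itself, that parses a log into those parts, pulls the O4 autostart entries apart, and diffs two logs so a follow-up scan can be compared with the first. Its two inputs are constructed, shortened excerpts of the two logs atittaya23 posted; the later one differs only by the extra running process C:\post\postexcel.exe that appears in the second log in this thread.

```python
"""Parse and diff Trend Micro HijackThis v2 logs.

Added example for this thread; it is not HijackThis code and not from any
post above.  Both sample logs below are constructed, shortened copies of
the two logs atittaya23 posted.
"""
import re

HJT_FIRST = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
"""

# The later log in the thread differs (in this excerpt) only by one more
# running process, C:\post\postexcel.exe, listed before HijackThis itself.
HJT_LATER = HJT_FIRST.replace(
    r"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe",
    "C:\\post\\postexcel.exe\nC:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe",
)

# "O4 - <body>", "R0 - <body>", ...: section code, then the entry text.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 body: <hive\..\Run or RunOnce>: [<value name>] <command line>
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HEADER_KEYS = ("Platform", "MSIE", "Boot mode")


def parse_hjt(text):
    """Split a HJT log into header fields, running processes and typed entries."""
    log = {"header": {}, "processes": [], "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log["processes"].append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            log["entries"].append((m.group("code"), m.group("body")))
            continue
        key, sep, val = line.partition(":")
        if sep and key in HEADER_KEYS:
            log["header"][key] = val.strip()
    return log


def by_code(log):
    """Group entry bodies by section code (O2 = BHO, O4 = autostart, O23 = service, ...)."""
    groups = {}
    for code, body in log["entries"]:
        groups.setdefault(code, []).append(body)
    return groups


def autostarts(log):
    """(registry key, value name, command) for every O4 Run/RunOnce entry."""
    found = []
    for code, body in log["entries"]:
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            found.append((m.group("key"), m.group("name"), m.group("cmd")))
    return found


def diff_hjt(old, new):
    """Processes and entries that appeared or vanished between two logs.

    Windows paths are case-insensitive, so comparison keys are lower-cased
    while the reported values keep the log's original spelling.
    """
    def keyed(items):
        return {(i.lower() if isinstance(i, str) else (i[0], i[1].lower())): i
                for i in items}
    result = {}
    for part in ("processes", "entries"):
        o, n = keyed(old[part]), keyed(new[part])
        result[part + "_added"] = sorted(n[k] for k in n.keys() - o.keys())
        result[part + "_removed"] = sorted(o[k] for k in o.keys() - n.keys())
    return result


if __name__ == "__main__":
    first, later = parse_hjt(HJT_FIRST), parse_hjt(HJT_LATER)
    for key, name, cmd in autostarts(first):
        print(f"autostart {key} [{name}] -> {cmd}")
    for what, items in diff_hjt(first, later).items():
        if items:
            print(what, items)
```

Run it on two full logs saved as text and `diff_hjt` gives the reviewer the same thing evilfantasy does by eye: what changed between the scan before cleanup and the scan after it, with nothing else to read through.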

evilfantasy (Malware Removal Specialist, Moderator):

Quote from atittaya23: After closing Malwarebytes' Anti-Malware, I received this from Spybot

That is TeaTimer warning you about the changes.

Did you allow it?

The HijackThis log looks fine, how is everything now?

atittaya23 (Topic Starter):

Quote from evilfantasy: That is TeaTimer warning you about the changes. Did you allow it?

No, I denied it because I'm afraid to change anything or use any other program except SUPERAntiSpyware Free Edition and Malwarebytes' Anti-Malware. Did I do something wrong?

Quote from evilfantasy: The HijackThis log looks fine, how is everything now?

Wow, those two programs are pretty impressive. Everything seems to be OK now, but I'll wait a little bit longer to see if I ever receive this message again when running a virus scan.

By the way, I don't know if this is relevant, but I first ran a SUPERAntiSpyware Free Edition scan at 06:59 PM. After I rebooted, I tried to retrieve the scan log as instructed but couldn't find it, so I thought I must have done something wrong. So, I decided to run SUPERAntiSpyware again in safe mode. After the second scan finished, I checked for a scan log while still in safe mode. That's how I found the first log that I couldn't find before. But I'll show you that first log anyway.
          -----------------------
          First attempt SUPERAntispyware log next post

atittaya23 (Topic Starter):

            SUPERAntiSpyware Scan Log
            http://www.superantispyware.com

            Generated 06/17/2008 at 06:59 PM

            Application Version : 4.15.1000

            Core Rules Database Version : 3469
            Trace Rules Database Version: 1460

            Scan type       : Complete Scan
            Total Scan Time : 00:52:15

            Memory items scanned      : 172
            Memory threats detected   : 0
            Registry items scanned    : 5853
            Registry threats detected : 6
            File items scanned        : 54515
            File threats detected     : 3

            Registry Cleaner Trial
               HKCR\Install.Install
               HKCR\Install.Install\CLSID
               HKCR\Install.Install\CurVer
               HKCR\Install.Install.1
               HKCR\Install.Install.1\CLSID

            Adware.Vundo Variant/Rel
               HKLM\SOFTWARE\Microsoft\RemoveRP
               C:\WINDOWS\SYSTEM32\MCRH.TMP

            Unclassified.Unknown Origin/System
               C:\D\G\AS\2\CHPSTART.EXE

            Trojan.Unclassified/Loader-Suspicious
               C:\PROGRAM FILES\EVERSTRIKE SOFTWARE\LOCK FOLDER XP 3.6\LOADER.EXE

            ------------------------------------------------------------------------------------------------------------

evilfantasy (Malware Removal Specialist, Moderator):

            Download Dr.Web CureIt! & save it to your desktop.
            • Double-click on cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
            • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
            • Once the short scan has finished, Click Options > Change settings
            • Choose the "Scan tab" and UNcheck "Heuristic analysis"
            • Back at the main window, click "Custom Scan", then "Select drives" (a red dot will show which drives have been chosen).
            • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
            • When done, a message will be displayed at the bottom advising if any viruses were found.
            • Click "Yes to all" if it asks if you want to cure/move the file.
            • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
              (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
• Next, in the Dr.Web CureIt menu on top, click File and choose Save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web CureIt when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
You can use Notepad to open the DrWeb.csv report by right-clicking it and selecting Open with > Notepad.

atittaya23 (Topic Starter):

Quote from evilfantasy: Download Dr.Web CureIt! & save it to your desktop.

I get this instead when I try to click on your link.

evilfantasy (Malware Removal Specialist, Moderator):

Get it HERE

atittaya23 (Topic Starter):

Thank you, I'll do it, but since it's very late now I hope you don't mind if I continue all this tomorrow. Thank you very much for your help so far ;D

evilfantasy (Malware Removal Specialist, Moderator):
« Reply #10 on: June 17, 2008, 03:24:29 PM »

No worries, we will get it taken care of one way or another.

atittaya23 (Topic Starter):
« Reply #11 on: June 18, 2008, 01:53:46 PM »

Here is the DrWeb.csv report,

                    --------------------------------------------
                    SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
                    SmitfraudFix.exe\SmitfraudFix\GenericRenosFix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
                    SmitfraudFix.exe\SmitfraudFix\IEDFix.C.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
                    SmitfraudFix.exe\SmitfraudFix\IEDFix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
                    SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;Tool.Prockill;;
                    SmitfraudFix.exe\SmitfraudFix\restart.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;Trojan.Shutdown.47;;
                    SmitfraudFix.exe;C:\Documents and Settings\Mr.Postman\Desktop;Archive contains infected objects;Moved.;
                    slghex.dll;C:\Program Files\Common Files\Sandlot Shared;Adware.SpywareStorm;Moved.;
                    1QK2UVAA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
                    HW1A2AAA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
                    MXDYT1DA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
                    WPPUSVDA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
                    setup.exe;C:\Program Files\ESET\Install;Trojan.MulDrop.16617;Deleted.;
                    setup.exe;C:\Program Files\ESET\Setup;Trojan.MulDrop.16617;Deleted.;
                    404Fix.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
                    GenericRenosFix.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
                    IEDFix.C.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
                    IEDFix.exe;C:\SmitfraudFix;BackDoor.IRC.Chazz.38;Deleted.;
                    Process.exe;C:\SmitfraudFix;Tool.Prockill;Moved.;
                    restart.exe;C:\SmitfraudFix;Trojan.Shutdown.47;Deleted.;
                    A0004548.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
                    A0004548.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
                    A0004548.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
                    A0004548.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;BackDoor.IRC.Chazz.38;;
                    A0004548.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;Tool.Prockill;;
                    A0004548.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48\A0004548.exe;Trojan.Shutdown.47;;
                    A0004548.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Archive contains infected objects;Moved.;
                    A0004592.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004595.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004597.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004598.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004600.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Tool.Prockill;Moved.;
                    A0004602.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Trojan.Shutdown.47;Deleted.;
                    A0004946.exe\SmitfraudFix\404Fix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
                    A0004946.exe\SmitfraudFix\GenericRenosFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
                    A0004946.exe\SmitfraudFix\IEDFix.C.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
                    A0004946.exe\SmitfraudFix\IEDFix.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;BackDoor.IRC.Chazz.38;;
                    A0004946.exe\SmitfraudFix\Process.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;Tool.Prockill;;
                    A0004946.exe\SmitfraudFix\restart.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54\A0004946.exe;Trojan.Shutdown.47;;
                    A0004946.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Archive contains infected objects;Moved.;
                    A0004947.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Trojan.MulDrop.16617;Deleted.;
                    A0004948.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Trojan.MulDrop.16617;Deleted.;
                    A0004949.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004950.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004951.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004952.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;BackDoor.IRC.Chazz.38;Deleted.;
                    A0004953.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP54;Trojan.Shutdown.47;Deleted.;
                    mgkruxeb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
                    squwnqaq.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
                    A0004267.exe;D:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP38;Trojan.DownLoader.62905;Deleted.;
                    SlgClientServicesRedists.exe\data002;D:\GameHouse\Cake Mania\SlgClientServicesRedists.exe;Adware.SpywareStorm;;
                    SlgClientServicesRedists.exe;D:\GameHouse\Cake Mania;Archive contains infected objects;Moved.;

                    ----------------------------------------------------------------------------
                    New HJT Log next post
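Each line of the DrWeb.csv report above is one record, object;location;threat;action;. Two details matter when reading it: a record with an empty action and a nested object name (archive\member) is a hit inside an archive, and the archive's own record carries the action ("Moved." or "Deleted."); and a location under System Volume Information\_restore{...}\RPnn is a System Restore snapshot, not the live system. The Python below is an added example, not code from the thread or from Dr.Web, that parses such a report and summarises what a responder reads off it: actions taken, threat names, how many hits lived only in restore points, and any top-level detection with no action at all. Its input is a constructed excerpt of the report atittaya23 posted.

```python
"""Summarise a Dr.Web CureIt! DrWeb.csv report.

Added example for this thread; it is not Dr.Web code and not from any post
above.  A report line is object;location;threat;action; and the sample is a
constructed excerpt of the report atittaya23 posted.
"""
from collections import Counter

SAMPLE_REPORT = r"""SmitfraudFix.exe\SmitfraudFix\404Fix.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;BackDoor.IRC.Chazz.38;;
SmitfraudFix.exe\SmitfraudFix\Process.exe;C:\Documents and Settings\Mr.Postman\Desktop\SmitfraudFix.exe;Tool.Prockill;;
SmitfraudFix.exe;C:\Documents and Settings\Mr.Postman\Desktop;Archive contains infected objects;Moved.;
1QK2UVAA.NQF;C:\Program Files\ESET\infected;Trojan.Virtumod.based.16;Deleted.;
A0004548.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;Archive contains infected objects;Moved.;
A0004592.exe;C:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP48;BackDoor.IRC.Chazz.38;Deleted.;
mgkruxeb.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
squwnqaq.dll;C:\WINDOWS\system32;Trojan.Virtumod.based.16;Deleted.;
A0004267.exe;D:\System Volume Information\_restore{4C704DB3-9DCB-414F-9314-E1455FCB9010}\RP38;Trojan.DownLoader.62905;Deleted.;
"""

RESTORE_MARKER = "\\System Volume Information\\_restore"


def parse_drweb(text):
    """One dict per record.  An empty action on a nested object (archive\\member)
    means the hit was inside an archive; the archive's own record carries the action."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(";")
        if len(parts) < 4:
            raise ValueError(f"line {lineno}: expected object;location;threat;action; got {line!r}")
        obj, location, threat, action = (p.strip() for p in parts[:4])
        records.append({
            "object": obj,
            "location": location,
            "threat": threat,
            "action": action.rstrip("."),       # "Deleted." -> "Deleted", "" stays ""
            "in_archive": "\\" in obj,          # nested object name = archive member
            "restore_point": RESTORE_MARKER in location,
        })
    return records


def summarise(records):
    """The counts a responder reads off the report."""
    top_level = [r for r in records if not r["in_archive"]]
    return {
        "actions": Counter(r["action"] or "none (archive member)" for r in records),
        "threats": Counter(r["threat"] for r in top_level),
        # hits that only existed in System Restore snapshots, not on the live system
        "restore_point_hits": sum(1 for r in top_level if r["restore_point"]),
        # a top-level object with no action would be a detection Dr.Web left in place
        "unhandled": [r["object"] for r in top_level if not r["action"]],
    }


if __name__ == "__main__":
    summary = summarise(parse_drweb(SAMPLE_REPORT))
    for key, value in summary.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The "unhandled" list is the one to look at first: it is empty for this excerpt because every top-level hit was deleted or moved, which is the reading that supports the "is my PC clean now?" question; anything left there would still be on disk.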

atittaya23 (Topic Starter):
« Reply #12 on: June 18, 2008, 01:55:09 PM »

Is my PC clean now?


                      Logfile of Trend Micro HijackThis v2.0.2
                      Scan saved at 19:36:34, on 18 .. 2008
                      Platform: Windows XP SP2 (WinNT 5.01.2600)
                      MSIE: Internet Explorer v7.00 (7.00.5730.0011)
                      Boot mode: Normal

                      Running processes:
                      C:\WINDOWS\System32\smss.exe
                      C:\WINDOWS\system32\winlogon.exe
                      C:\WINDOWS\system32\services.exe
                      C:\WINDOWS\system32\lsass.exe
                      C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
                      C:\WINDOWS\system32\svchost.exe
                      C:\WINDOWS\System32\svchost.exe
                      C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                      C:\WINDOWS\system32\spoolsv.exe
                      C:\WINDOWS\Explorer.EXE
                      C:\Program Files\Faronics\Deep Freeze\Install C-0\_$Df\FrzState2k.exe
                      C:\Program Files\Eset\nod32kui.exe
                      C:\Program Files\QuickTime\qttask.exe
                      C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
                      C:\WINDOWS\system32\ctfmon.exe
                      C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                      C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                      C:\Program Files\Eset\nod32krn.exe
                      C:\WINDOWS\system32\nvsvc32.exe
                      C:\Program Files\CyberLink\Shared files\RichVideo.exe
                      C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
                      C:\post\postexcel.exe
                      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
                      O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                      O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
                      O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                      O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
                      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
                      O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
                      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                      O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
                      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
                      O4 - HKLM\..\Run: [EPSON Stylus C79 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGP.EXE /FU "C:\WINDOWS\TEMP\E_SC3.tmp" /EF "HKLM"
                      O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
                      O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
                      O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
                      O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
                      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
                      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
                      O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
                      O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                      O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
                      O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
                      O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
                      O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
                      O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
                      O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
                      O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
                      O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
                      O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                      O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                      O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
                      O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
                      O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                      O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                      O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
                      O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
                      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                      O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
                      O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
                      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                      O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                      O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                      O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                      O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
                      O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
                      O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
                      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
                      O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
                      O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
                      O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                      O23 - Service: DF5Serv - Faronics Corporation - C:\Program Files\Faronics\Deep Freeze\Install C-0\DF5Serv.exe
                      O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
                      O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                      O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
                      O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
                      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
                      O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
                      O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

                      --
                      End of file - 8582 bytes
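The O4, O10, O20 and O23 lines in a log like the one above are what a helper reads first: where each autostart entry, Winlogon Notify DLL and service binary actually lives, and whether the file carries publisher information. The following is an added example, not code from this thread or from HijackThis, of a small triage script that parses those four line types and flags entries loading from outside Windows/Program Files, services with "Unknown owner", unqualified rundll32 modules and LSPs the scanner did not recognise. The trusted-prefix list is an assumption for a default Windows XP layout, and the sample log is constructed from a few lines of the log above plus one invented "updater" entry so that the location check has something to catch.

```python
import re
from dataclasses import dataclass

# Assumption: on a default Windows XP layout these are the normal homes for
# autostart binaries and services; anything loaded from elsewhere is reviewed.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O10_RE = re.compile(r"^O10 - (?P<desc>[^:]+): (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")  # "(User 'SYSTEM')" on O4 lines


@dataclass
class Finding:
    section: str  # HijackThis section ("O4", "O10", ...)
    name: str     # value name, service name or HJT description
    path: str     # the file the entry loads
    reason: str   # why a human should verify it


def _tokens(cmd):
    """Split a command line on whitespace, keeping double-quoted paths whole."""
    out, cur, in_quotes = [], "", False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out


def executable_path(cmd):
    """File an O4 command line really loads: for rundll32 that is the module
    named in the first argument (before the comma), not rundll32 itself."""
    tokens = _tokens(USER_SUFFIX_RE.sub("", cmd))
    if not tokens:
        return ""
    host = tokens[0].lower().rsplit("\\", 1)[-1]
    if host in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]
    return tokens[0]


def is_absolute(path):
    return len(path) > 2 and path[1:3] == ":\\"


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(lines):
    """Return the entries of a HijackThis log that deserve manual verification."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := O4_RE.match(line):
            path = executable_path(m["cmd"])
            if not is_absolute(path):
                findings.append(Finding("O4", m["name"], path, "unqualified name, resolved via search path"))
            elif not is_trusted_location(path):
                findings.append(Finding("O4", m["name"], path, "autostart outside Windows/Program Files"))
        elif m := O10_RE.match(line):
            findings.append(Finding("O10", m["desc"], m["path"], "LSP unknown to the scanner; check publisher"))
        elif m := O20_RE.match(line):
            if not is_trusted_location(m["path"]):
                findings.append(Finding("O20", m["name"], m["path"], "Winlogon Notify DLL in unusual location"))
        elif m := O23_RE.match(line):
            if m["vendor"].strip() == "Unknown owner":
                findings.append(Finding("O23", m["name"], m["path"], "service binary has no publisher information"))
            elif not is_trusted_location(m["path"]):
                findings.append(Finding("O23", m["name"], m["path"], "service binary outside Windows/Program Files"))
    return findings


# Constructed sample: lines copied from the log above plus one invented
# "updater" entry in the user's Temp folder so that the location check fires.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [updater] "C:\Documents and Settings\user\Local Settings\Temp\updater.exe"
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - Winlogon Notify: DfLogon - C:\WINDOWS\SYSTEM32\LogonDll.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.section} [{f.name}] {f.path}\n     -> {f.reason}")
```

Run on the sample it reports four entries: the nLite RunOnce (module given by name only, so it is resolved through the DLL search path), the invented Temp-folder autostart, the Winsock LSP, and the CyberLink service with no publisher. A flag is a prompt to check the file's version information and signature, not a verdict; the nwprovau.dll and nLite hits here are both legitimate, which is exactly why the script returns reasons rather than deleting anything.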

evilfantasy
• Malware Removal Specialist
• Moderator
• Genius
• Calm like a bomb
• Thanked: 489
• Experience: Familiar
• OS: Windows 10
                      Re: virus/trojan keep coming back after been deleted by Nod32 & Spybot
                      « Reply #13 on: June 19, 2008, 12:47:13 PM »
                      Looks good, how is everything now?

                      -----

                      Final steps.

                      Download OTMoveIt2 by OldTimer OTMoveIt2.exe and place it on your desktop. (unless you already have it installed)

                      1. Double click OTMoveIt2.exe to launch it.
                      Vista users right click and choose Run As Administrator
                      2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet; if your firewall or other defensive programs alert you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
5. Once complete, exit out of OTMoveIt2

                      ----------

                      Set a New Restore Point to prevent possible reinfection from an old one
                      Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
                      • Go to Start > Programs > Accessories > System Tools and click System Restore
• Choose the radio button marked Create a Restore Point on the first screen, then click Next. Give the Restore Point a name, then click Create.
                      • The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
                      • Next go to Start > Run and type Cleanmgr
                      • Click OK
                      • Click the More Options Tab.
                      • Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
                      ----------

                      Use the Secunia Software Inspector to check for out of date software.
                      • Click Start Now
                      • Check the box next to Enable thorough system inspection.
                      • Click Start
                      • Allow the scan to finish and scroll down to see if any updates are needed.
                      • Update anything listed.
                      ----------

                      Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update and get all critical updates.

                      If you are running any Microsoft Office version go to the Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

                      ----------

                      Make sure all of your security programs are up to date and run scans with them regularly. Once or twice a week minimum.

                      Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                      To prevent unknown applications from being installed on your computer install WinPatrol 2008
                      Using Winpatrol to protect your computer from malicious software

Another thing I would suggest is installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.

SpywareBlaster - Secures your Internet Explorer to make it harder for these ActiveX programs to run on your computer. It also stops certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
                      *Using SpywareBlaster to protect your computer from Spyware and Malware
                      *If you don't know what ActiveX controls are, see here

                      Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.

atittaya23
Topic Starter
Rookie
• Thanked: 3
                        Re: virus/trojan keep coming back after been deleted by Nod32 & Spybot
                        « Reply #14 on: June 19, 2008, 01:49:55 PM »
Perfectly  ;D I ran a scan again today and NOD32 found nothing; SuperAntiSpyware found nothing except a few cookies, which were deleted with no difficulty; Malwarebytes' found no infection. I have so much joy. Thank you for your help  :-* Learning from you was fun and a very educational process. My brain cells were expanded because of you. May you always have good health and wealth  :D
                        Nancy