Trojan.downloader.vbs.bl

Yesterday I stumbled on a **** site disguised as a legit discussion of a **** gland issue. Next thing I have pop-ups everywhere. I have run three separate Bit Defender scans, and each time the same offending files are moved both on the virus scan and the spyware scan. Also, when I delete all internet temp files, the same files show up again.


Bit Defender alerts me that it has kept Trojan.Downloader.VBS.BL from infecting me. Ditto Adware.SystemFileError.? or similar name (have been waiting for msg again, but it's been a while).


My home page has been redirected to Ultimate Cleaner (ucleaner) in Cypress (http://ucleaner.com/support.php?wmid=6010&mid=MjI6Mjo4OQ==) and I am getting two separate spyware alerts continuously wishing to direct me to purchase the malware. And, if I pause typing for a bit, an IE page opens to WinX Defender.


The following link icons have been placed on my desktop: Spyware & Malware Protection (http://viruswebprotect.com/shandler.php?sid=502&aid=251&pn=5&said=7&sg=2)


Privacy Protector (http://viruswebprotect.com/shandler.php?sid=502&aid=251&pn=5&said=7&sg=0)


and


Error Cleaner (http://viruswebprotect.com/shandler.php?sid=502&aid=251&pn=5&said=7&sg=1)

Comments

  • I need instruction for getting rid of Trojan.Downloader.VBS.BL, Adware.SystemErrorFixer, and Trojan.FakeAlert.PP. Scans by Bit Defender find and move the viruses/spyware but they immediately regenerate. How do I get rid of the file that is the source of the problem? These do not appear to be in the Virus Encyclopedia.


    I posted earlier but must have said something wrong... no replies. Is there other info I should be offering?

  • Hello,


    Please download this tool: http://www.tehnica.org/BDAspySetup.exe, install it and create a BDAspy SysLog Info (go to "Sys Log Info" and click "Start Enum"; it will create a log named "bd_sys_log.xml"), then zip it and upload it here.


    Post also a scan log from a full system scan with BitDefender.


    Best regards,


    Andrei

  • Thanks, Andrei,


    Will do tomorrow morning... possibly late tonight.


    Charlie

  • Chaz,


    Download HijackThis from: http://www.trendsecure.com/portal/en-US/to...ools/hijackthis


    Run it, click "Scan", then click "Save Log".


    Save the log, and copy/paste it into your response to this thread.

  • Here's the sys_log, Andrei. I'll have the scan log in an hour or so.


    Thanks again,

    Attachment: bd_sys_log.xml

  • Chaz
    edited February 2008

    Thanks, Chesda. Here is the log.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:34:08 AM, on 2/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Softwin\BitDefender10\bdmcon.exe
    C:\Program Files\Softwin\BitDefender10\bdagent.exe
    C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\LxrSII1s.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\Program Files\Softwin\BitDefender10\vsserv.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
    R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O2 - BHO: CmjBrowserHelperObject Object - {07A11D74-9D25-4fea-A833-8B0D76A5577A} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [MPFTray] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
    O4 - HKLM\..\Run: [fontnav] "C:\Program Files\Bitstream\Font Navigator\FontNav.exe" *1
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [MISAggregator] C:\PROGRA~1\McAfee\MCAFEE~1\MisAgg.exe
    O4 - HKLM\..\Run: [msci] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\200722613626_mcinfo.exe /insfin
    O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
    O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
    O4 - HKLM\..\Run: [MMReminderService] C:\Program Files\Mindjet\MindManager 7\MMReminderService.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MSOffice\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
    O9 - Extra button: Microsoft® JavaScript® Console - {717514EF-E482-4155-AB74-29ED1F819F5F} - C:\WINDOWS\system32\COMDLG32.OCX
    O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MSOffice\Office12\REFIEBAR.DLL
    O9 - Extra button: Send to Mindjet MindManager - {941E1A34-C6AF-4baa-A973-224F9C3E04BF} - C:\Program Files\Mindjet\MindManager 7\Mm7InternetExplorer.dll
    O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing)
    O9 - Extra button: Microsoft® JavaScript® Console - {D2C0EE85-ACD4-40E3-B841-9EFA884A8D5F} - C:\WINDOWS\system32\COMDLG32.OCX
    O9 - Extra 'Tools' menuitem: JavaScript Console - {D2C0EE85-ACD4-40E3-B841-9EFA884A8D5F} - C:\WINDOWS\system32\COMDLG32.OCX
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\something.dll (file missing) (HKCU)
    O9 - Extra button: (no name) - {BE2F2769-8A63-4bc7-8A99-06C2C4AD7B9B} - C:\WINDOWS\System32\crtv2_32.dll (file missing) (HKCU)
    O9 - Extra button: (no name) - {D2C0EE85-ACD4-40E3-B841-9EFA884A8D5F} - C:\WINDOWS\System32\jsconsole.dll (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142635734718
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
    O16 - DPF: {F0FCC76D-767E-4759-A447-62289CA775AA} (Coreport SSO Client) - http://client.dbm.com/v51/ie/controls/CoreportSsoClient.cab
    O21 - SSODL: alofkmn - {7147D072-6C44-4FB0-8F6D-709EDF3109E4} - C:\WINDOWS\alofkmn.dll
    O21 - SSODL: bxlrvps - {3CA4B02A-0AAD-440E-82C4-0C6231F0A482} - C:\WINDOWS\bxlrvps.dll
    O21 - SSODL: BootKernel - {20b85734-a022-4295-bd56-9f9ab695b9e5} - C:\WINDOWS\Installer\{20b85734-a022-4295-bd56-9f9ab695b9e5}\BootKernel.dll
    O22 - SharedTaskScheduler: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - C:\WINDOWS\System32\mtwirl.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 15272 bytes

    Attachment: hijackthis.txt
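An added example for readers working through logs like the one above (this is not BitDefender's or Trend Micro's code and was not posted in the thread): a small Python triage script that applies the heuristics the helpers used on this log and again on the second log later in the thread. It flags O21 SSODL entries that load a DLL straight from the Windows folder (alofkmn.dll, bxlrvps.dll, later altvxvm.dll), O4 autoruns that start from a temp or browser-cache folder or sit directly in the root of Program Files (antiviirus.exe), R0/R1 home-page and search values pointing at a host outside a short allowlist (softwarereferral.com), and entries whose target file is gone. The allowlist of benign hosts, the temp-folder markers and the severity labels are assumptions made for the example; the sample lines are excerpted from the two logs in this thread plus a few benign entries.

```python
r"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread, not BitDefender's or Trend Micro's code. The
rules encode what the helpers looked for in the logs posted here:
  * O21 (ShellServiceObjectDelayLoad) DLLs sitting directly in C:\WINDOWS,
  * O4 autoruns launched from a temp / browser-cache folder, or dropped
    straight into the root of Program Files,
  * R0/R1 home-page or search URLs whose host is outside a small allowlist,
  * entries whose target file is gone ("(no file)" / "(file missing)").
"""
import re
from urllib.parse import urlparse

# Assumed allowlist for this example; replace with the machine's real defaults.
BENIGN_URL_HOSTS = {"go.microsoft.com", "google.com", "www.google.com", "www.yahoo.com"}
# Assumed path fragments in which a persistent autorun should never live.
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\content.ie5\\")

# "O21 - SSODL: name - {CLSID} - C:\dir\file.dll" -> sec="O21", rest="SSODL: ..."
_LINE_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<rest>.*)$")
# First Windows path on the line that ends in an executable extension.
_PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:exe|dll|ocx|cpl)\b', re.IGNORECASE)
_URL_RE = re.compile(r"https?://\S+")

def extract_path(rest):
    m = _PATH_RE.search(rest)
    return m.group(0) if m else None

def _parts(path):
    return path.lower().replace("/", "\\").split("\\")

def in_windows_root(path):
    r"""True for C:\WINDOWS\x.dll; False for System32 or any deeper folder."""
    parts = _parts(path)
    return len(parts) == 3 and parts[1] == "windows"

def in_program_files_root(path):
    r"""True for C:\Program Files\x.exe, i.e. no vendor subfolder at all."""
    parts = _parts(path)
    return len(parts) == 3 and parts[1] == "program files"

def triage_line(line):
    """Return (severity, reason) for one HJT line, or None if nothing stands out."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    lowered = rest.lower()
    path = extract_path(rest)

    if sec == "O21":
        # Shell service objects are loaded into explorer.exe at every logon; the
        # legitimate XP ones live under System32, so a Windows-root DLL is a red flag.
        if "(no file)" in lowered:
            return ("low", "orphaned SSODL entry")
        if path and in_windows_root(path):
            return ("high", "SSODL DLL directly in Windows root")
        return ("medium", "unexpected SSODL entry")

    if sec == "O4":
        if path and any(marker in path.lower() for marker in TEMP_MARKERS):
            return ("high", "autorun from temp or browser cache")
        if path and in_program_files_root(path):
            return ("high", "autorun executable in Program Files root")
        return None

    if sec in ("R0", "R1"):
        url = _URL_RE.search(rest)
        if url:
            host = urlparse(url.group(0)).netloc.lower()
            if host not in BENIGN_URL_HOSTS:
                return ("medium", f"browser home/search set to {host}")
        return None

    if "(file missing)" in lowered:
        return ("low", "entry points at a missing file")
    return None

def triage_log(text):
    """Run triage_line over a whole log; returns [(line, severity, reason), ...]."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((line.strip(), hit[0], hit[1]))
    return findings

def severity_counts(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, sev, _ in findings:
        counts[sev] += 1
    return counts

# Constructed sample: lines excerpted from the two logs in this thread plus benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\Run: [sBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H7RX6MKB\install_sbd_en[1].exe
O21 - SSODL: alofkmn - {7147D072-6C44-4FB0-8F6D-709EDF3109E4} - C:\WINDOWS\alofkmn.dll
O21 - SSODL: BootKernel - {20b85734-a022-4295-bd56-9f9ab695b9e5} - C:\WINDOWS\Installer\{20b85734-a022-4295-bd56-9f9ab695b9e5}\BootKernel.dll
O21 - SSODL: CheckMon - {ed99177e-9631-413f-986d-4b8f470c2401} - (no file)
O22 - SharedTaskScheduler: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - C:\WINDOWS\System32\mtwirl.dll (file missing)
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
"""

if __name__ == "__main__":
    for line, sev, why in triage_log(SAMPLE_LOG):
        print(f"[{sev:>6}] {why}: {line[:80]}")
    print(severity_counts(triage_log(SAMPLE_LOG)))
```

Run it as a script to print the findings for the sample, or pass the text of a saved hijackthis.txt to triage_log(). The rules are deliberately narrow: a hit means "look at this entry", not "this is malware", and a clean pass says nothing about entries HijackThis does not list at all.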

  • adamian
    edited February 2008

    Please send:


    C:\WINDOWS\alofkmn.dll


    C:\WINDOWS\bxlrvps.dll


    Those detected files are from the websites you're redirected to. I will fix that after you send these two files.


    Forgot to mention: Please create a ZIP archive with the password: infected and send that archive. Thanks.

  • Attached with password INFECTED [all caps]. Thanks for the help. I am really hampered in using my computer and look forward to a fix.


    Charlie

    Attachment: alofkmn.zip

  • Hi.


    These two files are infected. They have been signed as Adware.NetAdware.EH.


    Please send C:\WINDOWS\Installer\{20b85734-a022-4295-bd56-9f9ab695b9e5}\BootKernel.dll too. Sorry I haven't spotted this sooner.

  • adamian
    edited February 2008

    Here is a removal for the first two files:


    1. Send the file I requested in the previous post.


    2. Get Anti-Adware.NetAdware.EH, save it to a folder and extract it there from the zip archive.


    3. Disable virus shield.


    4. Run the tool. (should say infected)


    5. Restart windows.


    6. Re-run the tool. (should say infected)


    7. Restart windows.


    8. Re-run the tool (should say it's clean)


    9. Send us the log the tool creates (it's created in the folder from which you run the removal tool)


    10. Set a new home page in Internet Explorer.


    Clear the temporary files from Internet Explorer


    http://www.microsoft.com/windows/ie/ie6/us...clearcache.mspx


    There could still be problems because I haven't looked at the file I requested in the previous post.


    If there is something unclear please ask.

  • Andrei,


    BootKernel zip attached, same password. Moving the other two dlls to Windows Temp stopped the phony alerts from popping up every 10 seconds and allowed me to restore my own home page. I downloaded your utility and it showed clean on the second try, possibly because I had already moved all 3 dlls by that time.


    When I go through the delete temp internet files routine, BD alerts to the trojan.fakealert.pp virus show up each time. I will reattempt by following the link you provided.


    Many thanks,


    Charlie

    Attachment: BootKernel.zip

  • I'll take a look on this file soon.


    Disable the virus shield while you clean the cache or temporary files and reenable it after you're done deleting those.

  • By virus shield off, I am assuming you mean set Protection Level to Permissive. I did that for both the Antivirus and the Antispyware panels and then ran the Delete Temporary Internet Files IE routine multiple times. Each time I got the same BD alerts that informed me a half dozen Trojan.FakeAlert.PP viruses were found along with Exploit.Win32.CVE-2004-1305.Gen. The first alert simply flashes, too fast to see, so I couldn't tell you what it is.


    So, if I had Antispyware set to Aggressive and Antivirus set to Default, how did I get hit here? I am assuming this is a new and particularly clever/stealthy routine that you are now devising protection against. Is there anything beyond updating I can do to protect against such attacks? It was a real nosebleed.


    Charlie

  • By virus shield off, I am assuming you mean set Protection Level to Permissive. I did that for both the Antivirus and the Antispyware panels and then ran the Delete Temporary Internet Files IE routine multiple times.


    No, not setting the protection level.


    To disable the virus shield you can go to the BitDefender main window, choose the Antivirus tab, and then deselect "Real-time protection is enabled". But if you managed to clean the Internet Explorer cache there is no need to disable it now.


    Trojan.FakeAlert.PP and Exploit.Win32.CVE-2004-1305.Gen are detected in HTML pages. It's OK if you deleted them.


    The file (bootkernel) is infected and will be detected soon as Trojan.Dropper.RQN.


    If there are still any more problems/questions please contact us.

  • Andrei,


    Okay, I took down the shield and the trojans that prompted all the alerts in previous efforts to delete temp internet files were removed.


    I removed BootKernel.dll to the temp directory. Do I need to restore it to its old folder? Do I just wait for the new trojan to show up and let BD defeat it? Is there anything else I should do?


    Charlie

  • I removed BootKernel.dll to the temp directory. Do I need to restore it to its old folder? Do I just wait for the new trojan to show up and let BD defeat it? Is there anything else I should do?


    No, that file is malware, you can delete it.


    Remember to re-enable the virus shield.


    Have a nice week,


    Andrei

  • xitrum1985@yahoo.com
    edited March 2008

    Please help me, Adamian, I have the same Trojan.Downloader.VBS.BL.


    Below is the result after I ran HijackThis. Please help me to remove this trojan. Thanks a lot.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:02:04 AM, on 3/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\VistaDrive\VistaDrive.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe
    O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
    O4 - HKLM\..\Run: [sBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H7RX6MKB\install_sbd_en[1].exe
    O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: Reboot.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
    O21 - SSODL: altvxvm - {F01E13CC-77E3-4647-B707-13CBB1774370} - C:\WINDOWS\altvxvm.dll
    O21 - SSODL: CheckMon - {ed99177e-9631-413f-986d-4b8f470c2401} - (no file)
    O21 - SSODL: zip - {89c8509f-10b2-4fe2-ab4c-31c33908efac} - (no file)
    O21 - SSODL: SysSrv - {ebff6adf-355a-450d-965f-b3ad830e4f06} - (no file)
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

    --
    End of file - 7838 bytes

  • Chesda
    edited March 2008

    Xi Trum,


    From my observation it appears you have a variant of the Vundo Trojan and SmitFraud.


    Run Hijackthis, and do a System Scan. Check and Fix the following entries:


    O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
    O4 - Startup: Reboot.exe
    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
    O21 - SSODL: altvxvm - {F01E13CC-77E3-4647-B707-13CBB1774370} - C:\WINDOWS\altvxvm.dll
    O21 - SSODL: CheckMon - {ed99177e-9631-413f-986d-4b8f470c2401} - (no file)
    O21 - SSODL: zip - {89c8509f-10b2-4fe2-ab4c-31c33908efac} - (no file)
    O21 - SSODL: SysSrv - {ebff6adf-355a-450d-965f-b3ad830e4f06} - (no file)


    Please post another Hijackthis log after you've fixed these.


    Note: Fixing these with HijackThis may not fix your problem, and you may need to download a genuine remover tool.


    Best of Luck

  • Please help me Adamian, I have the same trojan downloader.vbs.bl


    Below is the result after I ran HijackThis. Please help me to remove this trojan. Thanks a lot.


    Hi,


    Please send:


    C:\WINDOWS\VistaDrive\VistaDrive.exe


    C:\Program Files\antiviirus.exe


    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H7RX6MKB\install_sbd_en[1].exe


    Reboot.exe (search for it, in hidden files too)


    C:\WINDOWS\altvxvm.dll


    Zip them with password infected.


    Please download this tool: http://www.tehnica.org/BDAspySetup.exe , install it and create a BDAspy SysLog Info (go to "Sys Log Info" and click "Start Enum", it will create a log named "bd_sys_log.xml") , then Zip it and upload it here.


    Best regards,


    Andrei

  • xitrum1985@yahoo.com
    edited March 2008

    Hi Andrei ! Thank you for your advice


    here are those file


    I could not find the folder Content.ie5 or antiviirus.exe, but when I zipped the Temporary Internet Files folder there was a message saying that Content.ie5 is being used by another program... etc.


    The Temporary Internet Files folder is too large (19.8 MB) so I cannot upload it. Can I delete something in that folder before I zip it?

    Attachments: bd_sys_log.zip, Reboot.zip, VistaDrive.zip, altvxvm.zip

  • Hi Andrei ! Thank you for your advice


    here are those file


    I could not find the folder Content.ie5 or antiviirus.exe, but when I zipped the Temporary Internet Files folder there was a message saying that Content.ie5 is being used by another program... etc.


    The Temporary Internet Files folder is too large (19.8 MB) so I cannot upload it. Can I delete something in that folder before I zip it?


    I don't need the whole Content.ie5 folder, just the exe from within. If you can't find the exe, it's OK.


    I'll take a look at the files and give you an answer.

  • adamian
    edited March 2008

    Hi,


    I've signed altvxvm.dll as Trojan.Zlob.CGF (detection should be available soon) and reboot.exe as Trojan.Starter.AF S is clean.


    Go to BDAspy->On Demand->Choose file to clean->Choose from disk and put there C:\WINDOWS\altvxvm.dll


    Choose Force file delete (requires restart) and go with Start clean


    Search for this file and send it if you have it:


    c:\windows\system32\tools\lostrun.exe


    or other files in c:\windows\system32\tools\


    Zip it (them) with password infected and upload them here. If you have any more problems, create another HiJackThis log and send that too.


    Have a nice day,


    Andrei

  • AnTi-ViRuS666
    edited March 2008

    Please help me, I have the Trojan Downloader VBS.BL. Here is my HijackThis log. I forgot to add that it also pops up a little bar below the IE toolbar saying I have malware or spyware on the PC, and sometimes it makes a beeping noise, not through the internal speakers either.


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 9:58:38 PM, on 3/18/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\Explorer.EXE


    C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\WINDOWS\system32\CTHELPER.EXE


    C:\Program Files\Winamp\winampa.exe


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe


    C:\WINDOWS\system32\DllHost.exe


    C:\Program Files\BitDefender\BitDefender 2008\history.exe


    C:\Program Files\Internet Explorer\IEXPLORE.EXE


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.windstream.net/


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


    O1 - Hosts: 66.98.148.65 auto.search.msn.com


    O1 - Hosts: 66.98.148.65 auto.search.msn.es


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: RDL Rolex - {83BA32CB-81AD-44A3-A0BE-9924A258931C} - C:\WINDOWS\dkxrstqvql.dll


    O3 - Toolbar: enlfxgw - {C5C1C68B-79A3-461B-BF41-410CF67FABB4} - C:\WINDOWS\enlfxgw.dll (file missing)


    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe


    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe


    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe


    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)


    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB


    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\DDD Pool\Images\stg_drm.ocx


    O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDST...aller_2-0-0.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1091631361328


    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1191509893656


    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\DDD Pool\Images\armhelper.ocx


    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll


    O21 - SSODL: apdqnxp - {D0B6D890-F93A-4EE2-894E-2D7F20908089} - C:\WINDOWS\apdqnxp.dll


    O21 - SSODL: btrklfr - {9825AC0A-DC04-4CCE-B09E-662B4C290A24} - C:\WINDOWS\btrklfr.dll (file missing)


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm


    --


    End of file - 6369 bytes

  • Hi,


    I've signed altvxvm.dll as Trojan.Zlob.CGF (detection should be available soon) and reboot.exe as Trojan.Starter.AFS.


    Go to BDAspy->On Demand->Choose file to clean->Choose from disk and put there C:\WINDOWS\altvxvm.dll


    Choose Force file delete (requires restart) and go with Start clean


    Search for this file and send it if you have it:


    c:\windows\system32\tools\lostrun.exe


    or other files in c:\windows\system32\tools\


    Zip it (them) with password infected and upload them here. If you have any more problems, create another HiJackThis log and send that too.


    Have a nice day,


    Andrei


    Hi Andrei! I did what you said and here is the file lostrun.exe and the latest HijackThis log.


    I still cannot find the file install_sbd_en[1].exe or the file antiviirus.exe like you said previously. I think the Trojan Remover software on my computer deleted them already. One more time, I appreciate your help with this problem.


    Sincerely

    Attachment: LostRun.zip

  • AnTi-ViRuS666
    edited March 2008

    I think I got rid of it. I just ran HijackThis and deleted every BHO; hopefully it worked. I know it fixed the privacy danger background, yay.


    EDIT: it didn't get rid of the trojan, but it did get rid of some IE problems, so I still need help with Trojan Downloader VBS.BL. Thanks

  • To AnTi


    I think I got rid of it. I just ran HijackThis and deleted every BHO; hopefully it worked. I know it fixed the privacy danger background, yay.


    EDIT: it didn't get rid of the trojan, but it did get rid of some IE problems, so I still need help with Trojan Downloader VBS.BL. Thanks


    Hi,


    Please send these files to us:


    C:\WINDOWS\apdqnxp.dll


    C:\WINDOWS\dkxrstqvql.dll


    (zip, password infected).


    Please download this tool: http://www.tehnica.org/BDAspySetup.exe , install it.


    Go to BDAspy->On Demand->Choose file to clean->Choose from disk and put there C:\WINDOWS\apdqnxp.dll .


    Choose Force file delete (requires restart) and go with Start clean.


    Repeat for C:\WINDOWS\dkxrstqvql.dll .


    If you have any more problems, please do another HijackThis log and a BDAspy syslog (info on how to do that is in this thread) and put the logs here.

  • To Xi Trum


    Hi Andrei! I did what you said and here is the file lostrun.exe and the latest HijackThis log.


    I still cannot find the file install_sbd_en[1].exe or the file antiviirus.exe like you said previously. I think the Trojan Remover software on my computer deleted them already. One more time, I appreciate your help with this problem.


    Sincerely


    Hi,


    There is no HijackThis log.


    It's OK if you can't find install_sbd_en[1].exe and the file antiviirus.exe; maybe they don't exist anymore and only references to them remain (you could remove those from HijackThis).


    LostRun.exe is clean; it seems to be from some sound card installer (it deletes some folders, temp_2 and devices, which are probably used during install).


    Reboot.exe from above is clean too.


    If you have any more problems send another HijackThis log file.


    Regards,


    Andrei


  • To Xi Trum


    Hi,


    There is no HijackThis log.


    It's OK if you can't find install_sbd_en[1].exe and the file antiviirus.exe; maybe they don't exist anymore and only references to them remain (you could remove those from HijackThis).


    LostRun.exe is clean; it seems to be from some sound card installer (it deletes some folders, temp_2 and devices, which are probably used during install).


    Reboot.exe from above is clean too.


    If you have any more problems send another HijackThis log file.


    Regards,


    Andrei


    Oops, sorry, here is the latest HijackThis log


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 6:47:17 PM, on 3/19/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16608)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Windows Defender\MsMpEng.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\brsvc01a.exe


    C:\WINDOWS\system32\brss01a.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


    C:\Program Files\Windows Defender\MSASCui.exe


    C:\Program Files\Spyware Doctor\pctsTray.exe


    C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe


    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe


    C:\Program Files\Spyware Doctor\pctsAuxs.exe


    C:\Program Files\Spyware Doctor\pctsSvc.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe


    C:\WINDOWS\System32\alg.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\WINDOWS\system32\wbem\wmiprvse.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll


    O4 - HKLM\..\Run: [VistaDrive] C:\WINDOWS\VistaDrive\VistaDrive.exe


    O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot


    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe


    O4 - HKLM\..\Run: [indexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe


    O4 - HKLM\..\Run: [setDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe


    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun


    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide


    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd


    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"


    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe


    O4 - HKLM\..\Run: [sBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H7RX6MKB\install_sbd_en[1].exe


    O4 - HKLM\..\Run: [iSTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"


    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet


    O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"


    O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')


    O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')


    O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe


    O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm


    O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm


    O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab


    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab


    O21 - SSODL: CheckMon - {ed99177e-9631-413f-986d-4b8f470c2401} - (no file)


    O21 - SSODL: zip - {89c8509f-10b2-4fe2-ab4c-31c33908efac} - (no file)


    O21 - SSODL: SysSrv - {ebff6adf-355a-450d-965f-b3ad830e4f06} - (no file)


    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe


    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 7847 bytes

  • I have Trojan.FakeAlert.PP,


    BitDefender Scan cannot find it. I have 10-20 warnings a day (from BD) saying 'your computer has not been infected' etc., etc., but when I run a BitDefender V/S it comes up clean. I have tried Ad-Aware, Trojan Remover and SpybotSD.


    When I follow the install address and try to manually delete it, it won't let me. As soon as I 'right click' to delete, the warning pops up again, and again, and again.........


    I understand it is 'low risk' but I am getting very ######@d off with the constant alerts. Surely BD should be able to find and delete this. If not, then why am I paying for your service?

  • To Delete Malware Manually:


    1. Disable Bitdefender Real Time Protection


    2. Right Click, Delete. BE SURE NOT TO DOUBLE CLICK AS YOU ARE NOT PROTECTED


    3. Empty the Recycle Bin


    4. Re-enable Bitdefender Real Time Protection

  • AnTi,


    Run HJT, and check and fix these following entries:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)


    O2 - BHO: RDL Rolex - {83BA32CB-81AD-44A3-A0BE-9924A258931C} - C:\WINDOWS\dkxrstqvql.dll


    O3 - Toolbar: enlfxgw - {C5C1C68B-79A3-461B-BF41-410CF67FABB4} - C:\WINDOWS\enlfxgw.dll (file missing)


    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)


    O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)


    O20 - Winlogon Notify: Antiwpa - C:\WINDOWS\SYSTEM32\antiwpa.dll


    O21 - SSODL: apdqnxp - {D0B6D890-F93A-4EE2-894E-2D7F20908089} - C:\WINDOWS\apdqnxp.dll


    O21 - SSODL: btrklfr - {9825AC0A-DC04-4CCE-B09E-662B4C290A24} - C:\WINDOWS\btrklfr.dll (file missing)


    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)


    O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

  • Xi Trum,


    Please remove from HijackThis the following entries:


    O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe


    O4 - HKLM\..\Run: [sBI] C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\H7RX6MKB\install_sbd_en[1].exe


    O21 - SSODL: CheckMon - {ed99177e-9631-413f-986d-4b8f470c2401} - (no file)


    O21 - SSODL: zip - {89c8509f-10b2-4fe2-ab4c-31c33908efac} - (no file)


    O21 - SSODL: SysSrv - {ebff6adf-355a-450d-965f-b3ad830e4f06} - (no file)


    The files don't exist anymore so this is just for cleanup.


    If you have any more problems tell me. I've seen that you posted another log but you didn't mention if you had any more problems and what were those.


    Sorry for the delayed answer but I was away for a few days.
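    The "check and fix" lists in this thread (Chesda's two HijackThis lists and Andrei's cleanup list above) are built by reading each log line and asking a few questions: does the target file still exist, is a hosts entry redirecting a well-known domain, is a module with a random-looking name loaded straight out of C:\WINDOWS, is an autorun executable sitting somewhere no installer would put it. The following Python script is an added example, not code from the thread, from BitDefender or from Trend Micro, that applies those same questions to HijackThis-style lines mechanically. The sample log is constructed from entry lines quoted in this thread plus two benign entries (the Java BHO and the BitDefender service) as controls; the rules themselves (the consonant-run name test, the Program Files root check, the Windows root check) are my own triage heuristics and are meant to point a reviewer at lines worth a closer look, not to act as detection.

```python
"""Heuristic triage of HijackThis-style log entries (added example).

Reproduces the reasoning the thread's helpers apply by hand: orphaned
entries, hosts-file redirects, randomly named modules loaded straight from
the Windows directory, and autorun executables in odd locations.  It is a
triage aid for a human reviewer, not a malware detector.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: entry shapes quoted in this thread, plus two benign
# entries (Java BHO, BitDefender service) as controls that must not be flagged.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: RDL Rolex - {83BA32CB-81AD-44A3-A0BE-9924A258931C} - C:\WINDOWS\dkxrstqvql.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O21 - SSODL: altvxvm - {F01E13CC-77E3-4647-B707-13CBB1774370} - C:\WINDOWS\altvxvm.dll
O21 - SSODL: CheckMon - {ed99177e-9631-413f-986d-4b8f470c2401} - (no file)
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# "O21 - SSODL: ..." -> section "O21", body "SSODL: ..."
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+)\s+-\s+(?P<body>.*)$")
# Drive-letter path ending in a module/document extension; non-greedy so it
# stops at the first extension, and it tolerates spaces ("Program Files").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|ocx|htm|html)\b", re.IGNORECASE)
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4}")


@dataclass
class Finding:
    section: str  # HijackThis section, e.g. "O21"
    reason: str   # why a reviewer should look at it
    line: str     # the entry as logged


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split an entry into (section, body); None for headers and blank lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def random_looking(stem: str) -> bool:
    """Heuristic: lowercase-only name, 6+ letters, with a run of 4 consonants
    (matches altvxvm, dkxrstqvql; leaves IEToolbar, ssv alone)."""
    return (len(stem) >= 6 and stem.isalpha() and stem.islower()
            and CONSONANT_RUN.search(stem) is not None)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line worth reviewing, else None."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    sec, body = parsed
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return Finding(sec, "orphaned entry, target file missing (cleanup only)", line)
    if sec == "O1":
        return Finding(sec, "hosts-file redirect of a well-known domain", line)
    if sec == "O24" and "file:///" in body:
        return Finding(sec, "desktop component rendering a local HTML file", line)
    m = PATH_RE.search(body)
    if m:
        parts = m.group(0).split("\\")
        parent = parts[-2].upper() if len(parts) >= 2 else ""
        stem = parts[-1].rsplit(".", 1)[0]
        if sec in ("O2", "O3", "O21") and parent == "WINDOWS" and random_looking(stem):
            return Finding(sec, "randomly named module loaded straight from the Windows root", line)
        if sec == "O4" and parent == "PROGRAM FILES":
            return Finding(sec, "autorun executable placed in the Program Files root", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log, keeping only the findings."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

    Run against the constructed sample it flags seven of the ten entries and leaves the Java BHO and the BitDefender service alone. The "(no file)" rule is the safe one: as Andrei notes above, removing such entries is pure cleanup because nothing is left to run. The other rules only say "look here"; a file that trips them still needs to be submitted for analysis before being force-deleted, which is exactly the sequence the helpers follow in this thread.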

  • I have Trojan.FakeAlert.PP,


    BitDefender Scan cannot find it. I have 10-20 warnings a day (from BD) saying 'your computer has not been infected' etc., etc., but when I run a BitDefender V/S it comes up clean. I have tried Ad-Aware, Trojan Remover and SpybotSD.


    When I follow the install address and try to manually delete it, it won't let me. As soon as I 'right click' to delete, the warning pops up again, and again, and again.........


    I understand it is 'low risk' but I am getting very ######@d off with the constant alerts. Surely BD should be able to find and delete this. If not, then why am I paying for your service?


    Hi,


    Please do a BDAspy sys log file (instructions are on this page) and a HijackThis log file. Upload the files here.


    You can get support here too: http://www.bitdefender.com/site/KnowledgeBase/getSupport/ (a place dedicated for support). I help on the forum as the time permits to do so.


    The popups are generated because there is probably some malware that is not yet detected by BD. We catch the later problem, but we don't yet catch the one that causes it. Please upload those two logs and we'll try to fix it.

  • To Delete Malware Manually:


    1. Disable Bitdefender Real Time Protection


    2. Right Click, Delete. BE SURE NOT TO DOUBLE CLICK AS YOU ARE NOT PROTECTED


    3. Empty the Recycle Bin


    4. Re-enable Bitdefender Real Time Protection


    Thanks mate, that did the job


    Kind of obvious really, can't believe I didn't think of it myself - doh !

  • Can I get some help, please?


    I have Trojan.FakeAlert.PP. Every time I open or close my Firefox browser I get a warning. I have gone to the directory listed in the BitDefender warning and I am unable to delete this file.


    From reading this thread I have run a HijackThis report and it is as follows:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 8:15:19 PM, on 4/10/2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16640)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe


    C:\Program Files\Common Files\LightScribe\LSSrvc.exe


    C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe


    C:\Program Files\MozyHome\mozybackup.exe


    C:\WINDOWS\Explorer.EXE


    C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Vongo\VongoService.exe


    C:\WINDOWS\system32\SearchIndexer.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe


    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe


    C:\WINDOWS\system32\igfxtray.exe


    C:\WINDOWS\system32\hkcmd.exe


    C:\WINDOWS\system32\igfxpers.exe


    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    C:\Program Files\HP\QuickPlay\QPService.exe


    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe


    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe


    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe


    C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe


    C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\Program Files\DropBox\DropBox\DropBox.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    C:\PROGRA~1\hpq\Shared\HPQTOA~1.EXE


    C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe


    C:\Program Files\Bluetooth Software\BTTray.exe


    C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe


    C:\Program Files\palmOne\Hotsync.exe


    C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe


    C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe


    C:\Program Files\MozyHome\mozystat.exe


    C:\Program Files\Bluetooth Software\BTStackServer.exe


    C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\traywc.exe


    C:\Program Files\Windows Desktop Search\WindowsSearch.exe


    C:\Program Files\stickies\stickies.exe


    C:\Program Files\Vongo\Tray.exe


    C:\PROGRA~1\Webshots\Webshots.scr


    C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe


    C:\Program Files\TechSmith\SnagIt 7\TSCHelp.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\WINDOWS\system32\SearchProtocolHost.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop


    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll


    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll


    O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll


    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"


    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe


    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe


    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe


    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe


    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe


    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"


    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe


    O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup


    O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start


    O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start


    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe


    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe


    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent


    O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler


    O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\OneTouch\utils\Onetouch.exe


    O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"


    O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [DropBoxUtility] "C:\Program Files\DropBox\DropBox\DropBox.exe" /s


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')


    O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')


    O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')


    O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')


    O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')


    O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')


    O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe


    O4 - Startup: Vongo Tray.lnk = ?


    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe


    O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe


    O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\AudibleDownloadHelper.exe


    O4 - Global Startup: BTTray.lnk = ?


    O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe


    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\palmOne\Hotsync.exe


    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe


    O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe


    O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe


    O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe


    O4 - Global Startup: SnagIt 7.lnk = C:\Program Files\TechSmith\SnagIt 7\SnagIt32.exe


    O4 - Global Startup: traywc.exe


    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe


    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM


    O8 - Extra context menu item: &Webshots Photo Search - res://C:\Program Files\Webshots\WSToolbar4IE.dll/MENUSEARCH.HTM


    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000


    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM


    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll


    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll


    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll


    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll


    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll


    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll


    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=pavilion&pf=laptop


    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/16.19/uploader2.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab


    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.gamehouse.com/realarcade-webgam...opcaploader.cab


    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe


    O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe


    O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\OneTouch\Utils\SyncServices.exe


    O23 - Service: Vongo Service - Starz Entertainment Group LLC - C:\Program Files\Vongo\VongoService.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 14803 bytes


    Thanks for any help on getting rid of this nuisance!

  • Can I get some help, please?


    I have Trojan.FakeAlert.PP, Every time I open or close my Firefox browser I get a warning. I have gone to the directory listed by BitDefender warning and I am unable to delete this file.


    From reading this thread, I have run a HijackThis report and it is as follows:


    Hi,


    I haven't noticed any malware in the log. It's possible that you were redirected to a site with a Fake Alert by some dubious website (saying that your computer is infected although it is not).


    Please do the following:


    Disable Virus Shield.


    Empty Internet Explorer cache (assuming you're using Internet Explorer): http://www.microsoft.com/windows/ie/ie6/us...clearcache.mspx


    Enable Virus Shield again.


    Do a BitDefender scan. If problems persist, please send the virus scanlog and we'll take it from there.


    Have a nice day,


    Andrei

  • Hi! I got the same problem! Please help me too! The main virus seems to be Trojan.Vapsup.M.


    I tried using bitdefender and system mechanics to handle them but they didn't work...why?...


    My log from hijackthis is:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 09:29: VIRUS ALERT!, on 9/4/2008


    Platform: Windows XP SP3 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 (7.00.6000.16705)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\csrss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe


    C:\WINDOWS\System32\svchost.exe


    C:\Nexon\Mabinogi\npkcmsvc.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe


    C:\WINDOWS\system32\LVCOMSX.EXE


    C:\Program Files\Logitech\Video\LogiTray.exe


    C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\Program Files\iTunes\iTunesHelper.exe


    C:\WINDOWS\System32\drivers\PhiBtn.exe


    C:\WINDOWS\System32\drivers\Tray900.exe


    C:\Program Files\iolo\System Mechanic 6\SystemGuardAlerter.exe


    C:\Program Files\Logitech\Video\FxSvr2.exe


    C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


    C:\Program Files\iPod\bin\iPodService.exe


    C:\WINDOWS\System32\alg.exe


    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\PROGRA~1\Softwin\BITDEF~1\bdlite.exe


    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\explorer.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    C:\WINDOWS\system32\wbem\wmiprvse.exe


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896


    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop


    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll


    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll


    O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll


    O3 - Toolbar: gksraemq - {F661BA6B-FAF4-4165-A701-F65A7585AC91} - C:\WINDOWS\gksraemq.dll (file missing)


    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe


    O4 - HKLM\..\Run: [updateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe


    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe


    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start


    O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"


    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE


    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe


    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe


    O4 - HKLM\..\Run: [ioloDelayModule] C:\Program Files\iolo\System Mechanic 6\delay.exe


    O4 - HKLM\..\Run: [bDMCon] C:\PROGRA~1\Softwin\BITDEF~1\bdmcon.exe


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


    O4 - HKLM\..\Run: [PhiBtn] %SystemRoot%\System32\drivers\PhiBtn.exe


    O4 - HKLM\..\Run: [Traymin900] %SystemRoot%\System32\drivers\Tray900.exe


    O4 - HKLM\..\Run: [systemGuardAlerter] SystemGuardAlerter.exe


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic 6\SMSystemAnalyzer.exe"


    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe


    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


    O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm


    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll


    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O12 - Plugin for .htm: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll


    O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll


    O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll


    O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll


    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop


    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab


    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab


    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204


    O16 - DPF: {37A273C2-5129-11D5-BF37-00A0CCE8754B} (TTestGenXInstallObject) - http://www.mathxl.com/wizmodules/testgen/i...GenXInstall.cab


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1121544410203


    O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/interact/...ActXInstall.cab


    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab


    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab


    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab


    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe


    O23 - Service: iolo System Guard (IOLO_SRV) - Unknown owner - C:\Program Files\iolo\System Mechanic 6\IoloSGCtrl.exe


    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe


    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 11301 bytes
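As an added example for triaging the HijackThis logs posted in this thread (it is not code from BitDefender, Trend Micro or any poster here), the script below parses the R/O entries and flags the kinds of lines that stand out in the second log: a scan timestamp containing text instead of a time, a start page pointing at an unknown host, a BHO or toolbar whose DLL is gone, startup entries without a full path, and the O6/O7 policy restrictions. The allow-list of expected home-page hosts and the sample log (lines copied from the logs above) are constructed for this example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Section code at the start of every R/F/O entry: R0, R1, O2, O3, O4, O23, ...
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")
# Header line; in the second log above the time field carries "VIRUS ALERT!"
HEADER_RE = re.compile(r"^Scan saved at (?P<time>.+?), on (?P<date>.+)$")
TIME_RE = re.compile(r"\d{1,2}:\d{2}(?::\d{2})?(?: ?[AP]M)?")

# Hosts treated as expected home/search pages on these HP laptops
# (constructed allow-list for this example, not an authoritative one).
KNOWN_PAGE_HOSTS = {"go.microsoft.com", "ie.redirect.hp.com", "g.msn.com"}

# Constructed sample: a handful of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:29: VIRUS ALERT!, on 9/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: gksraemq - {F661BA6B-FAF4-4165-A701-F65A7585AC91} - C:\WINDOWS\gksraemq.dll (file missing)
O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - Global Startup: traywc.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
"""

@dataclass
class Finding:
    section: str  # "header" or the HijackThis section code
    reason: str
    line: str

def page_host(body):
    """Host of an R0/R1 entry's URL, or None when the value is empty."""
    _, sep, value = body.partition("=")
    value = value.strip()
    if not sep or not value:
        return None
    return urlparse(value).hostname

def startup_command(body):
    """Command part of an O4 entry (after the [name] or the .lnk target), unquoted."""
    cmd = body.split("] ", 1)[1] if "] " in body else body.split(": ", 1)[-1]
    return cmd.split(" = ", 1)[-1].strip().strip('"')

def triage(log_text):
    """Return the entries a defender would look at first, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            if not TIME_RE.fullmatch(header.group("time")):
                findings.append(Finding("header", "non-time text in scan timestamp: "
                                        "the Windows time format string was altered", line))
            continue
        entry = ENTRY_RE.match(line)
        if not entry:
            continue  # process list, blank lines, footer
        section, body = entry.group("section"), entry.group("body")
        if section in ("R0", "R1") and ("Start Page" in body or "Search" in body):
            host = page_host(body)
            if host and host not in KNOWN_PAGE_HOSTS:
                findings.append(Finding(section, f"home/search page set to unknown host {host}", line))
        elif section in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
            # CLSID still registered although the DLL is gone: leftover or removed add-on.
            findings.append(Finding(section, "BHO/toolbar registered but its DLL is missing", line))
        elif section == "O4":
            cmd = startup_command(body)
            if cmd and cmd != "?" and "\\" not in cmd and not cmd.startswith("%"):
                findings.append(Finding(section, f"startup entry without a full path: {cmd} (for review)", line))
        elif section == "O6":
            findings.append(Finding(section, "Internet Explorer restrictions policy present", line))
        elif section == "O7" and re.search(r"DisableRegedit\s*=\s*1", body):
            findings.append(Finding(section, "Registry Editor disabled by policy", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The O4 check is deliberately noisy (legitimate HP and rundll32 entries also use bare file names), so its hits are marked for review rather than treated as verdicts.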

  • Hi! I got the same problem! Please help me too! The main virus seems to be Trojan.Vapsup.M.


    Please send a BitDefender scanlog.


    You could also try to delete the malware using AVIS with the Delete on reboot option. Try this and tell us if it didn't work.


    You can get AVIS here:


    http://www.bitdefender.com/files/Knowledge...file/BDAVIS.exe . After installing it please hit the update button to get the newer files for AVIS.

  • Please send a BitDefender scanlog.


    You could also try to delete the malware using AVIS with the Delete on reboot option. Try this and tell us if it didn't work.


    You can get AVIS here:


    http://www.bitdefender.com/files/Knowledge...file/BDAVIS.exe . After installing it please hit the update button to get the newer files for AVIS.


    Thanks for the response, adamian!


    But...I can't seem to be able to delete it with AVIS. (I scanned my computer, but couldn't find and delete it. Also, when I browse through to try and find the infected file, my C drive doesn't show.)


    My BitDefender shows "clean" in its scanlog; it did not show any viruses. But I still get Trojan.Patched.CK and Trojan.Vapsup.M. Also, I still can't change the desktop setting because "the system administrator disabled the control panel".


    Is there any other way to get rid of these viruses?


    Thanks!

  • Thanks for the response, adamian!


    But...I can't seem to be able to delete it with AVIS. (I scanned my computer, but couldn't find and delete it. Also, when I browse through to try and find the infected file, my C drive doesn't show.)


    My BitDefender shows "clean" in its scanlog; it did not show any viruses. But I still get Trojan.Patched.CK and Trojan.Vapsup.M. Also, I still can't change the desktop setting because "the system administrator disabled the control panel".


    Is there any other way to get rid of these viruses?


    Thanks!


    Adamian!


    I searched the web and found a forum that said to download Malwarebytes' Anti-Malware. I downloaded it and it fixed all my problems!!!


    But...I was wondering if you know about it and whether it was safe software to download (e.g. old malware replaced by new malware, maybe?)


    Anyways....I just wanted to let you know in case I got myself into bigger trouble.


    Thanks!

  • But...I was wondering if you know about it and whether it was safe software to download (e.g. old malware replaced by new malware, maybe?)


    Glad you've fixed the problems.


    Please post a link to the software and we'll be able to tell you if it's clean.


    Regards,


    Andrei

  • Glad you've fixed the problems.


    Please post a link to the software and we'll be able to tell you if it's clean.


    Regards,


    Andrei


    The link is:


    http://www.malwarebytes.org/mbam.php


    I just clicked on the green button that says "Download".


    Thanks!

  • I just clicked on the green button that says "Download".


    It's clean. Sorry for the long delay.