hi
avast found these 3 trojans and are in my chest, but i dont know what to do beacuse i saw webdrivers-i wanted to delete but decided to wait for advise and these other 3 file, which i think i should delete-
kernel32.dll
winsock.dll
wsock32.dll

these are the trojans-
Win32:Adware-gen [Adw]
DLL Win32:Spyware-gen [trj]
Win32:Adware-gen [Adw]

FileID: 0000000005 Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\NPWTHOST.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp133062928.tmp\5.DLL

FileID: 0000000004 Original file name: C:\WINDOWS\WT\WEBDRIVER\WTMULTI.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp133062928.tmp\4.DLL

FileID: 0000000006 Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\WTMULTI.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp133062928.tmp\6.DLL

i appreciate any help
-tks

WT may indicate Wild Tangent

google wt webdriver

no rush to delete

you could send to virus total to verify wild tangent

you could run an antispyware scan to see if there is something else out there

you could schedule a “scan on boot” scan with avast

lots of choices

a helper may have you post a HJT to check for additional wild tangent dll’s

The three system files kernel32.dll, winsock.dll, and wsock32.dll are for backup purposes don’t delete.

i have hijack this, should i post the log- i think it is wildtangent-

Virus has been detected!
File Name: WTMULTI.DLL
FileID: 4
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: NPWTHOST.DLL
FileID: 5
Virus Description: Win32:Spyware-gen [trj]

Virus has been detected!
File Name: WTMULTI.DLL
FileID: 6
Virus Description: Win32:Adware-gen [Adw]

i got this by scanning the files in the chest

Move files to temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp
FileID: 0000000005 Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\NPWTHOST.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp\5.DLL
FileID: 0000000004 Original file name: C:\WINDOWS\WT\WEBDRIVER\WTMULTI.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp\4.DLL
FileID: 0000000006 Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\WTMULTI.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp\6.DLL

Scan files in the temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp\4.DLL Win32:Adware-gen [Adw]
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp\5.DLL Win32:Spyware-gen [trj]
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp75284279.tmp\6.DLL Win32:Adware-gen [Adw]

avast found these 3 trojans and are in my chest, but i dont know what to do beacuse i saw webdrivers-i wanted to delete but decided to wait for advise and these other 3 file, which i think i should delete- kernel32.dll winsock.dll wsock32.dll

These are backups of legitimate system files- you should see they are in a separate section- and they should not be confused with any malware detected and moved to the chest: they can be left where they are indefinitely.

yea they are separate in the chest under system files

first
Do Whatever Frank says
just leave those system files alone in the chest for a while as they are backups

what to do with the three baddies? and possible Wild Tangent
so go ahead and post that HJT
just read the instructions closely and do not FIX anything till you hear from Frank or better
if you have an old version of HJT get the latest etc.

ok
heres the kt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:06, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User ‘Default user’)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

–
End of file - 4664 bytes

i dont know- this might help a log from

Malwarebytes’ Anti-Malware 1.20
Database version: 944
Windows 5.1.2600 Service Pack 2

7:56:07 PM 7/13/2008
mbam-log-7-13-2008 (19-56-03).txt

Scan type: Quick Scan
Objects scanned: 40465
Time elapsed: 12 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) → No action taken.
HKEY_CLASSES_ROOT\Typelib{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{58472bc6-bea3-42d4-8917-7a8bcb0711b5} (Trojan.Zlob) → No action taken.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) → No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler{d1577581-2ed7-469f-99b1-72c1339e0ee0} (Trojan.Zlob) → No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\SYSTEM32\734914 (Trojan.BHO) → No action taken.

Files Infected:
C:\WINDOWS\wr.txt (Malware.Trace) → No action taken.
C:\Documents and Settings\Jessie Singh\My Documents\My Music\My Music.url (Trojan.Zlob) → No action taken.
C:\Documents and Settings\Jessie Singh\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) → No action taken.
C:\Documents and Settings\Jessie Singh\My Documents\My Videos\My Video.url (Trojan.Zlob) → No action taken.

Nothing obvious in the log, but your Sun Java application needs updating.

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

ok avast found 2 more ny itself i was infected with antispycheck and found it now in superantispyware and removed it before with smithfraud fix or something

Virus has been detected!
File Name: A0087349.DLL
FileID: 7
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: A0087411.EXE
FileID: 8
Virus Description: Win32:Adware-gen [Adw]

Move files to temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp
FileID: 0000000007 Original file name: C:\SYSTEM VOLUME INFORMATION_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0087349.DLL New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp\7.DLL
FileID: 0000000008 Original file name: C:\SYSTEM VOLUME INFORMATION_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP292\A0087411.EXE New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp\8.EXE

Scan files in the temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp\7.DLL Win32:Adware-gen [Adw]
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp\8.EXE\nsis.hdr – no virus –
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp_avast4_\unp169004264.tmp\8.EXE Win32:Adware-gen [Adw]

i updated java,- was required for quicktime but i deleted it, i now use firefox and have ie6 but thinking of deleting it-should i?

also, some extra info
i have Superantispyware and it found antispycheck-(managed to delete)
Rogue.AntiSpyCheck
C:\SYSTEM VOLUME INFORMATION_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0087349.DLL

and was wondering if i should delete or not
i appreciate the help
tks

To clean System Restore:

Create a clean restore point then delete all previous infected restore points

Java comes in useful sometimes, but only you can say if you need it.

Welcome to the forums, bball.

Deleting IE may cause problem you do not want since Windows Explorer also uses some of the same components. Instead, upgrade to IE7 since it is more secure than IE6 even if IE is not your defailt browser. IE is not my default browser neither since I primarily use Opera 9.51 as my default browser.

After following Frank’s suggestions, run HJT again and fix the below entries if they are still present. These entries have no file associations and are therefore not needed.

[b]O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) [/b]

i downloaded ie7, cant i just delete the one i found from superanti…and the other 2 in the avast virus chest or do i have to delete all of my system restores, let me know what u think i should do

If you restore an infected point, you’ll have the infection again.
If you don’t need the restore points (i.e., your computer is working now), better deleting them and create a new, clean, one.

i might it isnt working right now i have the trojans in the virus chest and aybe more and is it safe to delete the 2 restore trojans(mentioned before) in avast chest and the one found in superanti…

Files into Chest are safe to be kept there. No rush to delete them.
To be sure you’re clean, I suggest:

1. (if you want) Disable System Restore and reenable it after step 3.
2. Clean your temporary files.
3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, better and safer is send the file to Quarantine than to simple delete than.
5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
6. Make a HijackThis log to post here or, better, submit the RunScanner log to to on-line analysis.
7. Immunize your system with SpywareBlaster or Windows Advanced Care.
8. Check if you have insecure applications with Secunia Software Inspector.

ok 1)ill delete temp files from internet options
2)scan w avast-and archievefiles-thorogh in safe mode
then delete all system restores w/o creating one if im right
3)use superanti and malware anti-malware and send items to quarantine not delete them
4)test w anti roots provided
5)make a ht log after completing all this
6)immunize w links prvided
i alreadu used secunia
is this right