Win32.Adload-LD [Tri]??

"NOTICE: If your computer is infected, you could suffer data loss, erratic PC behaviour, PC freezes and crashes.
Detect and remove viruses before they activate themselves on your PC to prevent all these problems.

Do you want to install TrustedAntivurs to scan your PC for malware now? (Recommended).

Ok/Cancel"

There was also a point - several in fact - where it sounded like an advert was playing in the background. I could hear it plainly through my speakers, but there was nothing to indicate anything on my screen/desktop.

Yesterday I scanned my puter with both Ad-aware and Spybot. They both found things, and I obviously deleted what they found. There was even something marked as ‘new’ in my RegCleaner so I deleted that.

Sorted thought Spike.

StupidSpike.

This morning I boot up and almost instantly I get the same message (quoted above).

I’m now doing a full scan with avast! but as yet it hasn’t found anything.

I know where I got this Trojan - it was from an LJ post, but in fairness it’s probably more likely from the website that the post referred to. I’ve left a comment to the effect of “your post has given me a trojan horse”, but as yet I haven’t reported it/them to LJ. I’m not sure whether I can or should, to be honest.

I did a full scan with avast! and it didn’t find anything, but a short time later it came up with a pop-up telling me it had found a Trojan Horse. The trouble is whenever I tried to either ‘move to chest’ or delete it, I got:

“avast! The process cannot access the file because it is being used by another process.”

So in the end, having had no choice, I clicked “no action” (I know that’s a bad thing, but I didn’t know what else to do).

I’m not sure where in the proceedings, I also got the following message:

"Cannot process "C:\Documents and Settings\Mr Cooper\Local Settings\Temporary Internet Files\Content.IE5\TS2JQHXQ\SystemDefender_Installer[1].exe[UPX]" file"

I think it’s called

Win32.Adload-LD [tri]

but a google gave me literally nothing (as did a search for it on CNET.com).

I’ve also tried the Avast Worm Cleaner (or whatever it’s called) and it came up with nothing (aside from a few results that read “file cannot be scanned!”).

Any help would be appreciated.

Spike.

Hi:

Best to START by using the FREE Version of “RogueRemover” available at
www.malwarebytes.org/rogueremover.php .

I certainly hope you have MORE THAN Avast for your security !? Do you have
any antiSPYWARE/antiTROJAN program(s) ? IF no, then I recommend you
get & use the FREE Version of SUPERAntiSpyware from
www.superantispyware.com .

Thanks, I’ve done that. It didn’t tell me that it had found anything - is it supposed to?

As well as avast! I also regularly use (free) ad-aware and spybot, and I also have free SpywareBlaster in the background.

ETA again.

I’m posting this before reading oldman’s post/reply but this was the scanner log. I’ve done nothing with it yet as I don’t want to delete something that’s important:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/07/2008 at 09:24 AM

Application Version : 4.0.1154

Core Rules Database Version : 3415
Trace Rules Database Version: 1407

Scan type : Complete Scan
Total Scan Time : 00:28:01

Memory items scanned : 444
Memory threats detected : 1
Registry items scanned : 5346
Registry threats detected : 29
File items scanned : 12750
File threats detected : 46

Adware.SXGAdvisor-A
C:\WINDOWS\DKXRSTQLKO.DLL
C:\WINDOWS\DKXRSTQLKO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}\InprocServer32
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}\InprocServer32#ThreadingModel
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}\ProgID
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}\Programmable
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}\TypeLib
HKCR\CLSID\{5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3}\VersionIndependentProgID

Trojan.Smitfraud Variant
HKLM\Software\Classes\CLSID\{3750da11-9b0c-4a75-9c8a-bbcbfcd1ccea}
HKCR\CLSID\{3750DA11-9B0C-4A75-9C8A-BBCBFCD1CCEA}
HKCR\CLSID\{3750DA11-9B0C-4A75-9C8A-BBCBFCD1CCEA}\InProcServer32
HKCR\CLSID\{3750DA11-9B0C-4A75-9C8A-BBCBFCD1CCEA}\InProcServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\FFTKTMK.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@208.122.40[3].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@protect.trustedantivirus[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@gomyhit[3].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@sale.trustedantivirus[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@www.googleadservices[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@209.9.174[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@ad.yieldmanager[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@protect.trustedantivirus[3].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@protect.trustedantivirus[4].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@secure.advancedcleaner[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@sixapart.adbureau[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@gomyhit[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@toplist[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@208.122.40[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@www.googleadservices[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@www.system-defender[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@revsci[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@iacas.adbureau[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@trustedantivirus[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@dealtime[1].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@208.122.40[4].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@stat.dealtime[2].txt
C:\Documents and Settings\Mr Cooper\Cookies\mr_cooper@advancedcleaner[2].txt
C:\Documents and Settings\Guest\Cookies\guest@questionmarket[2].txt
C:\Documents and Settings\Guest\Cookies\guest@somasex[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adbrite[1].txt
C:\Documents and Settings\Guest\Cookies\guest@ads.aol.co[2].txt
C:\Documents and Settings\Guest\Cookies\guest@eyewonder[1].txt
C:\Documents and Settings\Guest\Cookies\guest@members.cartoonsexnetwork[1].txt
C:\Documents and Settings\Guest\Cookies\guest@statse.webtrendslive[1].txt
C:\Documents and Settings\Guest\Cookies\guest@revenue[2].txt
C:\Documents and Settings\Guest\Cookies\guest@rotator.adjuggler[1].txt
C:\Documents and Settings\Guest\Cookies\guest@counter4.sextracker[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adrevolver[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adrevenue[1].txt
C:\Documents and Settings\Guest\Cookies\guest@xiti[1].txt
C:\Documents and Settings\Guest\Cookies\guest@tradedoubler[1].txt
C:\Documents and Settings\Guest\Cookies\guest@247realmedia[1].txt
C:\Documents and Settings\Guest\Cookies\guest@xxx.famous-toons[2].txt
C:\Documents and Settings\Guest\Cookies\guest@media.adrevolver[2].txt
C:\Documents and Settings\Guest\Cookies\guest@xxxcounter[1].txt

Registry Cleaner Trial
HKCR\Install.Install
HKCR\Install.Install\CLSID
HKCR\Install.Install\CurVer
HKCR\Install.Install.1
HKCR\Install.Install.1\CLSID

Trojan.Security Toolbar
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url

Unclassified.Unknown Origin
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad#zip [ {d9bfcedd-23ba-472e-875c-b21807b7641c} ]

Trojan.Media-Codec/V4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Information Center#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#Publisher

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\GUEST\FAVORITES\ONLINE SECURITY TEST.URL

Well that didn’t work… I just had the “your computer could be infected etc” pop-up again.

ETA -

Sorry, I hadn’t tried the second linkything/download when I posted the above, so I’m doing that now.

Hi, if SaS gives no relief, we can go after it with this.

Download both, but run them in the order posted. You can attach the log using the additional options button on the reply page. You may have to scroll down a bit to see the browse button.

Please download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop.

- Please, never rename Combofix unless instructed.
- Close any open browsers.
- Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause “unpredictable results”.
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don’t know how to disable it, please ask.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the “C:\ComboFix.txt” along with a new HijackThis log for further review.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

- Save HJTsetup.exe to your desktop.
- Doubleclick on the HJTsetup.exe icon on your desktop.
- By default it will install to C:\Program Files\Hijack This.
- Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
- Put a check by Create a desktop icon then click Next again.
- Continue to follow the rest of the prompts from there.
- At the final dialogue box click Finish and it will launch Hijack This.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
- Come back here to this thread and Paste the log in your next reply.
- DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

All of the SAS scan can be quarantined. SAS took a big chunk out of it. Go ahead with the combofix and HJT.

I’m sorry to be a pain but I’m not sure how to turn certain things off :-[

I can turn avast! and SpywareBlaster off easily enough I think but I’m not sure about

ad-aware
spybot
SuperAntispyware
ePrompter (if that counts)?

Sorry again

Spike.

No problem. There is a link in the instructions that will give you the info you need. It’s in the quote box below, just click the words “this link”.

Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled.

If SAS is the free version it should be on demand only, so not a problem. The instructions for the other 2 (ad-aware, spybot) are there. Spybot’s Teatimer is the one.

Sorry for the delay, I’ve been offline.

And apologies it’s not Ad-aware I was having problems with (although that is on my system), it’s a-squared (free).

The free version is non resident so it shouldn’t be a problem.

Ok, thanks.

Please find attached log files for combofix and HijackThis (scanned in that order)

There isn’t a combofix log. To attach multiple attachments, you will have to click the more attachments button beside the browse button after you attach the first one.

Oopsy… I’ll try that again then…

Hi could you please post the other combofix log also, it’s located at c:\combofix

Ok, I hopefully have everything right now. :-\

We’ll start with this.

Open HJT, run a system scan only, check mark these lines if present

O3 - Toolbar: enlfxgw - {BB834DE7-ADD8-49ED-826A-3DE15ED23A44} - C:\WINDOWS\enlfxgw.dll (file missing)
O21 - SSODL: btrklfr - {63C18A31-099F-40DB-80F2-8AF5C16DE66A} - C:\WINDOWS\btrklfr.dll (file missing)
O21 - SSODL: apdqnxp - {CDB2963D-EFFA-4329-8248-08EF9EA25BE9} - C:\WINDOWS\apdqnxp.dll

Close all other browsers/windows, click fix, close HJT.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix folder will be extracted to %systemdrive%\ (the drive that contains the Windows directory, typically ‘C:\SDFix’). Open the SDFix folder in Safe Mode, then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan services, then make some repairs to the registry and prompt you to press any key to reboot. Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the fixtool will complete the removal and display Finished; then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.

- Close all other windows before proceeding.
- Double-click on dss.exe and follow the prompts.
- When it has finished, dss will open two Notepads, main.txt and extra.txt. Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
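Worked example, added here and not taken from the thread, HijackThis or SDFix: a small Python triage script for the O2/O3/O21 lines the helper asked to tick. It separates entries whose DLL is already gone ("(file missing)", a dead autostart that only needs its registry key removed) from entries that still point at a randomly named DLL sitting directly in C:\WINDOWS, which is where this family dropped apdqnxp.dll and DKXRSTQLKO.DLL. The sample log is constructed: the three fix lines are the ones quoted above, the DKXRSTQLKO line is built from the SUPERAntiSpyware BHO entry, and the remaining benign lines and their all-zero GUIDs are placeholders. The vowel-count heuristic is my assumption, not a rule any of the tools on the page uses.

```python
"""Triage of HijackThis-style O2 (BHO), O3 (IE toolbar) and O21 (SSODL) lines.

Added example, not part of the thread, HijackThis or SDFix. Verdicts:
  missing    - the registered DLL is gone; a dead autostart entry to remove
  suspicious - the DLL still exists, sits directly in the Windows folder, and
               has a random-looking name (assumption: no vendor ships a DLL
               called apdqnxp directly under the Windows folder)
  ok         - everything else, left alone unless a human says otherwise
"""
import re
from dataclasses import dataclass

# Constructed sample. enlfxgw / btrklfr / apdqnxp are the three lines quoted in
# the thread; the DKXRSTQLKO line is built from the SuperAntiSpyware BHO entry;
# the other lines are made-up benign entries with placeholder GUIDs.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5ECF6DEA-D8A3-45D8-91B8-C5D52C1C17D3} - C:\WINDOWS\DKXRSTQLKO.DLL
O3 - Toolbar: enlfxgw - {BB834DE7-ADD8-49ED-826A-3DE15ED23A44} - C:\WINDOWS\enlfxgw.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: btrklfr - {63C18A31-099F-40DB-80F2-8AF5C16DE66A} - C:\WINDOWS\btrklfr.dll (file missing)
O21 - SSODL: apdqnxp - {CDB2963D-EFFA-4329-8248-08EF9EA25BE9} - C:\WINDOWS\apdqnxp.dll
O21 - SSODL: WPDShServiceObj - {00000000-0000-0000-0000-000000000002} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# "O<n> - <type>: <name> - {CLSID} - <path>[ (file missing)]"
ITEM_RE = re.compile(
    r"^(?P<kind>O(?:2|3|21)) - (?P<type>BHO|Toolbar|SSODL): "
    r"(?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Item:
    line: str      # original log line, so it can be pasted back as a fix list
    kind: str      # O2 / O3 / O21
    name: str
    clsid: str
    path: str
    missing: bool
    verdict: str = ""


def parse_items(log_text):
    """Return the O2/O3/O21 entries of a HijackThis log; other item types are skipped."""
    items = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ITEM_RE.match(line)
        if m:
            items.append(Item(line, m["kind"], m["name"], m["clsid"],
                              m["path"], m["missing"] is not None))
    return items


def in_windows_root(path):
    """True for a file directly in the Windows folder (not System32 or any subfolder)."""
    return re.match(r"^[a-z]:\\windows\\[^\\]+$", path.lower()) is not None


def looks_random(stem):
    """Heuristic (assumption): all letters with almost no vowels, or a long
    consonant run. Only meaningful for the Windows root, because System32 is
    full of legitimate vowel-free names such as shdocvw."""
    s = stem.lower()
    if not s.isalpha():
        return False
    vowels = sum(c in "aeiou" for c in s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    return vowels / len(s) < 0.2 or longest_run >= 5


def triage(items):
    """Assign a verdict to every parsed item and return the same list."""
    for it in items:
        stem = it.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if it.missing:
            it.verdict = "missing"
        elif in_windows_root(it.path) and looks_random(stem):
            it.verdict = "suspicious"
        else:
            it.verdict = "ok"
    return items


def fix_list(items):
    """The lines a helper would tell the user to tick in HijackThis."""
    return [it.line for it in items if it.verdict != "ok"]


if __name__ == "__main__":
    for it in triage(parse_items(SAMPLE_HJT_LOG)):
        print(f"{it.verdict:10} {it.kind:3} {it.name:18} {it.path}")
```

Run as-is it prints one verdict per entry; to use it on a real log call parse_items(open(path).read()) instead. On the sample it ticks the same three lines the helper listed plus the DKXRSTQLKO BHO, and leaves the Adobe and WPDShServiceObj entries alone. Removing a registry entry does not delete a DLL that is still on disk, which is why the helper follows the HJT fix with SDFix to take out apdqnxp.dll itself.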

I’m posting the contents of the Report.txt now, and will do the next bit and post again.

Report.txt

SDFix: Version 1.158

Run by Mr Cooper on 17/03/2008 at 14:53

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\Installer\{57938394-a2c0-4aa7-a3be-8559401c32f2}\SetupMon.dll - Deleted
C:\Program Files\antiviirus.exe - Deleted
C:\WINDOWS\apdqnxp.dll - Deleted
C:\WINDOWS\fqspogw.exe - Deleted

Folder C:\WINDOWS\Installer\{57938394-a2c0-4aa7-a3be-8559401c32f2} - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 15:01:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden services & system hive …

scanning hidden registry entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 184

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Real\RealPlayer\realplay.exe"="C:\Program Files\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 28 Oct 2004 1,142,784 A..H. --- "C:\My Games\Incadia\Incadia.exe"
Tue 21 Sep 2004 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 24 Apr 2006 401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv10.bak"
Wed 5 Mar 2008 22,786 ..SHR --- "C:\WINDOWS\Installer\{d9bfcedd-23ba-472e-875c-b21807b7641c}\zip.dll"
Fri 8 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 27 Jul 2007 19,456 ...H. --- "C:\Documents and Settings\Mr Cooper\My Documents\Mum's bd picz\~WRL3077.tmp"
Wed 19 Sep 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393bb6d5cf2f8ddce679d2cc37627398\BIT2.tmp"
Tue 11 Jan 2005 174,592 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Templates\~WRL0003.tmp"
Mon 18 Sep 2006 162,816 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Templates\~WRL0005.tmp"
Fri 28 Apr 2006 49,152 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Templates\~WRL0589.tmp"
Wed 10 Nov 2004 104,960 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Templates\~WRL2001.tmp"
Wed 31 May 2006 78,336 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL0004.tmp"
Thu 19 Oct 2006 175,104 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL0063.tmp"
Mon 14 Feb 2005 20,992 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL0584.tmp"
Fri 27 Jul 2007 4,721,152 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL0927.tmp"
Sat 30 Jun 2007 174,080 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL1863.tmp"
Fri 25 Jan 2008 2,074,112 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL2387.tmp"
Wed 6 Jun 2007 271,360 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL2393.tmp"
Wed 6 Jun 2007 246,784 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL2583.tmp"
Mon 14 Feb 2005 19,456 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL2813.tmp"
Sat 30 Jun 2007 199,680 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL3445.tmp"
Sun 20 Jan 2008 283,648 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL3577.tmp"
Wed 6 Jun 2007 273,920 ...H. --- "C:\Documents and Settings\Mr Cooper\Application Data\Microsoft\Word\~WRL3825.tmp"

Finished!

I couldn’t post the two notepad texts as they exceeded the maximum amount of characters allowed on the forum.

I was going to attach them, but I’d closed them and now I’m not sure where my puter has saved them - can you tell me where they are please?

Thanks,

Spike.

c:\Deckard