Win32: Trojan-gen. {VB}

avast! tells me C:\td.exe\Files\IEDRIVER.EXE is infected with Win32: Trojan-gen. {VB}. But, it can’t do anything with it, even when I run a boot time scan. When I try to scan the file with Norton Antivirus, it tells me it doesn’t exist, so I don’t know what to do with it. Any help would be nice.

Click on the link in my signature and follow the steps as explained on that page. That should solve it.

Spybot and Ad-aware both worked without a problem, and I saved the log file from hijackthis (it’s on the other computer, so I’ll send it later) but when I run avast! it says “Cannot process ‘C:\td\Files\IEDRIVER.EXE’ file”.

If Avast detects it and asks you what to do, choose “remove at next boot when needed”. That should take care of the file.

This is the HijackThis logfile. Should I only delete some of these, or fix all of them?

Logfile of HijackThis v1.98.0
Scan saved at 5:07:11 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\kdx\KHost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\WinTools\WSup.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lime_Shop\Limeshop1.exe
C:\Program Files\Lime_Shop\Limeshop0.exe
C:\Program Files\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search200.com/passthrough/index.html?http://my.msn.com/?page=1&refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O1 - Hosts: Èi’Èi’’’˜’˜’ ’ ’¨’¨’°’°’¸’¸’À’À’ȒȒВВؒؒà’à’è’è’ð’ð’ø’ø’ ˆ’’’˜’˜’ ’ ’¨’¨’°’°’¸’¸’À’À’ȒȒВВؒؒà’à’è’è’ð’ð’ø’ø’
O1 - Hosts: ’˜’˜’ ’ ’¨’¨’°’°’¸’¸’À’À’ȒȒВВؒؒà’à’è’è’ð’ð’ø’ø’
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {C206CD77-D6B3-CE6E-1471-BDCD2841A864} - C:\PROGRA~1\CITYPO~1\Real regs.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [Limeshop0] “C:\Program Files\Lime_Shop\Limeshop0.exe”
O4 - HKLM..\Run: [BINDLOGO] C:\PROGRA~1\DASHHE~1\save glue.exe
O4 - HKLM..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM..\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [BatByteKnobBend] C:\Documents and Settings\All Users\Application Data\surf acid bat byte\platform idle.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Startup: Virtual Bouncer.lnk = ?
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: >>> FREE PORN GALLERIES <<< - javascript:{document.location=‘http://sexmaxx.com/freegalleries.htm’;}
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} - http://www.wildtangent.com/webdrivers/webinstall/Install.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/024d4197f1481c195702/netzip/RdxIE601.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/wildgames/tradewinds/install.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab

HJT does not show lines like:
Èi’Èi’?’?’?’?’ ’ ’¨’¨’°’°’¸’¸’À’
À’ȒȒВВؒؒà’à’è’è’ð’ð’ø
'ø’ ?’?’?’?’?’ ’ ’¨’¨’°’°
’¸’¸’À’À’ȒȒВВؒؒà
'à’è’è’ð’ð’ø’ø’
O1 - Hosts: ?’?’?’ ’ ’¨’¨’°’°’¸
'¸’À’À’ȒȒВВؒؒà’à’
è’è’ð’ð’ø’ø’

Did something go wrong while copying/pasting the log file?

Anyway, this is the result of my HJT log analyzer:

================================================================================
Analyzer information

Analyzer version : 3
bad.dat version : 9
good.dat version : 9
rec.dat version : 2

================================================================================
VERSION CHECKING

You are using a old version of Internet Explorer, please update.

================================================================================
GENERAL INFORMATION

All items in the log file which are not shown here
as to be deleted or safe to keep need to be investigated.

This website has a link to a tutorial on the hijackthislog:
http://members.home.nl/acred/cleaning.htm

Also use www.google.com to find out more on items not listed here.

================================================================================
THESE ITEMS SHOULD BE REMOVED:

\program files\common files\wintools\wtoolss.exe
\program files\common files\wintools\wtoolsa.exe
\program files\common files\wintools\wsup.exe
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r0 - hkcu\software\microsoft\internet explorer\toolbar,linksfoldername =
r3 - urlsearchhook: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o2 - bho: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o3 - toolbar: (no name) - {2cde1a7d-a478-4291-bf31-e1b4c16f92eb} - (no file)
o3 - toolbar: (no name) - {339bb23f-a864-48c0-a59f-29ea915965ec} - (no file)
o4 - hklm..\run: [wintools] c:\program files\common files\wintools\wtoolsa.exe
o16 - dpf: {205ff73b-ca67-11d5-99dd-444553540000} - http://www.wildtangent.com/webdrivers/webinstall/install.cab
o16 - dpf: {56336bcb-3d8a-11d6-a00b-0050da18de71} (rdxie class) - http://software-dl.real.com/024d4197f1481c195702/netzip/rdxie601.cab
o16 - dpf: {90c9629e-cd32-11d3-bbfb-00105a1f0d68} (installshield international setup player) - http://www.installengine.com/engine/isetup.cab
o16 - dpf: {ab29a544-d6b4-4e36-a1f8-d3e34fc7b00a} - http://install.wildtangent.com/bgn/partners/wildgames/tradewinds/install.cab
o16 - dpf: {b942a249-d1e7-4c11-98ae-fcb76b08747f} (realarcaderdxie class) - http://games-dl.real.com/gameconsole/bundler/cab/realarcaderdxie.cab
o16 - dpf: {e7dbfb6c-113a-47cf-b278-f5c6af4de1bd} - http://download.abacast.com/download/files/abasetup144.cab
o16 - dpf: {f54c1137-5e34-4b95-95a5-ba56d4d8d743} (secure delivery) - http://www.gamespot.com/kdx22/download/kdx.cab

================================================================================
THESE ITEMS ARE SAFE TO KEEP:

\windows\system32\smss.exe
\windows\system32\winlogon.exe
\windows\system32\services.exe
\windows\system32\lsass.exe
\windows\system32\svchost.exe
\windows\system32\svchost.exe
\windows\system32\spoolsv.exe
\program files\common files\symantec shared\ccevtmgr.exe
\program files\alwil software\avast4\aswupdsv.exe
\program files\alwil software\avast4\ashserv.exe
\program files\norton antivirus\navapsvc.exe
\windows\system32\nvsvc32.exe
\windows\explorer.exe
\program files\synaptics\syntp\syntplpr.exe
\program files\internet explorer\iexplore.exe
\program files\synaptics\syntp\syntpenh.exe
\program files\common files\symantec shared\ccapp.exe
\program files\quicktime\qttask.exe
\program files\common files\real\update_ob\realsched.exe
\windows\kdx\khost.exe
\program files\itunes\ituneshelper.exe
\program files\real\realplayer\realplay.exe
\program files\ipod\bin\ipodservice.exe
\progra~1\alwils~1\avast4\ashdisp.exe
\program files\messenger\msmsgs.exe
o2 - bho: (no name) - {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\sdhelper.dll
o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system32\msdxm.ocx
o3 - toolbar: norton antivirus - {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\navshext.dll
o4 - hklm..\run: [cpqset] c:\program files\hpq\default settings\cpqset.exe
o4 - hklm..\run: [srmclean] c:\cpqs\scom\srmclean.exe
o4 - hklm..\run: [syntplpr] c:\program files\synaptics\syntp\syntplpr.exe
o4 - hklm..\run: [syntpenh] c:\program files\synaptics\syntp\syntpenh.exe
o4 - hklm..\run: [nvcpldaemon] rundll32.exe c:\windows\system32\nvcpl.dll,nvstartup
o4 - hklm..\run: [ccapp] “c:\program files\common files\symantec shared\ccapp.exe”
o4 - hklm..\run: [ccregvfy] “c:\program files\common files\symantec shared\ccregvfy.exe”
o4 - hklm..\run: [quicktime task] “c:\program files\quicktime\qttask.exe” -atboottime
o4 - hklm..\run: [kdx] c:\windows\kdx\khost.exe
o4 - hklm..\run: [ituneshelper] c:\program files\itunes\ituneshelper.exe
o4 - hklm..\run: [avast!] c:\progra~1\alwils~1\avast4\ashdisp.exe
o9 - extra button: aim - {ac9e2541-2814-11d5-bc6d-00b0d0a1de45} - c:\program files\aim\aim.exe

================================================================================
THESE ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR
THE SYSTEM TO WORK, IT IS RECOMMENDED TO REMOVE THEM:

o4 - hkcu..\run: [msmsgs] “c:\program files\messenger\msmsgs.exe” /background
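
A small triage script in the spirit of the analyzer output above, added here as an example and not part of the thread, of HijackThis or of the analyzer used by the poster: it parses the log's "Running processes" block and the R/O entries, flags items matching a known-bad list (here only the WinTools paths the analyzer flagged, an assumption standing in for a real signature feed), and detects garbled O1 Hosts lines like the ones the reply asks about. The sample log is a constructed excerpt modelled on the log posted above.

```python
import re

# Constructed excerpt in HijackThis v1.98 log format (modelled on the thread's log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.98.0
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\Program Files\\Common Files\\WinTools\\WToolsS.exe

R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,CustomizeSearch =
O1 - Hosts: \u00c8i\u2019\u00c8i\u2019\u2019\u2019\u02dc\u2019
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsB.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM..\\Run: [WinTools] C:\\Program Files\\Common Files\\WinTools\\WToolsA.exe
O4 - HKLM..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
"""

# Assumption: a tiny "bad.dat" built only from what the thread's analyzer flagged.
KNOWN_BAD = ("\\wintools\\", "wtoolsb.dll")

# HJT entry lines start with a section tag such as R0, R1, O2, O4, O16.
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")


def parse_log(text):
    """Return (processes, entries): process paths and (section, rest) tuples."""
    processes, entries = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:                      # blank line ends the process block
            in_procs = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("sec"), m.group("rest")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def looks_garbled(s):
    """True when over half the characters fall outside printable ASCII, as in
    the O1 Hosts lines above (a hosts file overwritten with binary junk)."""
    nonascii = sum(1 for c in s if ord(c) < 32 or ord(c) > 126)
    return len(s) > 0 and nonascii / len(s) > 0.5


def triage(text):
    """Classify each item: 'remove' (known-bad match), 'garbled-hosts',
    'empty-value' (R entry with nothing after '='), 'orphan' (O3 '(no file)'),
    or 'review' (needs a human or a search, as the analyzer output says)."""
    processes, entries = parse_log(text)
    findings = []
    for p in processes:
        verdict = "remove" if any(b in p.lower() for b in KNOWN_BAD) else "review"
        findings.append(("process", p, verdict))
    for sec, rest in entries:
        low = rest.lower()
        if any(b in low for b in KNOWN_BAD):
            verdict = "remove"
        elif sec == "O1" and looks_garbled(rest.split("Hosts: ", 1)[-1]):
            verdict = "garbled-hosts"
        elif sec.startswith("R") and rest.endswith("="):
            verdict = "empty-value"
        elif sec == "O3" and rest.endswith("(no file)"):
            verdict = "orphan"
        else:
            verdict = "review"
        findings.append((sec, rest, verdict))
    return findings


if __name__ == "__main__":
    for sec, item, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:13} {sec:8} {item}")
```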

Logfile of HijackThis v1.98.0
Scan saved at 6:10:07 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lime_Shop\Limeshop0.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe

C:\Program Files\Lime_Shop\Limeshop1.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\hijackthis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50032
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50032
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {C206CD77-D6B3-CE6E-1471-BDCD2841A864} - C:\PROGRA~1\CITYPO~1\Real regs.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [Limeshop0] “C:\Program Files\Lime_Shop\Limeshop0.exe”
O4 - HKLM..\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

I ran the programs like it says in the link you gave me, but hijackthis still finds the bad processes, and Spybot still finds some problems (even after I fix them, when I run it a few seconds later they are still there).

If you followed the instructions on the page I gave you, the things will be gone.
Are you sure you did all steps, like disabling system restore?

I did all the steps again, making sure system restore was disabled, and I booted in safe mode, and here are the problems I am left with:
-avast! isn’t able to delete the file C:\td.exe\Files\IEDRIVER.EXE, even when I tell it to remove it at next system startup if necessary, then reboot
-in hijackthis, I can delete all the unwanted things, and while still in safe mode they will remain gone, but when I reboot in normal Windows mode after following all the steps, the processes are back, and I can’t delete them with hjt because the processes are running, and I can’t end the processes manually from the task manager (“the operation could not be completed. access is denied.”)
-spybot s&d finds three problems, which it says are data source object exploits, and fixes them, but when I’m still in safe mode and run spybot again, it finds the same three problems again, and again says it fixes them when in fact it does not

Hi,

Go to Control Panel → Software/programs, and uninstall WINTOOLS/Wtools.

Reboot to Safe Mode (F8-Boot), then open & scan with Hijackthis again &
go Config → MiscTools → Process Manager

  • Kill any of the remaining processes of wintools/wtools
  • go back to HJT’s main window and check & fix the remaining Wintools entries…

reboot and post a new log

P.S.: Hijackthis version 1.98.1 is out, please update first…

:wink:

I couldn’t go to spywareinfo.com to update hjt, but the version I have seemed to work fine for this. Here’s the log file after I rebooted:

Logfile of HijackThis v1.98.0
Scan saved at 9:17:04 AM, on 8/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/default.armx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {C206CD77-D6B3-CE6E-1471-BDCD2841A864} - C:\PROGRA~1\CITYPO~1\Real regs.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [ccRegVfy] “C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\Lime_Shop\Sy700\Tp700\scri700a.htm
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com

Now what should I do about spybot and avast!?

This log looks clean to me. The latest version of HijackThis can be downloaded through the links on my site. If one doesn’t work, try the other. Still having that problem with “C:\td.exe\Files\IEDRIVER.EXE”? If so, try to move it to the chest and delete it from there. If that won’t work either, look at these 3 sites:
http://www.softwarepatch.com/tips/howto-delete-xp.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;320081
http://www.noeld.com/programs.asp?cat=misc

Do you know/need the above entries?
If not check & fix them with hijackthis…

If they still exist, test the files:
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\Program Files\Common Files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe
with avast-scanner:
if it doesn’t pick them up, please send them in…

be sure to delete the folder
C:\Program Files\Common Files\WinTools\

  • update ad-aware & SPYBOT, scan & fix with them several times, till no more is found (except DSO-Exploit in SPYBOT; ignore this…)

  • reboot and do a thorough scan with avast (archive scanning enabled)
    → report detailed results

  • Online scans with Trend & RAV (see “VirusRemoval” link below) are also advised…

:wink:

Wintools is gone, I’m glad, and here’s what happened with avast!

In safe mode I ran a thorough scan with archive scanning enabled, and it found the file C:\td.exe\Files\IEDRIVER.EXE to have the Win32:Trojan-gen. {VB} virus. Whatever I tried to do (repair, delete, or move to chest) avast! said: “cannot process ‘C:\td.exe\Files\IEDRIVER.EXE’ file”. That was the only file that was infected.

Try to remove that folder manually. You may need the help of the pages I gave you earlier. Try it in safe mode, or from the recovery console if those pages still won’t let you remove it.

as always:
Google is your friend:

Weblink1

Weblink2

and so on…

:wink:

Thanks for the help, I got rid of the file finally :slight_smile: