Download Hijackthis.exe and post the logfile.
Also download RootkitRevealer and post the log as well.
Trojan horse Dropper.Generic.AFNC
So far I have used:
AVG 8.0 - updated to the latest database
Malwarebytes 1.36 - updated to the latest
Uninstalled AVG and installed Kaspersky 2009
Uninstalled Kaspersky and installed Avast!
All four programs find it .. delete it ... after reboot ... then a few hours later it reappears ...
Trust thyself only, and another shall not betray thee.
http://s18.postimage.org/h9xu3rrhx/fb_sevapers.jpg
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:50:15 PM, on 18/04/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\StatBar.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Stat Bar 2.46.lnk = C:\StatBar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O17 - HKLM\System\CCS\Services\Tcpip\..\{39F12AF3-B9E5-4141-9874-BA7852C5B85E}: NameServer = 192.168.1.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 5076 bytes
maybe this will help
Do you still have the virus? As far as I can see there is no trojan dropper... :S
What's C:\StatBar.exe? Kill it if not needed.
Remove
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - Startup: Stat Bar 2.46.lnk = C:\StatBar.exe
Also what file do the virus checkers find the virus in?
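The advice above amounts to three checks against a HijackThis log: entries whose target file is gone, services with no recognised owner, and autostarts living in odd places. As an added example (not code from any poster in this thread, and not part of HijackThis itself), the script below applies those checks to a constructed sample modelled on the posted log; the "Example Updater" service line is invented to exercise the unknown-owner rule, and the paths are assumed rather than verified on a live machine. It also shows the registry key under which an O2 BHO is registered, which is where a "(no file)" BHO entry is removed by hand if HijackThis's own Fix option is not used.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v2 format, modelled on the log posted above.
# The "Example Updater" service line is invented to exercise the unknown-owner
# rule; every other line mirrors an entry from the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: Stat Bar 2.46.lnk = C:\StatBar.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Example Updater (exupd) - Unknown owner - C:\WINDOWS\system32\exupd.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# First drive-letter path ending in a binary/shortcut extension; lazy so it
# stops at the first extension and ignores trailing "(file missing)" text.
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|lnk|sys)\b', re.IGNORECASE)
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Internet Explorer loads Browser Helper Objects from the {CLSID} subkeys here.
BHO_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line; the header, the
    process list and the 'End of file' trailer do not match and are skipped."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def referenced_path(body):
    """First Windows file path mentioned in an entry, or None."""
    m = WIN_PATH.search(body)
    return m.group(0) if m else None


def triage(text):
    """Apply three cheap rules to a log and return (rule, section, body) hits.

    orphan               entry points at a file that is no longer on disk
                         (leftover of an uninstall or of a removed payload);
                         the registry entry itself is safe to delete.
    unknown-owner        service whose binary carries no recognised company
                         name; check the file's signature before trusting it.
    drive-root-autostart autostart whose executable sits directly in a drive
                         root rather than under Program Files or Windows;
                         verify what it is before removing it.
    """
    hits = []
    for sec, body in parse_hjt(text):
        if any(marker in body for marker in ORPHAN_MARKERS):
            hits.append(("orphan", sec, body))
            continue  # nothing on disk left to inspect
        if sec == "O23" and "Unknown owner" in body:
            hits.append(("unknown-owner", sec, body))
        path = referenced_path(body)
        if sec == "O4" and path and len(PureWindowsPath(path).parts) == 2:
            hits.append(("drive-root-autostart", sec, body))
    return hits


def bho_registry_key(entry):
    """Registry key that registers the BHO named in an O2 line. Deleting that
    {CLSID} subkey is how a '(no file)' O2 entry is removed by hand; returns
    None if the line carries no CLSID."""
    m = CLSID.search(entry)
    return f"{BHO_KEY}\\{m.group(0)}" if m else None


if __name__ == "__main__":
    for rule, sec, body in triage(SAMPLE_LOG):
        print(f"{rule:22} {sec:4} {body}")
        if sec == "O2":
            print(f"{'':22} remove: {bho_registry_key(body)}")
```

Run it as a script to see the hits. Treat "orphan" hits as safe to delete and the other two as prompts to verify rather than delete: the C:\StatBar.exe line, for instance, is flagged only because of where the file lives, which is exactly the "what is it?" question asked above.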
System Information directory????
C:\Documents and Settings\Network Service\Local Settings\Temporary Internet Files\Content.IE5\
Files in that folder:
kghcwlrr[1].gif
sgliuxt[1].bmp
Always image formats ...
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) <-- where do I remove that?
O4 - Startup: Stat Bar 2.46.lnk = C:\StatBar.exe <--- has always been on the PC .. never been an issue ..
Yeah, tried ComboFix early on .. it appears the virus is not there as yet ... as soon as it shows itself I'll do another HijackThis and post the log here ...
If it's in images and in Temporary Internet Files, odds are they are false positives.
Purge the contents of the IE cache and then go in manually and delete any files left there.
See if it comes back without opening Internet Explorer at all (that includes Outlook Express).
False positives <--- I was thinking the same when AVG was installed, then I tried the other 3 programs and they come up with the same threat ... got me puzzled ..
Have you tried turning off System Restore and scanning in Safe Mode? ......... just a thought, mate.
Oh, and give this trojan remover a try, it's very good.
Hi,
Give Spybot Search & Destroy a go.
It's free.
I use it with Malwarebytes, which is also free.
Cheers
Gotta hate that ...... pesky little buggers ..
For what it's worth, pull out the bulldozer.
I know it's a pain, but if I ever get a bad one like this I prefer to do a clean install, just for the peace of mind.
But it depends on your circumstances I guess.
Good Luck
All sorted now ... it was my next-door neighbour who was infected, and he's on our LAN .. as soon as he formatted and cleaned his PCs, all good now ...