Registered User
Join Date: Nov 2006
Posts: 19
OS: XP
Please help... infected by trojan.downloader.adload.hd
Hi there,
My BitDefender popped up and told me that my PC is infected by trojan.downloader.adload.hd. So can anyone tell me how to remove this trojan? This is my log...
Alan Ivan - 06-11-28 10:54:02.83 Service Pack 2
ComboFix 06.11.2.4W - Running from: "C:\Documents and Settings\Alan Ivan\Desktop"
((((((((((((((((((((((((((((((( Files Created from 2006-10-28 to 2006-11-28 ))))))))))))))))))))))))))))))))))
2006-11-28 00:59 <DIR> dr-h----- C:\Documents and Settings\Alan Ivan\Recent
2006-11-27 00:23 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2006-11-22 18:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SRS Labs
2006-11-22 18:12 <DIR> d-------- C:\Program Files\Common Files\SRS Labs Shared
2006-11-22 18:11 <DIR> d-------- C:\Program Files\SRS Labs
2006-11-22 00:51 <DIR> d-------- C:\Program Files\Admiresoft
2006-11-20 15:19 45,568 --a------ C:\WINDOWS\system32\drivers\tshd4_kern_i386.sys
2006-11-20 15:19 44,416 --a------ C:\WINDOWS\system32\drivers\Surroundhp_kern_i386.sys
2006-11-20 15:19 37,248 --a------ C:\WINDOWS\system32\drivers\csiidecoder_kern_i386.sys
2006-11-20 15:19 34,176 --a------ C:\WINDOWS\system32\drivers\SRS_SSCFilter.sys
2006-11-20 15:19 32,000 --a------ C:\WINDOWS\system32\drivers\wowhd_kern_i386.sys
2006-11-17 02:40 <DIR> d-------- C:\Documents and Settings\Alan Ivan\Application Data\Apple Computer
2006-11-17 02:35 <DIR> d-------- C:\Program Files\Apple Software Update
2006-11-16 12:58 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-11-16 12:58 <DIR> d-------- C:\b5aeab04707744a74ff1cb17ed55
2006-11-11 15:19 <DIR> d-------- C:\Downloads
2006-11-06 01:15 <DIR> d-------- C:\Program Files\Registry Doctor
2006-11-04 14:14 1,245,696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-28 20:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2006-10-28 12:10 <DIR> d--h----- C:\WINDOWS\PIF
2006-10-28 11:32 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-11-27 10:34 -------- d-------- C:\Documents and Settings\Alan Ivan\Application Data\iMesh
2006-11-26 17:07 -------- d-------- C:\Program Files\Warcraft III
2006-11-24 02:03 -------- d---s---- C:\Documents and Settings\Alan Ivan\Application Data\Microsoft
2006-11-23 16:44 -------- d-------- C:\Program Files\iMesh Applications
2006-11-22 18:12 -------- d-------- C:\Program Files\Common Files
2006-11-16 12:57 -------- d-------- C:\Program Files\Internet Explorer
2006-11-15 01:48 -------- d-------- C:\Program Files\BitComet
2006-11-11 15:40 -------- d-------- C:\Documents and Settings\Alan Ivan\Application Data\IMVU
2006-11-11 15:19 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2006-10-30 16:16 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-30 16:15 -------- d-------- C:\Program Files\MSN Messenger
2006-10-23 16:18 -------- d-------- C:\Program Files\Messenger Plus! Live
2006-10-23 15:50 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-23 15:50 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-10-21 18:06 -------- d-------- C:\Program Files\Windows Live Safety Center
2006-10-20 21:07 -------- d-------- C:\Program Files\Wizet
2006-10-13 20:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-13 20:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-13 18:23 163584 --a------ C:\WINDOWS\system32\drivers\nwrdr.sys
2006-10-08 21:38 73728 --a------ C:\WINDOWS\system32\sockspy.dll
2006-10-08 21:36 77824 --a------ C:\WINDOWS\system32\xcomm.dll
2006-10-08 21:23 -------- d-------- C:\Program Files\Softwin
2006-10-08 21:23 -------- d-------- C:\Program Files\Common Files\Softwin
2006-10-08 21:17 -------- d-------- C:\Program Files\WinRAR
2006-09-16 09:01 2508 --a------ C:\Documents and Settings\Alan Ivan\Application Data\$_hpcst$.hpc
2006-09-13 13:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-10 20:44 2816 --a------ C:\Documents and Settings\Alan Ivan\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-08-09 16:49 869 --a------ C:\Documents and Settings\Alan Ivan\Application Data\AdobeDLM.log
2006-08-09 16:49 0 --a------ C:\Documents and Settings\Alan Ivan\Application Data\dm.ini
2006-08-06 22:39 62 --ahs---- C:\Documents and Settings\Alan Ivan\Application Data\desktop.ini
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"SRS Audio Sandbox"="\"C:\\Program Files\\SRS Labs\\Audio Sandbox\\SRSSSC.exe\" /hideme"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BDMCon"="C:\\PROGRA~1\\Softwin\\BITDEF~1\\bdmcon.exe"
"BDNewsAgent"="\"C:\\PROGRA~1\\Softwin\\BITDEF~1\\bdnagent.exe\""
"BDSwitchAgent"="\"C:\\PROGRA~1\\Softwin\\BITDEF~1\\bdswitch.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
Completion time: 06-11-28 10:55:40.75
C:\ComboFix.txt ... 06-11-28 10:55