Status
Not open for further replies.
1 - 6 of 6 Posts

Registered · 8 Posts
Discussion Starter #1
I have scanned with Antivir, Spybot S&D and Ad-Aware.

Antivir removed about 8 trojans, Ad-Aware removed a bunch of adware, and Spybot removed a lot of spyware. I noticed this PowerScan junk got installed on my computer and is messing it up! Nonetheless, after all the scans it looks like I still have the trojans :mad:

Antivir keeps deleting a trojan that keeps popping up repeatedly, and its name is: TR/Dldr.Apropo.R.1

Also, I noticed some weird programs on my program list at start-up, like: Auf0.exe. I read somewhere that this is quite a dangerous virus also :(

Here is my HijackThis log. Someone please help me with deleting the bad stuff.

Logfile of HijackThis v1.99.1
Scan saved at 4:06:18 PM, on 10/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\AOL SPYWARE PROTECTION\AOLSP SCHEDULER.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE
C:\PROGRAM FILES\SURFACCURACY\SACC.EXE
C:\WINDOWS\TEMP\CXTPLS_LOADER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\PROGRAM FILES\CRAM TOOLBAR\UNTITLED.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\UNTITLED.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.3000.1001\EN-US\MSNTB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\PROGRAM FILES\CRAM TOOLBAR\UNTITLED.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PhilipsRemote] D:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\PhilipsRemote.exe
O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [2gIbA5] "C:\WINDOWS\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: America Online Tray Icon.lnk = D:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O8 - Extra context menu item: &AOL Toolbar search - res://C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\PROGRAM FILES\AOL TOOLBAR\TOOLBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YPAGER.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net

Thanks in advance
 

Bearded Tech Monkey · 1,058 Posts
Hi and welcome to TSF.

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst, and I will be back to address your problem A.S.A.P.

Please Subscribe to this thread, (Thread Tools->Subscribe to this Thread) so that you are notified when a reply has been made.

Please be patient with me during this time.

Thanks,

RavenMind
 

Bearded Tech Monkey · 1,058 Posts
Hello, 4am. Thank you for being patient while I reviewed your log!

Important: Copy this page into Notepad & save it. You may also want to print out a copy of these instructions in case you are unable to access Notepad during the fix. Make sure to work through the fixes in the exact order they are presented. If there is anything that you don't understand, ask me about it before proceeding with the fixes. It is important to close all browsers (Internet Explorer, My Computer, etc.) or windows when you are running any scans, tools, or HJT.

I am not finding any instance of "Auf0.exe" in your log. Can you tell me exactly where you found this, and the file's path?


  1. Enable the viewing of hidden files/folders:

    Go to My Computer > View > Folder Options > “View” tab, and make sure that “Show all files” is checked under the “Hidden Files” section. Also make sure there is no checkmark beside “Hide file extensions for known file types”.


  2. Downloads:

    CleanUp!
    Your HJT log indicates you have some malware hiding in the Temp folders. Download and install CleanUp! to clean out your temps, but do not run it yet.


  3. Reboot into Safe Mode.
    Restart the computer. While it’s booting up, tap the F8 key until a numbered menu shows up. Choose “Safe Mode” and press “Enter”, and Windows will continue to load.


  4. End Running Processes:

    Make sure to close any open browsers. Go into HijackThis and click Config > Misc. Tools > Open Process Manager.
    Select the following, and click Kill Process for each one that is still listed:

    C:\PROGRAM FILES\SURFACCURACY\SACC.EXE
    C:\WINDOWS\TEMP\CXTPLS_LOADER.EXE



  5. Uninstall Programs:

    Uninstall the following via “Add/Remove”, if they still exist. (Start > Settings > Control Panel > Add/Remove Programs)

    Cram Toolbar
    CtxPls


  6. HiJackThis Entries:

    Run a scan in HijackThis. Place a check mark next to the following entries if they still exist:

    R3 - URLSearchHook: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\PROGRAM FILES\CRAM TOOLBAR\UNTITLED.DLL
    O2 - BHO: XBTB00429 - {1395A06F-EEA0-4445-BA0C-E8B56B48E244} - C:\PROGRA~1\CRAMTO~1\UNTITLED.DLL
    O3 - Toolbar: Cram Toolbar - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - C:\PROGRAM FILES\CRAM TOOLBAR\UNTITLED.DLL
    O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
    O4 - HKLM\..\Run: [2gIbA5] "C:\WINDOWS\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN"

    Please make sure to close all open windows & browsers, then click Fix Checked.


  7. File Deletions:

    Delete the following FOLDERS indicated in BLUE, if they still exist:

    C:\PROGRAM FILES\CRAM TOOLBAR\
    C:\Program Files\SurfAccuracy\


  8. Run Cleanup!

    Configure the program as follows:
    1. Click Options...
    2. Move the arrow down to Custom CleanUp!
    3. Put a check next to the following:
      • Empty Recycle Bins
      • Delete Cookies
      • Delete Prefetch files
      • [X] Scan local drives for temporary files (Please uncheck this option)
      • Cleanup! All Users
    4. Click OK
    5. Press the CleanUp! button to start the program. Reboot when prompted.
    * CleanUp! will delete all the files in your temp folders without making a backup!


  9. Online Scan:

    Perform an online scan with Internet Explorer with Kaspersky WebScanner

    Next, click on Launch Kaspersky Anti-Virus Web Scanner.

    You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings, make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Standard
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    Take note of the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program (AntiVir) while performing the online scan



Please post the following items in your next reply:
  1. Fresh HJT log
  2. Log from Kaspersky
  3. How you found, and the path to “Auf0.exe”
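A triage helper in the spirit of the steps above, added here as an example (it is not a tool from this thread or part of HijackThis): it parses O4 autorun lines from an HJT log and flags the traits RavenMind acted on in the 2gIbA5 entry, a target under a TEMP folder, a randomised-looking value name, and a repeated argument block. The sample log lines are constructed from the log posted in this thread; the heuristic names and thresholds are my own assumptions.

```python
import re

# Constructed sample in HijackThis v1.99 format, modelled on a few O4 (autorun)
# lines from the log posted in this thread; not the full log.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SurfAccuracy] C:\Program Files\SurfAccuracy\SAcc.exe
O4 - HKLM\..\Run: [2gIbA5] "C:\WINDOWS\TEMP\CXTPLS_LOADER.EXE" /PC=CP.IST2 /SHUN /UNAR="/CTUN" /PC=CP.IST2 /SHUN /UNAR="/CTUN"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"""

# O4 line layout: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Leading, optionally quoted, program path up to the first executable extension.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|com|bat|dll|scr))"?', re.IGNORECASE)

def split_command(cmd):
    # Returns (program path, trailing argument tokens) for an autorun command line.
    m = EXE_RE.match(cmd)
    if not m:
        parts = cmd.split()
        return parts[0].strip('"'), parts[1:]
    return m.group('path'), cmd[m.end():].split()

def in_temp_dir(path):
    # True when a directory component (not the file name) is TEMP or TMP.
    dirs = path.upper().replace('/', '\\').split('\\')[:-1]
    return 'TEMP' in dirs or 'TMP' in dirs

def looks_random(name):
    # Short value name mixing digits with lower- and upper-case letters, like 2gIbA5.
    return (len(name) <= 8 and any(c.isdigit() for c in name)
            and any(c.islower() for c in name) and any(c.isupper() for c in name))

def triage(log_text):
    # Map each suspicious O4 line to the list of heuristics it triggered.
    findings = {}
    for m in filter(None, (O4_RE.match(l.strip()) for l in log_text.splitlines())):
        path, args = split_command(m['cmd'])
        reasons = []
        if in_temp_dir(path):
            reasons.append('autorun target in a TEMP directory')
        if looks_random(m['name']):
            reasons.append('randomised-looking value name')
        if len(set(args)) < len(args):
            reasons.append('repeated command-line arguments')
        if reasons:
            findings[m.string] = reasons
    return findings
```

These checks are path- and shape-based, so an adware entry installed under Program Files with a plausible name, such as SurfAccuracy, is not flagged by them; that one was identified by name, which a known-bad list would have to supply.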
 

Registered · 8 Posts
Discussion Starter #5 (Edited)
Hi RavenMind, I appreciated your help very much, but I got the problems resolved a little before you responded.

I will definitely post again if any other issues come up.

Thank you again!
 

Bearded Tech Monkey · 1,058 Posts
4am,

Glad to hear you got cleaned up!
I'll have this thread marked as 'Resolved' and post some suggestions below for further reading. If you need any more help, please let us know.

Thanks for visiting TSF!

RavenMind



Preventative Measures:

  1. Use an Alternative Browser. Most of the spyware/viruses/trojans out today target known flaws in I.E. Using an alternative browser closes most of those loopholes & you will find yourself getting far fewer (if any) infections. I'm a fan of FireFox for its functionality, security, & low demand on system resources. Here are a few of the more popular alternative browsers:
  2. Secure Internet Explorer. If you choose to stay with Internet Explorer, your likelihood of reinfection is much higher. Therefore you should follow these steps to help make I.E. more secure.
    • Don't add sites to the "Trusted Zone". Ever.
    • Download IESpyAd. This will add over 4000 known bad websites to the Restricted Zones list & help prevent you from being redirected to them.
    • Download & install Javacool's SpywareBlaster. This program will help block the download of malicious Active-X controls, block tracking cookies, and add known bad websites to the Restricted Zones list.
  3. Obtain & use a good firewall. Firewalls are important in preventing direct attacks on your system as well as notifying you when you have malware trying to dial out. A few good free firewalls are:
  4. Obtain & use a good AntiVirus program. The best solution to keeping your system clean is to prevent it from becoming infected. Therefore everyone nowadays should have a real-time antivirus program. Unless you go with Ewido, I would suggest against purchasing an AV (especially Norton, which is a resource hog & is nearly impossible to get out of your system once "infected"). There are several good AVs available for download:
  5. Anti-Spyware Programs. You should consider downloading & using the following programs if you haven’t already. I have found that, for best results, a moderate internet user should use these at least once every two weeks. Important: Please visit this site to learn how to configure & use the preceding programs. And remember to check for updates often!
  6. Keep Windows Updated! Microsoft comes out with patches & security updates all the time. Please remember to visit this site often for updates, or better yet, configure your automatic update feature to do it for you.
 