
Status
Not open for further replies.
1 - 8 of 8 Posts

Discussion Starter #1 (Edited)
I've been infected with the trojan "TR/dldr.small.agq.4" and can't seem to get rid of it using AVG, AdAware or SpyBot.

I'm also having severe IE issues at the moment with nearly every page I try to open saying "Page cannot be displayed", and after restarting, shutting down and several other things nothing helps.

This is my HijackThis! log, but it's all I have because the links provided in the 5 steps are all part of the "page cannot be displayed" problem.

Logfile of HijackThis v1.99.1
Scan saved at 8:28:21 PM, on 3/7/2007
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINNT\System32\kernels32.exe
C:\WINNT\System32\adirka.exe
C:\WINNT\System32\dlh9jkd1q2.exe
C:\WINNT\System32\vexg4am1et2.exe
C:\WINNT\System32\vexga4m1et4.exe
C:\WINNT\System32\ma.exe.exe
C:\WINNT\System32\pp.exe.exe
C:\Program Files\Common Files\{A815E3F9-0353-1033-0708-030205220001}\Update.exe
C:\DOCUME~1\CODYRI~1\LOCALS~1\Temp\16.tmp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cody Richardson\My Documents\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Shell Doc Object and Control Helper Class - {00009E9F-DDD7-AA59-AA7D-AA4B7D6BE000} - C:\WINNT\System32\shdocvs.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3815E~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3815E~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3815E~1\Bar888.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [System] C:\WINNT\System32\kernels32.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFF394C-11FB-4E86-87BE-CAFB5B1CA520}: NameServer = 85.255.115.238,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: CDRecorder031 - {A3BC5E20-0235-1ABF-9CE1-00AA00512031} - (no file)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINNT\System32\aspi68853.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINNT\System32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Windows Management Service - Unknown owner - C:\WINNT\System32\dmdnl.exe
 

Discussion Starter #2
P.S., I forgot to mention that my infection is not allowing me to update my operating system. In another odd event, when I start up, at the login screen is a gray box that says "homebanking.pacu.com", with an OK button and an X in the corner. Clicking X does nothing, clicking OK removes the box. This virus is really messing up my computer.
 

TSF Security Manager, Emeritus
Hello ViralVampire07,

You have a couple of infections onboard and we need to attack them in stages.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it.
  • Click "Next", then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin: Please follow the prompts.
  • You will be asked to reboot your computer: Please do so.
  • Your system may take longer than usual to load and this is normal.
Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

**If you receive an error message while trying to run FixWareout, copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder, and run FixWareout again.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFF394C-11FB-4E86-87BE-CAFB5B1CA520}: NameServer = 85.255.115.238,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216



Click FIX CHECKED. Close HijackThis.

-----------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\fixwareout\report.txt
C:\ComboFix.txt
New HijackThis log
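An added example (not code from the thread, from HijackThis or from the tools named above): a small Python triage helper that parses the O17 NameServer and O10 LSP lines of a HijackThis log and flags statically set DNS servers that are neither private/loopback nor on an analyst-supplied trusted list. The sample lines are excerpted from the log posted above; the `trusted` parameter is an assumption for resolvers (e.g. the ISP's) the analyst already recognises.

```python
import ipaddress
import re

# Sample input: lines excerpted from the HijackThis log posted in this thread
# (O10 = Winsock LSP state, O17 = DNS NameServer values read from the registry).
SAMPLE_LOG = r"""
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{7AFF394C-11FB-4E86-87BE-CAFB5B1CA520}: NameServer = 85.255.115.238,85.255.112.216
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.238 85.255.112.216
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")
O10_RE = re.compile(r"^O10 - .*LSP provider '(?P<dll>[^']+)' missing")

def parse_nameservers(log):
    """Return [(registry_key, [ip, ...]), ...] for every O17 line in the log."""
    entries = []
    for line in log.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            # HijackThis prints the servers comma- or space-separated.
            servers = re.split(r"[,\s]+", m.group("servers").strip())
            entries.append((m.group("key"), [s for s in servers if s]))
    return entries

def suspicious_nameservers(log, trusted=()):
    """O17 server IPs that are neither private/loopback nor in `trusted`.
    A static NameServer pointing at an unexpected public address is the
    DNS-hijack pattern the O17 lines in this thread show."""
    flagged = set()
    for _key, servers in parse_nameservers(log):
        for s in servers:
            try:
                ip = ipaddress.ip_address(s)
            except ValueError:
                flagged.add(s)  # not even a valid address: worth a look
                continue
            if not (ip.is_private or ip.is_loopback) and s not in trusted:
                flagged.add(s)
    return flagged

def missing_lsp_provider(log):
    """Name of the missing Winsock LSP DLL reported on an O10 line, or None."""
    for line in log.splitlines():
        m = O10_RE.match(line.strip())
        if m:
            return m.group("dll")
    return None
```

A hit from `suspicious_nameservers` is the cue to fix the O17 entries (as the instructions above do) and a hit from `missing_lsp_provider` explains the "page cannot be displayed" symptom, since a missing LSP breaks the Winsock chain.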
 

Discussion Starter #5
I've gotten through everything except ComboFix. When I open it, it immediately says "ComboFix.exe has generated errors and will be closed by windows. An error log has been created"

No matter how many times I try it does the same thing. What should I do?

I'm going to try running it in safe mode and seeing what happens, I'll let you know.
 

TSF Security Manager, Emeritus
Hi,

No, do not try running it again. Delete that version of ComboFix and download it again please.
 

Discussion Starter #7
I tried downloading it again but got nowhere. Is there another link or another version that you could send me? It'd be greatly appreciated.
 

TSF Security Manager, Emeritus
Hiya,

The download link is working for me. Download this tool first:

HostsXpert v3.7

Extract all files and double click HostsXpert.exe.
  • In the 'Editing Tools' section, click "Make Hosts Writable?" in the upper right corner (If available).
  • Just below, you will see the 'Backup and Restore' section. Click Restore Microsoft's Hosts File.
  • Click File>Exit
--------------------------------------------------

Now try again to download ComboFix.exe. If you still can't get it, please tell me what happens when you click the link.
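An added example (not the thread's or HostsXpert's code) of the audit behind the "restore the hosts file" step: it classifies every non-default hosts mapping as a loopback sinkhole (which blocks a site such as a download page) or a redirect to a remote address. The sample hosts file is constructed for the example; the sinkholed domains mirror the download sites linked earlier in the thread and `homebanking.example.com` with `203.0.113.7` is a placeholder.

```python
from ipaddress import ip_address

# Constructed sample hosts file (not taken from the poster's machine): the
# default localhost line plus the kind of added entries that sinkhole a
# download site or silently redirect a site to a remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.bleepingcomputer.com bleepingcomputer.com
127.0.0.1       downloads.subratam.org   # blocks the FixWareout download
203.0.113.7     homebanking.example.com
"""

# What a clean Windows hosts file contains; anything else is an override.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and case."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()  # one IP may carry several hostnames
        for name in names:
            yield ip, name.lower()

def hosts_overrides(text):
    """List (kind, hostname, ip) for every non-default mapping.
    kind is 'sinkholed' (loopback), 'redirected' (any other address)
    or 'malformed' (first field is not an IP address)."""
    findings = []
    for ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            kind = "sinkholed" if ip_address(ip).is_loopback else "redirected"
        except ValueError:
            kind = "malformed"
        findings.append((kind, name, ip))
    return findings

def is_sinkholed(text, hostname):
    """True if `hostname` is mapped to loopback, so downloads from it fail."""
    return any(k == "sinkholed" and n == hostname.lower()
               for k, n, _ in hosts_overrides(text))
```

A 'redirected' finding deserves more attention than a sinkhole, since it sends the user to a server of the attacker's choosing rather than just blocking a site.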
 