Infected by trojan downloader

Status
Not open for further replies.

ssk_the_gr8

Make Way the LORD is Here
My friend's PC has been infected by a trojan downloader.
Could you all please look at the HijackThis logfile and help out?

He has AVG installed but no anti-spyware.
The system is so slow that I can't even install Ad-Aware or any other anti-spyware.
Please help.

Logfile of HijackThis v1.99.1
Scan saved at 2:33:19 PM, on 1/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Winamp\winampa.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
D:\Program Files\Huawei\MT841\dslagent.exe
D:\WINDOWS\system32\spoolsvv.exe
D:\Program Files\Messenger\msmsgs.exe
D:\oracle\ora90\BIN\TNSLSNR.exe
C:\Windows\xpupdate.exe
D:\WINDOWS\system32\slserv.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - D:\WINDOWS\system32\imtqodk.dll (file missing)
O2 - BHO: CyberDefender Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - D:\Documents and Settings\Administrator\Local Settings\Application Data\cdstbar\sssTbar.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - D:\Program Files\BHO Plugin\plugin.dll (file missing)
O2 - BHO: 0 - {A4E3C284-F562-44B3-F487-3460F0B8F101} - D:\Program Files\MSN Gaming Zone\lavug.dll (file missing)
O2 - BHO: 0 - {B4E00BBC-2704-4171-2DAF-9C2635BF65B9} - D:\Program Files\MSN Gaming Zone\lavug.dll (file missing)
O3 - Toolbar: CyberDefender Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - D:\Documents and Settings\Administrator\Local Settings\Application Data\cdstbar\sssTbar.dll
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\Huawei\MT841\dslagent.exe
O4 - HKLM\..\Run: [spoolsvv] D:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [wdokbye.dll] D:\WINDOWS\system32\rundll32.exe "D:\Documents and Settings\Administrator\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
O4 - HKCU\..\Run: [WinUpdate] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2337312.exe
O4 - HKCU\..\Run: [WinInit] "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2335140.exe "
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "e:\Program Files\CyberDefender\AntiSpyware\cdas2.exe" /minimize
O8 - Extra context menu item: &Search - *edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk570YYIN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - *ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralFWBInitialSetup1.0.0.15.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{587646F6-1E8D-4D87-BFEC-36D96451CB57}: NameServer = 218.248.255.193 218.248.255.161
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winsys2freg - D:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Unknown owner - D:\oracle\ora90\bin\xsolap.exe (file missing)
O23 - Service: Oracle OLAP Agent - Unknown owner - D:\oracle\ora90\bin\xsaagent.exe (file missing)
O23 - Service: OracleOraHome90Agent - Unknown owner - D:\oracle\ora90\bin\agntsrvc.exe (file missing)
O23 - Service: OracleOraHome90ClientCache - Unknown owner - D:\oracle\ora90\BIN\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - D:\oracle\ora90\Apache\Apache\Apache.exe (file missing)
O23 - Service: OracleOraHome90PagingServer - Unknown owner - D:\oracle\ora90/bin/pagntsrv.exe (file missing)
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora90\BIN\ENCSVC.EXE (file missing)
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora90\BIN\AGNTSVC.EXE (file missing)
O23 - Service: OracleOraHome90TNSListener - Unknown owner - D:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - D:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe (file missing)

n2casey

Super Hero - Super Powers
I didn't analyze the whole report, but fix everything related to MyWebSearch.

Vishal Gupta

Microsoft MVP
Fix these:

Code:
D:\WINDOWS\system32\spoolsvv.exe
C:\Windows\xpupdate.exe
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - D:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - D:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - D:\WINDOWS\system32\imtqodk.dll (file missing)
O2 - BHO: CyberDefender Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - D:\Documents and Settings\Administrator\Local Settings\Application Data\cdstbar\sssTbar.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - D:\Program Files\BHO Plugin\plugin.dll (file missing)
O2 - BHO: 0 - {A4E3C284-F562-44B3-F487-3460F0B8F101} - D:\Program Files\MSN Gaming Zone\lavug.dll (file missing)
O2 - BHO: 0 - {B4E00BBC-2704-4171-2DAF-9C2635BF65B9} - D:\Program Files\MSN Gaming Zone\lavug.dll (file missing)
O3 - Toolbar: CyberDefender Security Toolbar - {68FF9E0F-2E96-4467-87FA-1A8B9734C7E7} - D:\Documents and Settings\Administrator\Local Settings\Application Data\cdstbar\sssTbar.dll
O4 - HKLM\..\Run: [spoolsvv] D:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [wdokbye.dll] D:\WINDOWS\system32\rundll32.exe "D:\Documents and Settings\Administrator\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
O4 - HKCU\..\Run: [WinUpdate] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2337312.exe
O4 - HKCU\..\Run: [WinInit] "D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2335140.exe "
O8 - Extra context menu item: &Search - *edits.mywebsearch.com/toolbar...p=ZNxmk570YYIN
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - *ak.exe.imgfarm.com/images/noc...up1.0.0.15.cab
O20 - Winlogon Notify: winsys2freg - D:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)

anandk

Distinguished Member
Infected.

D:\WINDOWS\system32\spoolsvv.exe is a Searchcentrix hijacker.
C:\Windows\xpupdate.exe is a worm.
Also, CyberDefender is considered a rogue anti-spyware.
Whoa, there's a lot more!

I suggest you scan your PC in SAFE MODE with a-squared Anti-Malware (www.emisoft.com) or AVG (Ewido) Anti-Malware (www.grisoft.com).

You also need to scan your PC with RogueRemover, a great new utility that can remove various rogue antispyware, antivirus and hard drive cleaning utilities, as well as rogue registry cleaners. Detailed here: *www.thinkdigit.com/forum/showthread.php?t=11292&highlight=stay+away+rogue
OP
ssk_the_gr8

Make Way the LORD is Here
The problem seems to be back; the PC is super slow again. Here's a new scan.

Should my friend uninstall Oracle? All the Oracle files seem to be missing.

Logfile of HijackThis v1.99.1
Scan saved at 9:07:16 PM, on 2/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\oracle\ora90\BIN\TNSLSNR.exe
D:\WINDOWS\system32\igfxtray.exe
D:\WINDOWS\system32\hkcmd.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Winamp\winampa.exe
D:\WINDOWS\system32\slserv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Huawei\MT841\dslagent.exe
D:\WINDOWS\system32\kernels88.exe
D:\Program Files\Messenger\msmsgs.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
C:\Windows\xpupdate.exe
D:\WINDOWS\system32\dlh9jkd1q6.exe
D:\WINDOWS\system32\dlh9jkd1q7.exe
D:\WINDOWS\system32\wuauclt.exe
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] D:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] D:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] D:\Program Files\Huawei\MT841\dslagent.exe
O4 - HKLM\..\Run: [System] D:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "E:\Program Files\CyberDefender\AntiSpyware\cdas2.exe" /minimize
O4 - HKCU\..\Run: [WinMedia] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: igfxcui - D:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Oracle OLAP 9.0.1.0.1 (OLAPServer) - Unknown owner - D:\oracle\ora90\bin\xsolap.exe (file missing)
O23 - Service: Oracle OLAP Agent - Unknown owner - D:\oracle\ora90\bin\xsaagent.exe (file missing)
O23 - Service: OracleOraHome90Agent - Unknown owner - D:\oracle\ora90\bin\agntsrvc.exe (file missing)
O23 - Service: OracleOraHome90ClientCache - Unknown owner - D:\oracle\ora90\BIN\ONRSD.EXE (file missing)
O23 - Service: OracleOraHome90HTTPServer - Unknown owner - D:\oracle\ora90\Apache\Apache\Apache.exe (file missing)
O23 - Service: OracleOraHome90PagingServer - Unknown owner - D:\oracle\ora90/bin/pagntsrv.exe (file missing)
O23 - Service: OracleOraHome90SNMPPeerEncapsulator - Unknown owner - D:\oracle\ora90\BIN\ENCSVC.EXE (file missing)
O23 - Service: OracleOraHome90SNMPPeerMasterAgent - Unknown owner - D:\oracle\ora90\BIN\AGNTSVC.EXE (file missing)
O23 - Service: OracleOraHome90TNSListener - Unknown owner - D:\oracle\ora90\BIN\TNSLSNR.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - D:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - D:\WINDOWS\system32\tccpip.exe (file missing)
O23 - Service: Visibroker Smart Agent (xsSmartAgent) - Unknown owner - D:\oracle\ora90\bin\osagent.exe (file missing)

alsiladka

Noobie Pro
D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
C:\Windows\xpupdate.exe
D:\WINDOWS\system32\dlh9jkd1q6.exe
D:\WINDOWS\system32\dlh9jkd1q7.exe

These are the unneeded files.

O4 - HKLM\..\Run: [My Web Search Bar] rundll32 D:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [System] D:\WINDOWS\system32\kernels88.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] D:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [WinMedia] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
These are the infected files being run at start-up.

Ask him to run MSCONFIG and uncheck the above files which are being run at start-up, and using Task Manager, end the above processes.

After that, ask him to install Spybot - Search & Destroy as well as Ad-Aware Personal Edition and scan his computer completely. He will be relieved of the trojan menace.

anandk

Distinguished Member
D:\WINDOWS\system32\kernels88.exe is a nasty trojan.
C:\Windows\xpupdate.exe is again a nasty spyware data miner.
D:\WINDOWS\system32\dlh9jkd1q6.exe and D:\WINDOWS\system32\dlh9jkd1q7.exe are malware too!

Scan your PC with Ad-Aware or a-squared Anti-Malware in safe mode.

Or you can use 'Delete Doctor' from www.diskcleaners.com to safely delete these 4 processes on reboot.

Also, then use 'CCleaner' to clear up your temp junk and residual registry entries.
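The replies above triage the log by hand, and the signals they use are mechanical enough to script: an autorun that loads from Temp or Local Settings, a filename one character away from a real system binary (spoolsvv.exe beside the genuine spoolsv.exe), a Windows path on the wrong drive (C:\Windows on a machine whose Windows lives on D:), and registrations whose file is "(file missing)". The script below is an added example, not part of this thread and not something HijackThis itself does; it applies those checks to lines in HijackThis's text format. The sample entries are constructed from lines quoted in the thread, and the system-binary list, the regular expressions and the Finding type are my own assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis v1.99 format, modelled on entries quoted in the
# thread above; it is not the full log that was posted.
SAMPLE_LOG = r"""
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
C:\Windows\xpupdate.exe

O2 - BHO: (no name) - {41F328E2-5E46-F5B8-0160-020188931F32} - D:\WINDOWS\system32\imtqodk.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [spoolsvv] D:\WINDOWS\system32\spoolsvv.exe
O4 - HKLM\..\Run: [System] D:\WINDOWS\system32\kernels88.exe
O4 - HKLM\..\Run: [wdokbye.dll] D:\WINDOWS\system32\rundll32.exe "D:\Documents and Settings\Administrator\Local Settings\Application Data\wdokbye.dll",bpzgoi
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] D:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2330640.exe
O23 - Service: TCP and UDP Supp0rt - Unknown owner - D:\WINDOWS\system32\tccpip.exe (file missing)
"""

# One HijackThis entry: a section code ("O4", "O23", "R3", ...) followed by " - " and the body.
ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
# A drive-letter path ending in a binary extension; a quote or newline ends it.
PATH = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|ocx|cab)", re.I)
# Locations any user can write to; legitimate autoruns rarely live here (assumption).
USER_WRITABLE = re.compile(r"\\(?:Temp|Local Settings\\Application Data|Application Data)\\", re.I)
# Core Windows XP binaries that malware likes to imitate by name (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                   "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "wuauclt.exe"}


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot one-character lookalikes such as spoolsvv.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary this filename imitates, or None if it is exact or unrelated."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((real for real in SYSTEM_BINARIES if levenshtein(name, real) <= 1), None)


def system_drive(log_text: str) -> Optional[str]:
    """Most common drive letter in front of a Windows directory path, e.g. 'D:' for the log above."""
    drives = Counter(d.upper() for d in re.findall(r"([A-Za-z]:)\\windows\\", log_text, re.I))
    return drives.most_common(1)[0][0] if drives else None


def triage(log_text: str) -> List[Finding]:
    """Apply the thread's manual checks to every HijackThis entry line in the log."""
    sysdrive = system_drive(log_text)
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header, blank or running-process line
        sec, reasons = m.group("sec"), []
        if "(file missing)" in line:
            reasons.append("orphaned registration: the referenced file no longer exists")
        for path in PATH.findall(line):
            name = path.rsplit("\\", 1)[-1].lower()
            if USER_WRITABLE.search(path):
                reasons.append(f"loads from a user-writable location: {path}")
            real = lookalike(name)
            if real:
                reasons.append(f"{name} resembles the system binary {real}")
            drive = re.match(r"([A-Za-z]:)\\windows\\", path, re.I)
            if sysdrive and drive and drive.group(1).upper() != sysdrive:
                reasons.append(f"{path} is a Windows directory on a non-system drive (system drive is {sysdrive})")
            if (sec == "O4" and name not in SYSTEM_BINARIES
                    and re.search(r"\\system32\\[^\\]*\d[^\\]*\.exe$", path, re.I)):
                reasons.append(f"weak signal: autorun of an unfamiliar digit-bearing name in system32: {name}")
        if reasons:
            findings.append(Finding(sec, line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the AVG autorun passes clean while the seven entries the thread singled out are each flagged for at least one reason. Note what the script cannot do: kernels88.exe only trips the weak "digits in system32" heuristic, and dlh9jkd1q6.exe would too; the replies recognised those names from experience and signatures, which is why the thread's advice to follow up with a full scan in safe mode still applies. Treat the output as a prioritisation aid for reading a long log, not as a verdict.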