neoragex New Member Date Joined Jun 2008 Total Posts : 5 Posted 7-22-2008 7:29 (GMT +1) Any idea how to remove this? I'm using XP with original KAV 2009, but it seems like every time I scan, I need to delete this virus. It keeps coming back. Virus: Trojan.Win32.VB.ayo. Thanks.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 7-23-2008 5:38 (GMT +1) Hello
This is what Trojan.Win32.VB.ayo is.
I'll therefore suggest you click here ->> http://www.bullguard.com/forum/14/Before-posting-a-log_43561.html
After you have run the scan tools:
Reboot normally.
Post the HijackThis log along with the SUPERAntiSpyware log and C:\ComboFix.txt in this topic.
Please copy and paste your log. DO NOT add it as an attachment.
Kindly do not annotate or format the log with color or font changes.
NB. If you are using any P2P (file sharing) programs, please remove them before we clean your computer. We do not clean logs that have P2P applications installed as this can cause reinfection during your cleaning.
Do NOT post your problem in someone else's thread.
neoragex New Member Date Joined Jun 2008 Total Posts : 5 Posted 7-24-2008 5:30 (GMT +1)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:24 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\Krait\razerhid.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Razer\Krait\razerofa.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\ievkbd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Krait] C:\Program Files\Razer\Krait\razerhid.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.3.5.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5590252-9EC1-4D87-99AD-865B8A98014F}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Anti-Virus (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe

--
End of file - 8259 bytes

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/24/2008 at 12:07 PM

Application Version : 4.15.1000

Core Rules Database Version : 3513
Trace Rules Database Version: 1504

Scan type : Complete Scan
Total Scan Time : 00:20:05

Memory items scanned : 416
Memory threats detected : 0
Registry items scanned : 6214
Registry threats detected : 30
File items scanned : 19529
File threats detected : 2

Unclassified.Oreans32
HKLM\System\ControlSet001\Services\oreans32
C:\WINDOWS\SYSTEM32\DRIVERS\OREANS32.SYS
HKLM\System\ControlSet001\Enum\Root\LEGACY_oreans32
HKLM\System\ControlSet002\Services\oreans32
HKLM\System\ControlSet002\Enum\Root\LEGACY_oreans32
HKLM\System\CurrentControlSet\Services\oreans32
HKLM\System\CurrentControlSet\Enum\Root\LEGACY_oreans32
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Capabilities
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000#Driver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\LogConf
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_OREANS32\0000\Control#ActiveService
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Type
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#Start
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\oreans32#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\oreans32\Enum#NextInstance

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@adinterax.txt
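A way to do the first pass over a HijackThis log like the one above mechanically, as an added example (this is my script, not code from the thread, from HijackThis or from the forum's helpers): it parses the R*/O* entries and applies three of the checks a log reader otherwise does by eye. The checks and the finding names are my own; the sample input is constructed from entries taken from the posted log, one per line as HijackThis writes them.

```python
"""Triage of a HijackThis 2.0 log: added example, not code from the thread or from HijackThis.

Each HijackThis entry is one line with a section code (R0/R1 IE start pages, O2 BHOs,
O4 Run keys, O17 DNS servers, O20 Winlogon notify, O23 services, ...).  This script
parses those entries and applies three checks a log helper does by hand:
  * O2/O3/O9 entries whose target is "(no file)" are orphaned CLSIDs;
  * O4 Run entries with no absolute path (PATH lookup) or outside Program Files / %windir%;
  * O17 NameServer entries are listed for manual review (DNS-hijack check).
SAMPLE_LOG is constructed from lines that appear in the posted log.
"""
import re

# Constructed sample: a handful of the posted log's own entries, one per line
# (the forum page flattened them onto a single line).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5590252-9EC1-4D87-99AD-865B8A98014F}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.*)$")
ABS_PATH_RE = re.compile(r"^[a-z]:\\")
# Roots treated as expected locations for Run targets (my choice, not a HijackThis rule).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


def parse_hjt(text):
    """Return (kind, body) tuples for every HijackThis entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def run_target(body):
    """Extract the executable from an O4 body: the text after '[Name] ', unquoted if quoted."""
    _, _, cmd = body.partition("] ")
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]                  # unquoted: first token is the image


def triage(entries):
    """Return (finding, kind, detail) tuples, in log order."""
    findings = []
    for kind, body in entries:
        if kind in ("O2", "O3", "O9") and body.endswith("(no file)"):
            findings.append(("orphan", kind, body))
        elif kind == "O4":
            target = run_target(body)
            low = target.lower()
            if not ABS_PATH_RE.match(low):       # bare name: resolved through PATH at logon
                findings.append(("relative-path", kind, target))
            elif not low.startswith(TRUSTED_ROOTS):
                findings.append(("unusual-location", kind, target))
        elif kind == "O17":
            servers = body.split("NameServer = ", 1)[1].split(",")
            findings.append(("dns-review", kind, ",".join(s.strip() for s in servers)))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print("%-16s %-4s %s" % finding)
```

On the posted entries it reports the orphaned O2 CLSID, the Run entry that names rundll32.exe without a path, and the two O17 name servers. The O17 addresses are listed, not judged; comparing them with the ISP's DNS servers is a manual step, and an orphaned CLSID is clutter to fix rather than evidence of infection.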
neoragex New Member Date Joined Jun 2008 Total Posts : 5 Posted 7-24-2008 6:22 (GMT +1)

ComboFix 08-07-13.11 - user 2008-07-24 13:16:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.603 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: /snapshot

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-24 12:34 . 2008-07-24 12:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 12:34 . 2008-07-24 12:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-24 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 12:34 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 12:26 . 2008-07-24 12:27 <DIR> d-------- C:\HJT
2008-07-24 11:36 . 2008-07-24 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-24 11:35 . 2008-07-24 11:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-24 11:35 . 2008-07-24 11:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 11:35 . 2008-07-24 11:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-07-23 00:58 . 2008-07-23 00:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-13 04:28 . 2008-07-13 04:28 <DIR> d-------- C:\Program Files\Razer
2008-07-13 04:28 . 2005-12-08 13:43 65,536 --a------ C:\WINDOWS\system32\krait.cpl
2008-07-02 03:29 . 2008-07-16 17:04 14 --a------ C:\WINDOWS\popcinfo.dat
2008-07-02 03:28 . 2008-07-02 03:28 <DIR> d-------- C:\Program Files\PopCap Games
2008-07-02 02:55 . 2008-07-02 02:56 <DIR> d-------- C:\Program Files\Burger Shop v1.0
2008-07-01 18:10 . 2008-07-02 02:07 <DIR> d-------- C:\Program Files\GameHouse
2008-07-01 18:10 . 2008-07-01 18:10 <DIR> d-------- C:\Documents and Settings\user\Application Data\PlayFirst
2008-07-01 18:10 . 2008-07-01 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-06-26 03:01 . 2008-06-26 03:01 <DIR> d-------- C:\WINDOWS\ie8updates
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 04:20 581,664 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-24 04:20 4,116 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-24 04:20 23,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-24 04:20 2,720,288 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-24 04:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-24 03:44 --------- d-----w C:\Program Files\Wise Registry Cleaner 3
2008-07-24 03:32 --------- d-----w C:\Program Files\BitComet
2008-07-24 02:06 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 02:06 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 16:38 --------- d-----w C:\Program Files\Bluefox Studio
2008-07-19 19:17 --------- d-----w C:\Program Files\Rohan Online
2008-07-12 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-06-29 10:21 --------- d-----w C:\Program Files\CABAL Online (SG MY)
2008-06-27 12:34 975,779,843 ----a-w C:\Program Files\SilkroadOnline_GlobalOfficial_v1_150.exe
2008-06-21 21:45 --------- d-----w C:\Program Files\Warcraft III
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 16:37 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-15 15:14 --------- d-----w C:\Program Files\Neffy
2008-06-14 12:35 --------- d-----w C:\Program Files\Winamp
2008-06-13 18:39 --------- d-----w C:\Program Files\Xilisoft
2008-06-13 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-13 13:49 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-06-13 13:44 --------- d-----w C:\Program Files\Google
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 06:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 12:35 --------- d-----w C:\Program Files\Wise Disk Cleaner
2008-06-06 11:01 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-06 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-31 18:27 --------- d-----w C:\Documents and Settings\user\Application Data\DMCache
2008-05-27 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-05-26 16:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-08 04:50 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 10:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 16:32 222504]
"Krait"="C:\Program Files\Razer\Krait\razerhid.exe" [2007-02-16 17:44 126976]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Files Updater

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-09-01 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2007-02-16 17:44 126976 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-08-24 06:15 8478720 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-08-24 06:15 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-11-06 10:58 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-08-24 06:15 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CABAL Online (SG MY)\\Launcher\\update\\ESTdnheadless.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"C:\\Program Files\\Rohan Online\\rohanclient.exe"=
"E:\\Application\\SRO_NEW_Full-Client_Downloader.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\x1337x\\Rohanbot.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\Miki\\Rohanbot.exe"=
"E:\\Silkroad\\Bot\\srobot.exe"=
"E:\\Silkroad\\SilkErrSender.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26102:TCP"= 26102:TCP:BitComet 26102 TCP
"26102:UDP"= 26102:UDP:BitComet 26102 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 17:27]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva170;XDva170;C:\WINDOWS\system32\XDva170.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a1c35a-ce23-11dc-904f-001d7243034e}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 13:18:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\System32\CSCDLL.dll
.
Completion time: 2008-07-24 13:19:58
ComboFix-quarantined-files.txt 2008-07-24 05:19:50
ComboFix2.txt 2008-07-24 04:23:43

Pre-Run: 47,379,374,080 bytes free
Post-Run: 47,366,709,248 bytes free

179 --- E O F --- 2008-07-11 14:04:41
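The three parts of the ComboFix log above that carry the items the next reply acts on each have a regular line shape, so they can be pulled out by script. The following is an added example (my code, not ComboFix's and not the moderator's): it flags driver registrations whose image timestamp is empty (ComboFix prints "[]" when the file is not on disk), the per-volume AutoRun commands Windows has cached under MountPoints2 (the handler recorded from an autorun.inf on a removable drive; a worm that copies itself plus an autorun.inf onto USB sticks is one common reason a detection comes back after every clean), and loaded modules whose drive letter could not be resolved. It also turns the missing-file drivers into the Driver:: section of a CFScript. The finding names are my own; the sample input is constructed from lines in the posted log.

```python
"""Triage of a ComboFix log: added example, not code from the thread or from ComboFix.

Three sections of the posted log have a parseable line shape:
  * driver lines  "S3 name;description;path [timestamp]"  - an empty "[]" means ComboFix
    found a service/driver registration whose image file is missing from disk;
  * MountPoints2 keys followed by "\Shell\AutoRun\command - ..." - the per-volume AutoRun
    handler Windows recorded for a removable drive (autorun.inf persistence vector);
  * "PROCESS: ..." followed by "-> <dll>" lines - a "?:" drive letter means the module's
    path could not be resolved to a real volume.
SAMPLE_COMBOFIX is constructed from lines that appear in the posted log.
"""
import re

# Constructed sample: the posted log's own lines, one per line as ComboFix writes them.
SAMPLE_COMBOFIX = r"""
R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 17:27]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
 -> ?:\WINDOWS\System32\CSCDLL.dll
"""

DRIVER_RE = re.compile(r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(?P<guid>\{[^}]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)
PROCESS_RE = re.compile(r"^PROCESS: (?P<proc>.+)$")
LOADED_RE = re.compile(r"^-> (?P<dll>.+)$")


def autorun_target(cmd):
    """The file an AutoRun command launches: last token of 'RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL <file>'."""
    return cmd.rsplit(" ", 1)[-1]


def triage_combofix(text):
    """Return (finding, subject, detail) tuples in log order."""
    findings = []
    guid = proc = None                     # context carried from the preceding key / PROCESS line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DRIVER_RE.match(line)
        if m:
            if m["stamp"] == "":           # registered driver, image file not found on disk
                findings.append(("driver-no-file", m["name"], m["path"]))
            elif not m["path"].lower().startswith("c:\\windows\\"):
                findings.append(("driver-outside-windir", m["name"], m["path"]))
            continue
        m = MOUNTPOINT_RE.match(line)
        if m:
            guid = m["guid"]
            continue
        m = AUTORUN_RE.match(line)
        if m and guid:
            findings.append(("autorun-command", guid, autorun_target(m["cmd"])))
            guid = None
            continue
        m = PROCESS_RE.match(line)
        if m:
            proc = m["proc"]
            continue
        m = LOADED_RE.match(line)
        if m and proc and m["dll"].startswith("?:"):
            findings.append(("dll-unresolved-drive", proc, m["dll"]))
    return findings


def cfscript_driver_section(findings):
    """Build the Driver:: section of a ComboFix CFScript from the driver-no-file findings."""
    names = [subject for finding, subject, _ in findings if finding == "driver-no-file"]
    return ("Driver::\n" + "\n".join(names)) if names else ""


if __name__ == "__main__":
    found = triage_combofix(SAMPLE_COMBOFIX)
    for finding in found:
        print("%-22s %-40s %s" % finding)
    print(cfscript_driver_section(found))
```

The output is a review list, not a verdict: a driver entry with no file is often a leftover registration from an uninstalled program, a driver under a game folder is a prompt to identify it, and an unresolved module path is a reason to look at the file, which is what the next reply does.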
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 7-24-2008 7:15 (GMT +1)
Open Notepad and copy/paste the text in the quote box below into it:
Quote:
-----------------------------------------------------
KILLALL::
Snapshot::
File::
C:\WINDOWS\System32\CSCDLL.dll
Driver::
XDva132
XDva165
XDva167
XDva170
XDva177
----------------------------------------------
Save this as CFScript.txt
At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.
Post a new HijackThis log along with a fresh ComboFix log.
Do NOT post your problem in someone else's thread.
Post Edited (Touch) : 24-07-2008 06:41:13 GMT
neoragex New Member Date Joined Jun 2008 Total Posts : 5 Posted 7-24-2008 7:50 (GMT +1)

ComboFix 08-07-13.11 - user 2008-07-24 14:42:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.649 [GMT 8:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\user\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\System32\CSCDLL.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\System32\CSCDLL.dll
.
((((((((((((((((((((((((( Files Created from 2008-06-24 to 2008-07-24 )))))))))))))))))))))))))))))))
.
2008-07-24 12:34 . 2008-07-24 12:34 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 12:34 . 2008-07-24 12:34 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-24 12:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 12:34 . 2008-07-23 20:09 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 12:34 . 2008-07-23 20:09 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 12:26 . 2008-07-24 13:26 <DIR> d-------- C:\HJT
2008-07-24 11:36 . 2008-07-24 11:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-24 11:35 . 2008-07-24 11:35 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-24 11:35 . 2008-07-24 11:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-24 11:35 . 2008-07-24 11:35 <DIR> d-------- C:\Documents and Settings\user\Application Data\SUPERAntiSpyware.com
2008-07-23 00:58 . 2008-07-23 00:58 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-07-13 04:28 . 2008-07-13 04:28 <DIR> d-------- C:\Program Files\Razer
2008-07-13 04:28 . 2005-12-08 13:43 65,536 --a------ C:\WINDOWS\system32\krait.cpl
2008-07-02 03:29 . 2008-07-16 17:04 14 --a------ C:\WINDOWS\popcinfo.dat
2008-07-02 03:28 . 2008-07-02 03:28 <DIR> d-------- C:\Program Files\PopCap Games
2008-07-02 02:55 . 2008-07-02 02:56 <DIR> d-------- C:\Program Files\Burger Shop v1.0
2008-07-01 18:10 . 2008-07-02 02:07 <DIR> d-------- C:\Program Files\GameHouse
2008-07-01 18:10 . 2008-07-01 18:10 <DIR> d-------- C:\Documents and Settings\user\Application Data\PlayFirst
2008-07-01 18:10 . 2008-07-01 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a------ C:\WINDOWS\system32\drivers\bthmodem.sys
2008-06-29 00:14 . 2004-08-03 23:10 38,016 --a--c--- C:\WINDOWS\system32\dllcache\bthmodem.sys
2008-06-26 03:01 . 2008-06-26 03:01 <DIR> d-------- C:\WINDOWS\ie8updates
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-24 06:44 589,856 --sha-w C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-24 06:44 4,144 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-24 06:44 23,380 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-24 06:44 2,720,288 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-24 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-24 03:44 --------- d-----w C:\Program Files\Wise Registry Cleaner 3
2008-07-24 03:32 --------- d-----w C:\Program Files\BitComet
2008-07-24 02:06 96,559 ----a-w C:\WINDOWS\system32\drivers\klin.dat
2008-07-24 02:06 87,855 ----a-w C:\WINDOWS\system32\drivers\klick.dat
2008-07-22 16:38 --------- d-----w C:\Program Files\Bluefox Studio
2008-07-19 19:17 --------- d-----w C:\Program Files\Rohan Online
2008-07-12 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-11 14:44 --------- d-----w C:\Documents and Settings\user\Application Data\AdobeUM
2008-06-29 10:21 --------- d-----w C:\Program Files\CABAL Online (SG MY)
2008-06-27 12:34 975,779,843 ----a-w C:\Program Files\SilkroadOnline_GlobalOfficial_v1_150.exe
2008-06-21 21:45 --------- d-----w C:\Program Files\Warcraft III
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 16:37 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-06-15 15:14 --------- d-----w C:\Program Files\Neffy
2008-06-14 12:35 --------- d-----w C:\Program Files\Winamp
2008-06-13 18:39 --------- d-----w C:\Program Files\Xilisoft
2008-06-13 16:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-06-13 13:49 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-06-13 13:44 --------- d-----w C:\Program Files\Google
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-07 06:01 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-06 12:35 --------- d-----w C:\Program Files\Wise Disk Cleaner
2008-06-06 11:01 --------- d-----w C:\Program Files\Kaspersky Lab
2008-06-06 10:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-31 18:27 --------- d-----w C:\Documents and Settings\user\Application Data\DMCache
2008-05-27 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-05-26 16:15 --------- d-----w C:\Program Files\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\user\Application Data\Yahoo!
2008-05-26 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-08 04:50 830,464 ----a-w C:\WINDOWS\system32\wininet.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-25 10:22 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-09-01 08:00 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-09-13 16:32 222504]
"Krait"="C:\Program Files\Razer\Krait\razerhid.exe" [2007-02-16 17:44 126976]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe" [2008-04-25 18:21 201992]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitComet
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\System Files Updater

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2008-04-23 02:08 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
-ra------ 2005-10-07 14:13 176128 C:\Program Files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-09-01 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Krait]
--a------ 2007-02-16 17:44 126976 C:\Program Files\Razer\Krait\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
--a------ 2008-05-27 21:58 4269296 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-08-24 06:15 8478720 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-08-24 06:15 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2006-11-06 10:58 159744 C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-02-22 21:42 3537968 C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-08-24 06:15 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\CABAL Online (SG MY)\\Launcher\\update\\ESTdnheadless.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 2009\\English\\setup.exe"=
"C:\\Program Files\\Rohan Online\\rohanclient.exe"=
"E:\\Application\\SRO_NEW_Full-Client_Downloader.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\x1337x\\Rohanbot.exe"=
"C:\\Documents and Settings\\user\\Desktop\\RohanBotEn1.0.8b\\Miki\\Rohanbot.exe"=
"E:\\Silkroad\\Bot\\srobot.exe"=
"E:\\Silkroad\\SilkErrSender.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26102:TCP"= 26102:TCP:BitComet 26102 TCP
"26102:UDP"= 26102:UDP:BitComet 26102 UDP

R0 klbg;Kaspersky Lab Boot Guard Driver;C:\WINDOWS\system32\drivers\klbg.sys [2008-01-29 18:29]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2008-03-25 20:07]
R3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 17:27]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []
S3 XDva167;XDva167;C:\WINDOWS\system32\XDva167.sys []
S3 XDva170;XDva170;C:\WINDOWS\system32\XDva170.sys []
S3 XDva177;XDva177;C:\WINDOWS\system32\XDva177.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe \Shell\Explore\command - G:\Flash.10.Setup.exe \Shell\Open\command - G:\Flash.10.Setup.exe \Shell\Scan for Viruses\command - G:\Scanner.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d6a1c35a-ce23-11dc-904f-001d7243034e}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e6e346ec-5947-11dd-8e37-001e377228e3}] \Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe \Shell\Explore\command - F:\Flash.10.Setup.exe \Shell\Open\command - F:\Flash.10.Setup.exe \Shell\Scan for Viruses\command - F:\Scanner.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-07-24 14:46:05 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . ------------------------ Other Running Processes ------------------------ . 
C:\WINDOWS\system32\rundll32.exe C:\Program Files\Razer\Krait\razerofa.exe C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\wdfmgr.exe C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************** . Completion time: 2008-07-24 14:48:50 - machine was rebooted ComboFix-quarantined-files.txt 2008-07-24 06:48:47 ComboFix2.txt 2008-07-24 05:19:58 ComboFix3.txt 2008-07-24 04:23:43 Pre-Run: 47,330,660,352 bytes free Post-Run: 47,318,220,800 bytes free 204 --- E O F --- 2008-07-11 14:04:41 Back to Top
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 7-24-2008 8:33 (GMT +1)
Please download:
Right click on the Avenger.zip folder and select "Extract to Avenger..."
You will now have an Avenger folder on your desktop.
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing Ctrl+C
Quote:
Drivers to unload:
XDva132
XDva165
XDva167
XDva170
XDva177
Make sure "Scan for rootkits" is checked ...
& "Automatically disable any rootkits found" is NOT checked ...
Click on Execute. Answer "Yes" twice when prompted.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
Please copy/paste the content of C:\avenger.txt into your reply, and tell us how things are running now.
Do NOT post your problem in someone else's thread.
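To show how the two kinds of entry the moderator is acting on can be picked out of a ComboFix log automatically (registered drivers whose image file is not on disk, like the XDva entries, and the per-volume AutoRun handlers under MountPoints2), here is an added Python example that is not part of this thread or of any BullGuard or Avenger tooling. It parses a few lines copied from the log above; the regular expressions and function names are my own assumptions about the log format.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the ComboFix log posted above
# (the services block and two of the MountPoints2 keys).
SAMPLE_LOG = r"""
R3 krait03;Razer krait USB Filter Driver;C:\WINDOWS\system32\Drivers\krait.sys [2005-12-07 17:27]
S3 NTProcDrv;Process creation detector for NT.;E:\Silkroad\Bot\NtProcDrv.sys [2005-02-24 06:08]
S3 XDva132;XDva132;C:\WINDOWS\system32\XDva132.sys []
S3 XDva165;XDva165;C:\WINDOWS\system32\XDva165.sys []
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a88ec03f-cd63-11dc-904c-b892dd44d70c}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Sys.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b3208366-e380-11dc-8cfe-001d72472371}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Flash.10.Setup.exe
\Shell\Open\command - G:\Flash.10.Setup.exe
"""

# Service/driver line: "<start> <name>;<description>;<image path> [<file timestamp>]".
# ComboFix prints "[]" when the image file registered for the driver is not on disk
# (assumed format, inferred from the log above).
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s*\[([^\]]*)\]$")
# MountPoints2 key header carrying the volume GUID, and the AutoRun handler under it.
MOUNTPOINT_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")


def parse_services(log: str) -> List[Dict[str, str]]:
    """Return one dict per service/driver line found in the log."""
    keys = ("start", "name", "description", "path", "timestamp")
    matches = (SERVICE_RE.match(ln.strip()) for ln in log.splitlines())
    return [dict(zip(keys, m.groups())) for m in matches if m]


def drivers_without_file(log: str) -> List[str]:
    """Names of registered drivers whose image file ComboFix could not find."""
    return [s["name"] for s in parse_services(log) if s["timestamp"] == ""]


def autorun_commands(log: str) -> List[Tuple[str, str]]:
    """(volume GUID, command) for each MountPoints2 AutoRun handler in the log."""
    found, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        header = MOUNTPOINT_RE.match(line)
        if header:                       # remember which volume we are under
            current = header.group(1)
            continue
        cmd = AUTORUN_RE.match(line)
        if cmd and current:              # AutoRun handler belongs to that volume
            found.append((current, cmd.group(1)))
    return found
```

Running `drivers_without_file(SAMPLE_LOG)` yields the XDva names from the sample, and `autorun_commands(SAMPLE_LOG)` lists each volume GUID with the executable its AutoRun handler launches, which is what a helper reads by eye when deciding what goes into the Avenger script.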