A HUGE trojan problem!

hello people,

i'm kind of new to this kinda trojan/virus/worm things. anyway, here is my problem. now i think i'm infected with these trojans:

1: Downloader.Dyfica.H
2: Downloader.Dia.A
3: Trojan.ByteVerify

i have two antivirus programs, namely AVG ANTIVIRUS 6.0 FREE EDITION and NAV 2002. AVG detected it but norton didn't. i tried to repair it with AVG but it couldn't. so i downloaded these programs to help: SpyBot, Tauscan, SpyHunter, Bazooka, and CWS. they did remove some problems but i don't know if my virus is gone... it may still be hiding somewhere. and here is my HIJACK THIS log after doing all those checks and fixes.

Logfile of HijackThis v1.97.7
Scan saved at 6:43:03 PM, on 12/15/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\SLEE401.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Stardock\TrayServer.exe
C:\WINDOWS\tppaldr.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\eAcceleration\systimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Ryan\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ryan Berkeley (AKA JeSuSfReAk)
R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
O1 - Hosts: 203.161.127.141 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe"
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINDOWS\tppaldr.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [sbv3c] C:\unzipped\sbv3c\sbv3c.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [Webcelerator] C:\Program Files\Acceleration Software\Webcelerator\webcel.exe runstart
O4 - HKLM\..\Run: [ddeproc] C:\Program Files\Acceleration Software\Webcelerator\ddeproc.exe
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\Agnitum\TAUSCA~1.6\taumon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Add to filterlist (WebWasher) - http://-Web.Washer-/ie_add
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\PROGRA~1\INTERN~2\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37957.0822800926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D51D18B9-4915-4CCE-BF94-C354F61E55D7}: NameServer = 172.16.1.1

Could you guys please help out? it would be greatly appreciated. thanks.

Ryan

 

Hi ryan423,

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

R3 - URLSearchHook: (no name) - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

O4 - HKLM\..\Run: [sbv3c] C:\unzipped\sbv3c\sbv3c.exe <= unless you know what that is

O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

O4 - HKLM\..\Run: [Webcelerator] C:\Program Files\Acceleration Software\Webcelerator\webcel.exe runstart
O4 - HKLM\..\Run: [ddeproc] C:\Program Files\Acceleration Software\Webcelerator\ddeproc.exe
O4 - HKLM\..\Run: [Eac_Download] C:\Program Files\Common Files\eAcceleration\download.exe -k

Then reboot and delete:
C:\Program Files\Acceleration Software <= the entire folder
C:\Program Files\Common Files\eAcceleration <= the entire folder
Then empty your Java cache:
Close all browsers, Start > Settings > Control panel > Java Plugin [version number] > Choose Cache and click remove JAR Cache.

Even if IE is not your most used browser I would advise to get all the available updates for it (including SP1)

Regards,

Pieter

[EDIT] Almost forgot. If you don't know where C:\unzipped\sbv3c\sbv3c.exe came form I would appreciate a copy of that file to the address in my profile. [/EDIT]

 

thanks Pieter . i'll do that. the file "sbc3c.exe" i have no idea where it came from. i suppose it was another sort of trojan. also one more question PIETER, i have a lot of quarantined items in my Norton directory, how i can heal them? since norton can't. thanks.

ryan

 

Hi ryan423,

Is there anything in there that needs "healing"?

I mean, most files in that directory will be virii, trojans and some spyware.
The only thing that would need healing are infected documents or other files that have a normal function, but were altered by malware.

If that is not the case you might as well delete them.

Regards,

Pieter

 

well no not really. there are files in there... i just thought maybe those viruses/spyware/trojans or whatever can reactivite themselves somehow, so i wanted them gone. it's not really a problem tho.. although one virus did give me a treat. lol. called VBS/REDLOF. anyways, thanks for your response.

ryan

 

Hi ryan423,

I don't think the viruses can be reactivated from there. But you can select them all and then delete them. They are just wasting space on your HD anyway.

Regards,

Pieter

 

hey pieter,

yeah ok i'll delete them. thanks again for all your help. and sorry if i sent the wrong "sbv3c" file. i think that .exe file is qurantined. you can reply back to me on that. thanks anyways. also, i have a lot of backup files after fixing the entries in Hijact This. what do i do with them? ok.. thanks for all your help. i'm greatly appreciated.

ryan

 

Hang on to those backups, just in case anything backfires. You can delete them after you have had a few reboots without problems.

Regards,

Pieter

 

I´m having the same trojans Someone can help us!
Thanks!