darn keenval virus

Discussion in 'adware, spyware & hijack cleaning' started by bennieboy2290, Jun 7, 2004.

Thread Status:
Not open for further replies.
  1. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    ok so i got this pop-up from AVG saying that you have a trojan horse downloader.keenval.A-E(ive gotten different ones)

    i downloaded and ran the ad-aware and i ran the hijackthis

    this is the log that hijackthis made:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:58:14 PM, on 6/7/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\PROGRA~1\PESTPA~1\PPControl.exe
    C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Winamp\winampa.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Grisoft\AVG6\avgcc32.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\AIM95\aim.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\WINDOWS\FSScrCtl.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.computerstop.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = adfgdfgdfg:5432
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: 203.161.127.141 www.dcsresearch.com
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {2A13E7C4-B914-4944-9B10-F3141D8BA715} - C:\WINDOWS\system32\tlpjsv.dll (file missing)
    O2 - BHO: (no name) - {77955675-1321-4773-9322-47DEF6E6B154} - C:\WINDOWS\system32\moz030715s.dll (file missing)
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [reg_nuvision_ax] C:\WINDOWS\System32\Regsvr32 /s NUVision.ax
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
    O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    O4 - HKLM\..\Run: [NVCLOCK] rundll32 nvclock.dll,fnNvclock
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
    O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
    O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.computerstop.com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
    O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,55/mcinsctl.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/288e7bb26927754cb505/netzip/RdxIE601.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.1/del/loader.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37740.4878125
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.madonion.com/global/msc34.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
    Last edited by a moderator: Jun 7, 2004
  2. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    can someone check it out? im gettin the pop-up like every 3 min.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Well, the HijackThis log review people are not always here, but let's get some more information first...

    What file does it say is infected anyway? What is the exact message it gives you? And, have you tried running the full AVG scan to see what it finds? (Note that the location and name of the files found are important, especially if it turns out the file or files are in the System Restore area.)
     
  4. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    it says trojan horse downloader.keenval.C

    its in C:/system volume information/_restore{a bunch of numbers that ill put next time i see it}.exe

    I have ran the full AVG test and it didnt catch it. next time it pops up, ill put the full name, but for now, i dont remember the numbers.

    thx a lot for your help
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Ah, it is what I suspected. Those are files stuck in the System Restore area. (AVG is very good at alerting about malware in there.) No anti-virus can clean entries from the System Restore area because it is protected by Windows. What you need to do is cycle System Restore, which will empty it out completely - deleting the bad files in the process. See this overview:

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

    Basically turning it off and on again deletes all old restore points, including the malware. That will stop the constant alerts from AVG's resident scanner.
     
  6. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    i did it and i think it worked.

    thx a lot!!
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You need to replace that entry in your hostsfile with this IP
    64.91.255.87 www.dcsresearch.com
    It is placed with your TDS installation to make sure the F5 brings you immediately to the DiamondCS forum; in the meantime they changed location and IP address so with that change you're up to date again.
     
    Last edited: Jun 9, 2004
  8. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    im sorry but whato_O? i didnt understand what you said, imma noob
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Start > find/search > HOSTS
    you should see your HOSTS file, not the Hosts.sam
    Open HOSTS in wordpad or notepad
    add this line
    64.91.255.87 www.dcsresearch.com
    save, close

    You can also get to the HOSTS file via
    TDS > System Analysis > View file > Network Hosts
    and edit the HOSTS file there.

    As long as that line is there so using the F5 key from TDS or the Forum option ion the menu brings you in the DiamondCS forum and not on that other sitename which is no longer DiamondCS's.
    It's only a help, no obligation :)
     
  10. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    ok so now that the virus is out of the way, do u think someone could check my hijackthis? no one has yet
     
  11. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi bennieboy2290,

    Note that there might be some differences with your current log. If you are unsure it is better to ask then to gamble. ;)

    Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
    O2 - BHO: (no name) - {2A13E7C4-B914-4944-9B10-F3141D8BA715} - C:\WINDOWS\system32\tlpjsv.dll (file missing)
    O2 - BHO: (no name) - {77955675-1321-4773-9322-47DEF6E6B154} - C:\WINDOWS\system32\moz030715s.dll (file missing)

    O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/288e7bb26927754cb505/netzip/RdxIE601.cab

    O16 - DPF: {9E1089BC-1AE8-4685-8D77-6721E5C318A8} - http://217.73.66.1/del/loader.cab

    Then reboot into safe mode and delete:
    C:\Program Files\MyWay <= entire folder

    Regards,

    Pieter
     
  12. bennieboy2290

    bennieboy2290 Registered Member

    Joined:
    Jun 7, 2004
    Posts:
    7
    ok so i deleted everything you said and now this is what it looks like...
     

    Attached Files:

Thread Status:
Not open for further replies.