Hi Cronos, there is the contents of the file:


You canFunde fьr "infected"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mon May 23 23:38:00 2005 => File C:\WINDOWS\svchost.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:37 2005 => File C:\WINDOWS\cmssx.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:38 2005 => File C:\WINDOWS\geffge.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:38 2005 => File C:\WINDOWS\hgfrre.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:42 2005 => File C:\WINDOWS\lsasss.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:46 2005 => File C:\WINDOWS\sddda.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:46 2005 => File C:\WINDOWS\smssrs.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:47 2005 => File C:\WINDOWS\svchos1at.exe infected by "Trojan-Downloader.Win32.Agent.no" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:48 2005 => File C:\WINDOWS\uytlkk.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Mon May 23 23:39:52 2005 => File C:\WINDOWS\wqgff.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 00:18:09 2005 => File C:\Program Files\PestPatrol\Quarantine\20050521115046.zip infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 00:18:09 2005 => File C:\Program Files\PestPatrol\Quarantine\20050523113707.zip infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 00:36:38 2005 => File C:\WINDOWS\cmssx.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 00:38:43 2005 => File C:\WINDOWS\geffge.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 00:57:37 2005 => File C:\WINDOWS\hgfrre.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 01:09:28 2005 => File C:\WINDOWS\lsasss.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 01:27:21 2005 => File C:\WINDOWS\sddda.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 01:31:48 2005 => File C:\WINDOWS\smssrs.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 01:32:32 2005 => File C:\WINDOWS\svchos1at.exe infected by "Trojan-Downloader.Win32.Agent.no" Virus! Action Taken: No Action Taken.
Tue May 24 01:40:09 2005 => File C:\WINDOWS\uytlkk.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 01:40:20 2005 => File C:\WINDOWS\wqgff.dll infected by "Trojan.Win32.Agent.cl" Virus! Action Taken: No Action Taken.
Tue May 24 01:40:24 2005 => D:\BP\Plamen\Galin\ai.doc possibly infected and removed by background antivirus package!
Tue May 24 01:40:24 2005 => File D:\BP\Plamen\Galin\ai.doc infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
Tue May 24 01:40:24 2005 => D:\BP\Rado\ai.doc possibly infected and removed by background antivirus package!
Tue May 24 01:40:24 2005 => File D:\BP\Rado\ai.doc infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
Tue May 24 01:40:25 2005 => D:\BP\Veneta\Georgi\ai.doc possibly infected and removed by background antivirus package!
Tue May 24 01:40:25 2005 => File D:\BP\Veneta\Georgi\ai.doc infected by "BkCln.Unknown" Virus! Action Taken: No Action Taken.
Tue May 24 01:45:17 2005 => Total Disinfected Files: 0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Funde fьr "tagged"

Download Killbox
1. Start your PC in the save mode and deactivate the system recovery.
2.Open Killbox
3. Copy the first file mentionend "infected" by th eScan_neu.txt and paste it into Killbox
3.Choose "Delete on reboot"
4. Press the red x
5.Answer the next question with "yes" the following with "no"
6. Copy&paste the other files mentioned "infected" the same way
7. If you reached the last file answer both questions with "yes"

Now your PC will reboot.
Boot in the "normal mode" and post a new HijackThis Logfile.

@guchev
I don't understand your really.

Zitat:

i am sure avg will find the backdoor.small38 if i ran it now.

To find a Backdoor ist not a great achievement. But to remove it exists NOTHING exept FLATTEN AUND REBUILD.
Why do you remain with total compromitzed PC online?
Please read here once more: http://www.trojaner-board.de/showpos...39&postcount=7

I have a software on my computer which can be installed only in Bulgaria and i am dont know when i will be going there. I need the software for my business. Plus the system even compromised works.
I did read the article you sent me , the author suggests that the system MIGHT be compromised. And as i mentioned it works it disconects me only if i use iexplorer. The system is stable with Firefox.
Plus i have to pay respect to CRONOS and try his metod of removing the bug.He apperantly belive it COULD be done.
Where are YOU from?

Best regards

Hi Cronos,
Very good instructions. All done. Is it OK?
I am going to play volayball now and will be back i 2hrs to see how the system performs.
Thnaks




Logfile of HijackThis v1.99.1
Scan saved at 20:38:07, on 24/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\sony\vaio power management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\WINDOWS\msexploren.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Do\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CDllBho Object - {5A5B6916-ED71-4531-8018-E792DD44156E} - C:\WINDOWS\dd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O4 - HKLM\..\Run: [SonyPowerCfg] C:\Program Files\sony\vaio power management\SPMgr.exe
O4 - HKLM\..\Run: [HKSERV.EXE] C:\Program Files\Sony\HotKey Utility\HKserv.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\msexploren.exe /i
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1101113700534
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A6CAAD3-568E-458F-89BF-6112A909EBF6}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{790AD587-6869-42D7-B3FA-185119EFE956}: NameServer = 192.168.1.5
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

@ guchev

Sorry but your PC is infected with that one.

O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\msexploren.exe /i

http://www.sophos.com/virusinfo/anal...ojbdooreb.html

I think you should really think about flatten rebuild as rene-gad mentioned before.
Was quite unsafe in your case but now I am sure theres no other way to go.

Sry

Thanks to everybody who participated in the atempt of resolving my problem. I will clean my computer asap.
I am busy and i havent got much time to experiment and play so i am not quite sure what is the best protection available at the moment. I mean protection from Viruses, Trojans, Spyware etc.
Bear in mind i do like my computer to work fast as well not beeing clogged with a lot of programs.

THANK you agaian

Try to flatten&rebuild your system by that link:

http://www.trojaner-board.de/showthread.php?t=12154

I´ll think you will get that link.Otherwise use P.Ms to contact me!
Perhaps we´ll dance in Sofia

with my deepest regrets for your system

Cronos

P.S: In July I will be in Eire...-> Dublin