avast found trojans-delete? or what?-in chest

[bball142023]

hi
avast found these 3 trojans and are in my chest, but i dont know what to do beacuse i saw webdrivers-i wanted to delete but decided to wait for advise and these other 3 file, which i think i should delete-
kernel32.dll
winsock.dll
wsock32.dll



these are the trojans-
Win32:Adware-gen [Adw]
DLL  Win32:Spyware-gen [trj]
Win32:Adware-gen [Adw]


FileID: 0000000005  Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\NPWTHOST.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp133062928.tmp\5.DLL

FileID: 0000000004  Original file name: C:\WINDOWS\WT\WEBDRIVER\WTMULTI.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp133062928.tmp\4.DLL

FileID: 0000000006  Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\WTMULTI.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp133062928.tmp\6.DLL

i appreciate any help
-tks

[wyrmrider]

WT may indicate Wild Tangent

google wt webdriver

no rush to delete

you could send to virus total to verify wild tangent

you could run an antispyware scan to see if there is something else out there

you could schedule a "scan on boot" scan with avast

lots of choices

a helper may have you post a HJT to check for additional wild tangent dll's

[Jtaylor83]

The three system files kernel32.dll, winsock.dll, and wsock32.dll are for backup purposes don't delete.

[bball142023]

i have hijack this, should i post the log- i think it is wildtangent-

Virus has been detected!
File Name: WTMULTI.DLL
FileID: 4
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: NPWTHOST.DLL
FileID: 5
Virus Description: Win32:Spyware-gen [trj]

Virus has been detected!
File Name: WTMULTI.DLL
FileID: 6
Virus Description: Win32:Adware-gen [Adw]

i got this by scanning the files in the chest
 
Move files to temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp
FileID: 0000000005  Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\NPWTHOST.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp\5.DLL
FileID: 0000000004  Original file name: C:\WINDOWS\WT\WEBDRIVER\WTMULTI.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp\4.DLL
FileID: 0000000006  Original file name: C:\WINDOWS\WT\WTUPDATES\WTWEBDRIVER\FILES\3.3.1.001\WTMULTI.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp\6.DLL

Scan files in the temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp\4.DLL  Win32:Adware-gen [Adw]
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp\5.DLL  Win32:Spyware-gen [trj]
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp75284279.tmp\6.DLL  Win32:Adware-gen [Adw]
------------------------------------------------------------------------------------------

[FreewheelinFrank]

avast found these 3 trojans and are in my chest, but i dont know what to do beacuse i saw webdrivers-i wanted to delete but decided to wait for advise and these other 3 file, which i think i should delete-
kernel32.dll
winsock.dll
wsock32.dll

These are backups of legitimate system files- you should see they are in a separate section- and they should not be confused with any malware detected and moved to the chest: they can be left where they are indefinitely.

[bball142023]

yea they are separate in the chest under system files

[wyrmrider]

first
Do Whatever Frank says
just leave those system files alone in the chest for a while as they are backups

what to do with the three baddies? and possible Wild Tangent
so go ahead and post that HJT
just read the instructions closely and do not FIX anything till you hear from Frank or better
if you have an old version of HJT get the latest etc.

[bball142023]

ok
heres the kt log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:07:06, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.verizon.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=61005
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=61005
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /QS
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4664 bytes

[bball142023]

i dont know- this might help     a log from

Malwarebytes' Anti-Malware 1.20
Database version: 944
Windows 5.1.2600 Service Pack 2

7:56:07 PM 7/13/2008
mbam-log-7-13-2008 (19-56-03).txt

Scan type: Quick Scan
Objects scanned: 40465
Time elapsed: 12 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58472bc6-bea3-42d4-8917-7a8bcb0711b5} (Trojan.Zlob) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\e405.e405mgr (Trojan.Zlob) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d1577581-2ed7-469f-99b1-72c1339e0ee0} (Trojan.Zlob) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\SYSTEM32\734914 (Trojan.BHO) -> No action taken.

Files Infected:
C:\WINDOWS\wr.txt (Malware.Trace) -> No action taken.
C:\Documents and Settings\Jessie Singh\My Documents\My Music\My Music.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Jessie Singh\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> No action taken.
C:\Documents and Settings\Jessie Singh\My Documents\My Videos\My Video.url (Trojan.Zlob) -> No action taken.

[FreewheelinFrank]

Nothing obvious in the log, but your Sun Java application needs updating.

Scan for out-of-date and insecure software using Secunia Software Inspector and update any vulnerable software: this will help to prevent future infections.

[bball142023]

ok avast found 2 more ny itself i was infected with antispycheck and found it now in superantispyware and removed it before with smithfraud fix or something

Virus has been detected!
File Name: A0087349.DLL
FileID: 7
Virus Description: Win32:Adware-gen [Adw]

Virus has been detected!
File Name: A0087411.EXE
FileID: 8
Virus Description: Win32:Adware-gen [Adw]


Move files to temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp
FileID: 0000000007  Original file name: C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0087349.DLL  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp\7.DLL
FileID: 0000000008  Original file name: C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP292\A0087411.EXE  New folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp\8.EXE

Scan files in the temporary folder: C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp\7.DLL  Win32:Adware-gen [Adw]
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp\8.EXE\nsis.hdr  -- no virus --
C:\DOCUME~1\JESSIE~1\LOCALS~1\Temp\_avast4_\unp169004264.tmp\8.EXE  Win32:Adware-gen [Adw]

[bball142023]

i updated java,- was required for quicktime but i deleted it, i now use firefox and have ie6 but thinking of deleting it-should i? 

[bball142023]

also, some extra info
i have Superantispyware and it found antispycheck-(managed to delete)
Rogue.AntiSpyCheck
   C:\SYSTEM VOLUME INFORMATION\_RESTORE{21D7D692-4662-421F-93B0-877BC3820711}\RP290\A0087349.DLL
 
and was wondering if i should delete or not
 i appreciate the help
tks

[FreewheelinFrank]

To clean System Restore:

Create a clean restore point then delete all previous infected restore points

Java comes in useful sometimes, but only you can say if you need it.

[CharleyO]

***

Welcome to the forums, bball.   

Deleting IE may cause problem you do not want since Windows Explorer also uses some of the same components. Instead, upgrade to IE7 since it is more secure than IE6 even if IE is not your defailt browser. IE is not my default browser neither since I primarily use Opera 9.51 as my default browser.

After following Frank's suggestions, run HJT again and fix the below entries if they are still present. These entries have no file associations and are therefore not needed.

O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


***