Author Topic: Please Help With Removal Of Many Trojans  (Read 24178 times)


DebbieR

  • Guest
Please Help With Removal Of Many Trojans
« on: March 11, 2009, 05:03:55 PM »
I have Win Xp, All Service Packs are installed. All updates are installed.

Names of Trojans:

Muldrop
Stpage
Win32.trojan/dialer
Dloader
Trojan.tdsserv
Win32.fasec
Win32.Trojan.gen


I turned off System Restore and rebooted. The trojans were still there. I restored the computer to factory settings, the trojans are still there.

Once a program finds the trojans it will not find them a second time.

All temp files have been deleted many times.

I used several online scanners.
Panda wanted money to get rid of the trojans.
Trend Micro won't load.
KAV wants one file, I can't give it a System Volume File.
RAV says I'm forbidden to use the page.
Jotti wants a file.
Virus total wants a file.

The trojans don't show on HJT:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:43 PM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldtserv.exe
O23 - Service: dldt_device -   - C:\WINDOWS\system32\dldtcoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)

-------------------------------------------------------
I unplugged the phone line, I have dsl.
In Services I turned off all Remote Access and Remote Call functions. My computer still has times when it makes loud clicking noises like a time bomb, this can last for hours if I don't unplug my computer.

Clrav didn't find anything.

eScan: Error Detected!!! You will need to buy Escan or this toll in order to eliminate this error from your system. Click on BUY THIS PRODUCT button to go to our online store...

---------------------------------
Fujack.trojan was found.

I deleted autorun.inf per instructions from:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=148435

I didn't delete the setup.exe files
-----------------------
Scanspyware didn't find anything
(did I tell you I am so tired of this/these worms?)
---------------------------------
SpywareDoctor found Trojan.Agent.B!ct

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: Please Help With Removal Of Many Trojans
« Reply #1 on: March 11, 2009, 07:34:23 PM »
I suggest:

1. Clean your temporary files.
2. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
3. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
4. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
5. Immunize your system with SpywareBlaster.
6. Check if you have insecure applications with Secunia Software Inspector.
The best things in life are free.

DebbieR

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #2 on: March 11, 2009, 07:37:29 PM »
Ok, will do.

DebbieR

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #3 on: March 13, 2009, 11:40:18 PM »
Here is the update:

Ran Avast at boot, scanning archives.
Found several corrupted files, I deleted them.

SuperAntiSpyware found:
2 tracking cookies

DrWebCureIT found Muldrop.trojan, moved it to the virus chest, it's incurable.

MBAM found a home page hijacker in the registry and removed it.

Spyware Terminator Freezes on install.

avast! antirootkit Didn't find anything.

Trend Micro RootkitBuster didn't find anything.

SpywareBlaster is protecting my system now.

Secunia Software Inspector:

Detection Statistics:

13 Applications Detected in Total
5 Insecure Versions Detected
8 Patched Versions Detected

Running For:
6 Minutes, 6 Seconds

Errors with the scan:
0 Errors Detected, scan result should be correct     

Detection completed successfully
 

The Trojans are still in my computer. :(

CharleyO

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #4 on: March 14, 2009, 12:37:55 AM »
***

Welcome to the forums, DebbieR.   :)

You have used an old version of HJT which might not show complete results or might show incorrect results.
Please download the latest version of HJT from the link below.

http://filehippo.com/download_hijackthis/ 


***

DebbieR

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #5 on: March 14, 2009, 12:52:09 AM »
Thank you, CharleyO.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:51:06 PM, on 3/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell V305\dldtmon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell V305\dldtMsdMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dldtcoms.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
O4 - HKLM\..\Run: [dldtamon] "C:\Program Files\Dell V305\dldtamon.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldtserv.exe
O23 - Service: dldt_device -   - C:\WINDOWS\system32\dldtcoms.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 3834 bytes

CharleyO

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #6 on: March 14, 2009, 03:25:56 AM »
***

An analysis of your HJT log shows :

We didn't detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don't use any firewall at all.
We recommend you to use a firewall.

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
I suggest you upgrade to IE7

Entries that were questionable :

C:\WINDOWS\system32\dldtcoms.exe
My research shows this belongs to Lexmark printers for Dell. If you have a Lexmark, this one is OK.
http://searchtasks.answersthatwork.com/tasklist.php?File=dldtcoms

O4 - HKLM\..\Run: [dldtmon.exe] "C:\Program Files\Dell V305\dldtmon.exe"
Also related to Lexmark for Dell.
http://searchtasks.answersthatwork.com/tasklist.php?File=dldtmon

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Unnecessary (deactivated) entry that can be fixed. The entry has been identified as safe.
Probably related to Real Player.

O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\dldtserv.exe
Also related to Lexmark for Dell.
http://searchtasks.answersthatwork.com/tasklist.php?File=dldwserv

O23 - Service: dldt_device - - C:\WINDOWS\system32\dldtcoms.exe
Also related to Lexmark for Dell.
http://searchtasks.answersthatwork.com/tasklist.php?File=dldtcoms

None of these should present any problems, but, the O9 entry should be fixed.
If you are no longer using a Lexmark printer, the others can also be fixed.

What were the locations given for the trojans you listed above?

***
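The two checks CharleyO applies by hand above (entries whose target file no longer exists, and services whose owner HijackThis could not identify) can be automated over the log text. This is an added example, not HijackThis's own code or anything from the thread; the sample lines are copied from the second log posted above, and the field-splitting assumes the usual "Oxx - Service: name - owner - path" layout.

```python
"""Triage helper for HijackThis-style logs (added example, not HJT's own code).

Flags two classes of entries a reviewer looks at first:
  orphaned      - the entry's target is gone ("(no file)" / "(file missing)"),
                  so nothing runs from it and it can safely be fixed
  unknown_owner - an O23 service HJT could not attribute to a vendor,
                  which needs research (e.g. the Lexmark/Dell services) before acting
"""
import re

# Constructed sample: lines copied from the second HJT log in this thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\\System32\\dimsntfy.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: dldtCATSCustConnectService - Unknown owner - C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\\\dldtserv.exe
O23 - Service: dldt_device -   - C:\\WINDOWS\\system32\\dldtcoms.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return (code, body) pairs for every 'Oxx - ...' line; process lists are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def service_owner(body):
    """For an O23 body 'Service: name - owner - path', return the owner field.

    An empty owner (HJT prints '-   -') is treated the same as 'Unknown owner'.
    """
    parts = [p.strip() for p in body.split(" - ", 2)]
    return parts[1] if len(parts) == 3 else ""


def triage(log_text):
    """Classify entries as 'orphaned' or 'unknown_owner'; returns (code, kind, body) tuples."""
    findings = []
    for code, body in parse_entries(log_text):
        if any(marker in body for marker in MISSING_MARKERS):
            findings.append((code, "orphaned", body))
        elif code == "O23" and service_owner(body) in ("", "Unknown owner"):
            findings.append((code, "unknown_owner", body))
    return findings


if __name__ == "__main__":
    for code, kind, body in triage(SAMPLE_LOG):
        print(f"{kind:14} {code} - {body}")
```

The output is a review queue, not a verdict: an "unknown_owner" service still has to be looked up (as CharleyO did for the dldt* entries) before anything is fixed.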

micky77

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #7 on: March 14, 2009, 08:57:59 AM »
You say in your first post " KAV wants one files, I can't give it a System Volume File." So it's possible some of these trojans are in your System Restore. Like CharleyO says, post the names and locations of the infected files. Copying and pasting the logs from whatever scanner you used is even better.

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Please Help With Removal Of Many Trojans
« Reply #8 on: March 14, 2009, 09:23:24 AM »
Quote
I have Win Xp, All Service Packs are installed. All  updates are installed.
No you haven't. If you had you would have IE7, not IE 6!

Click on the link in my signature and follow ALL instructions in the malware removal section.
Report back here after doing so.

YoKenny

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #9 on: March 14, 2009, 02:09:32 PM »
Quote
I have Win Xp, All Service Packs are installed. All  updates are installed.
No you haven't. If you had you would have IE7, not IE 6!

I believe that IE7 is a selected download and is not automatically installed in XP unfortunately:
http://www.microsoft.com/windows/downloads/ie/getitnow.mspx

Stay away from IE8 until it is officially released.

I like IE7Pro as well:
http://www.ie7pro.com <== I choose not to use its Ad Blocker though.

Mr.Agent

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #10 on: March 14, 2009, 03:21:45 PM »
i think im not sure but trojan shield is good for his problem ?

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: Please Help With Removal Of Many Trojans
« Reply #11 on: March 14, 2009, 03:29:55 PM »
YoKenny
Quote
I have Win Xp, All Service Packs are installed. All updates are installed
That means IE7 should have been installed, no matter if it was an automatic update or not.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89051
  • No support PMs thanks
Re: Please Help With Removal Of Many Trojans
« Reply #12 on: March 14, 2009, 05:25:07 PM »
IE6, because it came with XP is still part of that OS life-cycle (extended on the Home version) and as such still receiving security updates as in IE6 SP3.

As and when these security updates were to cease then perhaps I would get a newer version of IE, by then probably IE8 or perhaps even IE9 ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

DebbieR

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #13 on: March 14, 2009, 07:58:53 PM »
CharleyO I do have a Dell Printer. I will remove the O9.
I am using Windows Firewall.

micky77, I know at least one is in System Restore which is turned off at this time. It didn't disappear when I returned the computer to factory settings.

Eddy I didn't think IE6 was a problem? If it is I will update to IE7.
I went to the link in your sig, I had all but the Root kit and adware. I installed the rootkit and ran it, nothing found. Adaware is scanning now.

DavidR now I'm confused? IE6 or IE7?
-----------------------------------------------------------
I lost most of the logs when I reset my computer.

Here is the log for Avast boot:

03/11/2009 16:37
Scan of all local drives

File F:\Coloring Books\Coloring Books\DRCB2.zip\Dover_Renaissance_fashions_coloring_book_Page_13.jpg Error 42125 {ZIP archive is corrupted.}
File F:\Documents\Genealogy\Genealogy Photos 2\HAMMOCK.FBK\F98E000000000.FIN\_3_IMAGE.DB Error 42145 {OLE archive is corrupted.}
File F:\Documents\Genealogy\Genealogy Photos 2\Hammock.FTW\F98E000000000.FIN\_3_IMAGE.DB Error 42145 {OLE archive is corrupted.}
File F:\Documents\Genealogy\Genealogy Photos 2\Smith11.FBK\F98E000000000.FIN\_3_IMAGE.DB Error 42145 {OLE archive is corrupted.}
File F:\Documents\Genealogy\Genealogy Photos 2\Smith11.FTW\F98E000000000.FIN\_3_IMAGE.DB Error 42145 {OLE archive is corrupted.}
File F:\Downloads\Tubes\xmasdogcat.zip\xmasdogcat.psp Error 42125 {ZIP archive is corrupted.}
File F:\Repaired Paper Dolls\Barbie\1-of-2_Ken,+Nostalgic,+by+Peck-Gandre+Paper+Doll+(pk).zip\01_Ken, Nostalgic, by Peck-Gandre Paper Doll_fc.JPG Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 15404
Number of tested files: 550812
Number of infected files: 0
------------------------------------------------
I deleted all the corrupted files
----------------------------------------------
My computer became infected when I downloaded a pdf file and converted it to a jpg for a friend. I have since deleted the pdf.
So far I don't think I have logs showing infected files. I know the Trojans are still there because they make very loud clicking noises and sometimes they shut off my computer. It seems like one of the scans you guys recommended I do found a start page trojan and moved it to the virus chest (DrWebCureIt maybe?) Sometimes my memory isn't very good.
------------------------------------------------
A scan usually takes about 2 hours to complete because I have an external hard drive with many paper dolls files among other things.




DebbieR

  • Guest
Re: Please Help With Removal Of Many Trojans
« Reply #14 on: March 14, 2009, 08:48:56 PM »
Ad Aware didn't find any problems.  :o