
Help again please??

Discussion in 'Malware and Virus Removal Archive' started by chalver, 2005/10/15.

  1. 2005/10/15
    chalver

    chalver Inactive Thread Starter

    Joined:
    2002/06/21
    Messages:
    66
    Likes Received:
    0
    A friend is having a problem with the Trojan horse Generic APD. She has run Spybot and Ad-Aware and uses AVG, which keeps detecting it. We have taken off System Restore and gone that route, but still cannot get rid of it. It keeps coming up. Can someone please tell me what to do next?? The file path is C:/WINDOWS/system32/oes.exe


    Thanks so much!!! :) :) :)
     
  2. 2005/10/15
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Would you please clarify that a bit? Does that mean that you have shut down SR or used it?

    If you have not shut down SR, you should until you get the problem fixed. Or at least, if you get rid of the problem, then shut down SR and make a clean one.

    Viruses and Trojans and the like are an area where System Restore needs to be cleaned up right along with the rest of the system.

    As I tried to point out in another post, System Restore is not a set-n-forget item. If you clean up a system and do not clean up SR to match, you can be right back in trouble again. And you may well have wasted the time taken to clean up.

    BillyBob
     


  4. 2005/10/15
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
  5. 2005/10/15
    chalver

    chalver Inactive Thread Starter

    Joined:
    2002/06/21
    Messages:
    66
    Likes Received:
    0
    Did it all right I think but still have it

    We turned off System Restore. Ran Ad-Aware, Spybot, and AVG. Then rebooted the computer and turned System Restore on again. Ran AVG again and the virus shows back up :eek: Now what?
     
  6. 2005/10/15
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    Did you follow the suggestions by oshwyn5 while you had SR turned off?

    If the problem actually was in the SR files, turning it off should have gotten rid of it.

    BillyBob
     
  7. 2005/10/15
    chalver

    chalver Inactive Thread Starter

    Joined:
    2002/06/21
    Messages:
    66
    Likes Received:
    0
    More Info

    Yes, I did it all while System Restore was off. Below is a copy of the log from HijackThis. Now what??? :) Thanks so much for your help.
    Logfile of HijackThis v1.99.1
    Scan saved at 5:57:17 PM, on 10/15/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\system32\pctspk.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Tablet.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\AOL\1124555538\ee\AOLHostManager.exe
    C:\Program Files\Common Files\AOL\1124555538\ee\AOLServiceHost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\Wtablet\TabUserW.exe
    C:\Program Files\LimeWire\LimeWire.exe
    C:\Program Files\Common Files\AOL\1124555538\ee\AOLServiceHost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Jen.JEN-7ZMO6Q0RV9M\Local Settings\Temporary Internet Files\Content.IE5\IJ23M5OP\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://aimhome.netscape.com/aimhome.adp
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/
    R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\avtx.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124555538\ee\AOLHostManager.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\RunOnce: [ab1w9m.exe] C:\WINDOWS\system32\ab1w9m.exe /k
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Extreme Messenger for AIM] C:\Program Files\Extreme Messenger\ExtremeMessenger.exe nosplash
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\RunOnce: [ab1w9m.exe] C:\WINDOWS\system32\ab1w9m.exe /k
    O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by14fd.bay14.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/45/install/gtdownls.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
    O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
    O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
     
  8. 2005/10/15
    BillyBob Lifetime Subscription

    BillyBob Inactive

    Joined:
    2002/01/07
    Messages:
    6,048
    Likes Received:
    0
    OK. Please double-check me on this, as I do not really understand; this is something new for me.

    1-You say you turned SR off and did the cleaning.

    2-Did all seem to be clear before turning SR back on?

    3-Did you make sure SR was off on ALL drives, if you do indeed have more than one? If you did, it should have cleared all SR files.

    As a check I would suggest turning SR off again and seeing if the virus clears. If it does not show up, then you need more help than I can provide.

    BillyBob
     
  9. 2005/10/15
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Please follow Posting Rules (#3 - Meaningful Subject) when posting.
     
    Arie,
  10. 2005/10/16
    oshwyn5

    oshwyn5 Inactive

    Joined:
    2005/08/25
    Messages:
    736
    Likes Received:
    0
    Please move HijackThis to a permanent folder.
    C:\Documents and Settings\Jen.JEN-7ZMO6Q0RV9M\Local Settings\Temporary Internet Files\Content.IE5\IJ23M5OP\HijackThis[1].exe

    Nothing with temp or temporary in the file path.
    C:\Program Files\Hijackthis\Hijackthis.exe is good.
    Even
    C:\Documents and Settings\Jen.JEN-7ZMO6Q0RV9M\My Documents\Hijackthis\Hijackthis.exe
    We may be cleaning temp files to cure you.


    Please download Starter
    CodeStuff Starter startup manager and process viewer
    Install
    Then please boot to safe mode.
    How to boot to safe mode.
    Alternative method

    Run HijackThis with all other windows closed.
    Choose scan only, put a check by the following and choose fix
    O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\avtx.dll
    O4 - HKLM\..\RunOnce: [ab1w9m.exe] C:\WINDOWS\system32\ab1w9m.exe /k
    O4 - HKCU\..\RunOnce: [ab1w9m.exe] C:\WINDOWS\system32\ab1w9m.exe /k
    Note that it is listed twice, get both
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    Note this one has no associated URL


    Then please use CodeStuff Starter (the process viewer tab) or Windows Task Manager to locate and kill the process ab1w9m.exe if it is running.

    How to show hidden files

    Make sure that in Control Panel / Folder Options it is set to show hidden and system files, and uncheck hide protected files and uncheck hide known file extensions.
    Locate and delete C:\WINDOWS\system32\ab1w9m.exe

    Empty your temp and temp internet files
    Empty all Temp folders (delete all files within):

    C:\Documents and Settings\(profile)\Local Settings\Temp\
    C:\Windows\Temp\
    C:\Temp\ (if it exists)


    Go to: Control Panel > Internet Options
    General tab > Temporary Internet Files > Delete Files:
    Checkmark "Delete all offline content"
    Click OK

    Disable System Restore if it is enabled, reboot to Windows normal mode, run HijackThis to confirm that none of these returns and no new entries appear.
    If new entries appear or these reappear, please post your new HijackThis log. Otherwise, re-enable System Restore and create a new restore point.
    How did I get infected in the first place
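The entries oshwyn5 picked out of the log above were not chosen at random: a BHO registered with no name and living directly in system32, a RunOnce entry with a machine-looking name that is duplicated across HKLM and HKCU, and an ActiveX (O16 DPF) entry with no description and no download URL. The script below is an added example, not part of this thread and not a HijackThis feature, that turns those same triage rules into a small parser for HijackThis v1.99-style log lines. The sample log is constructed from the entries discussed here; the "looks machine-generated" name pattern is a heuristic of my own and is labelled as such in the code.

```python
import re
from collections import Counter

# Constructed sample log (not a real scan): a handful of HijackThis v1.99-format
# lines modelled on the entries discussed in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7A1693A1-AFAF-4F1E-9B05-EEC38A85FBF3} - C:\WINDOWS\system32\avtx.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [ab1w9m.exe] C:\WINDOWS\system32\ab1w9m.exe /k
O4 - HKCU\..\RunOnce: [ab1w9m.exe] C:\WINDOWS\system32\ab1w9m.exe /k
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

# Line formats for the three entry types we triage (O2 = BHO, O4 = registry
# autostart, O16 = downloaded ActiveX control).
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<url>\S*)$")

SYSTEM32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\", re.IGNORECASE)
# Heuristic (my assumption, not a HijackThis rule): 5-8 chars mixing letters and
# digits with nothing else reads like a generated name rather than a product name.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{5,8}$", re.IGNORECASE)


def first_token(cmd):
    """Return the executable path from a Run command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return [(line, [reasons])] for every entry that trips a triage rule."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = []
        if (m := O2_RE.match(line)):
            if m["desc"] == "(no name)":
                reasons.append("BHO registered without a name")
            if SYSTEM32.match(m["path"]):
                reasons.append("BHO DLL lives directly in system32")
        elif (m := O4_RE.match(line)):
            exe = first_token(m["cmd"])
            base = re.sub(r"\.exe$", "", m["name"], flags=re.IGNORECASE)
            if m["key"].lower() == "runonce" and SYSTEM32.match(exe):
                reasons.append("RunOnce entry launching from system32")
            if RANDOM_NAME.match(base):
                reasons.append("autostart name looks machine-generated (heuristic)")
        elif (m := O16_RE.match(line)):
            if not m["url"]:
                reasons.append("ActiveX (DPF) entry with no description or URL")
        if reasons:
            findings.append((line, reasons))
    return findings


def duplicate_autostarts(log_text):
    """Map autostart names registered in more than one hive/key to their count."""
    counts = Counter()
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if m:
            counts[m["name"].lower()] += 1
    return {name: n for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
    for name, n in duplicate_autostarts(SAMPLE_LOG).items():
        print(f"{name}: registered {n} times (HKLM and HKCU both need fixing)")
```

Run against the constructed log it flags exactly the four lines the helper told the poster to fix and reports ab1w9m.exe as registered twice, which is the "listed twice, get both" point above; the AVG and Adobe entries pass untouched. The rules are triage aids, not verdicts: a nameless BHO or an empty DPF entry is a reason to look, and the confirmation step in the thread (rescan with System Restore off, then post the new log) is what decides.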
     
