[Griizzle]

I noticed a problem with my laptop this evening when Internet Explorer wasn't working. I restarted my laptop but still had the same problem. My laptop has also been running slower than usual for a while now, but I haven't really taken any notice of it until now!

I updated AVG today before I started scanning and it showed that I was infected with a 'Trojan Horse BackDoor Hupigon4.RCG'. The 2 file pathways for the virus are:

C:\Users\Grizzle\Downloads\Hamrosoft.50webs.com[FruityLoops8]\HAMROSOFT[FruityLoops8].exe
C:\Users\Grizzle\Downloads\Hamrosoft.50webs.com[FruityLoops8]\HAMROSOFT[FruityLoops8].exe:\$lA\ToxicBiohazard.dll

I also ran Spybot - Search and Destroy and that found a few problems (can't find the log). I deleted them, updated SSAD and then rescanned after restarting the laptop and no problems were detected again. (I did this BEFORE scanning with AVG).

Anybody help at all?! I really need my laptop to do my university work!

Cheers,
Tom (Grizzle)

[Advertisements]

Hello, Griizzle!

Welcome to Geeks to Go! My name is Elster and I will be helping you fix your computer.

Please note that I am still in training, so there may be some delay between my responses. This is so that a resident expert may check my reply before I post back to you.

Also, please keep in mind that very rarely will a computer be "dis-infected" on the first sweep. The absence of symptoms does not mean that your computer is clean, so please stick with me until I give you the All Clear!

I recommend that you save and print each of my posts, as there will be times when you will not be able to be online to access them.

To begin, please follow the steps listed here, then post your logs in a reply to this thread.

Thanks!

Elster

[Elliot]

Hello, Griizzle!

Welcome to Geeks to Go! My name is Elster and I will be helping you fix your computer.

Please note that I am still in training, so there may be some delay between my responses. This is so that a resident expert may check my reply before I post back to you.

Also, please keep in mind that very rarely will a computer be "dis-infected" on the first sweep. The absence of symptoms does not mean that your computer is clean, so please stick with me until I give you the All Clear!

I recommend that you save and print each of my posts, as there will be times when you will not be able to be online to access them.

To begin, please follow the steps listed here, then post your logs in a reply to this thread.

Thanks!

Elster

[Griizzle]

Hi Elster, thanks a lot for helping me!

I have updated MBAM and performed a quick scan. 1 Registry key was infected, which I believe was one of the files from a virus I had last year on the same laptop that I thought I'd got rid of... Here's the MBAM quick scan log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18865

20/01/2010 17:30:51
mbam-log-2010-01-20 (17-30-51).txt

Scan type: Quick Scan
Objects scanned: 98788
Time elapsed: 30 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\gaopdxserv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I am about to download Avast, as recommended by Geekstogo, and perform a full system scan. I will edit this post and post the scan log when it has finished.

Just an extra thing aswell, I was looking through the Uninstall Programmes screen from the Control Panel, and noticed that the 'ToxicBiohazard' part of the virus was in the uninstall programs screen. It says that the publisher is 'Image-Line bvba'. Is this a known malware problem, or is it just me being over cautious?! 3 other programmes in the list have the same publisher; 'Collab', 'IL Download Manager' and 'PoiZone'. The latter two were apparantly installed on the same date as 'ToxicBiohazard'.

Thanks in advance!


EDIT: I've downloaded and updated Avast and performed a full system scan. Avast found 3 threats. I'm not sure how to post up or attach the log from the scan, so I'll post up the pathways and what was found:

C:\Program Files\Windows Live\Photo Gallery\WLXQuickTimeControlHost.exe Threat: Win32:Trojan-gen
C:\Windows\System32\drivers\DriveSentryKeeperDriver.sys Threat: Win32:Rootkit-gen [Rtk]

The 'Win32:Rootkit-gen' was found twice in exactly the same file location, so I won't write it out again


NOTE: I've tried to run GMER but it keeps shutting down my laptop!!

Edited by Griizzle, 20 January 2010 - 06:33 PM.

[Elliot]

Hiya Tom!

Sorry for the delay, long day at work!

3 other programmes in the list have the same publisher; 'Collab', 'IL Download Manager' and 'PoiZone'. The latter two were apparantly installed on the same date as 'ToxicBiohazard'.

Are you a musician? These are synthesizer programs. Shouldn't be a cause for concern, unless the drivers have become infected -- which we are about to find out.

To ensure that I get all the information, this log will need to be attached (instructions at the end) if it is too large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop

• Close ALL OTHER PROGRAMS.
• Double-click on OTS.exe to start the program.
• Check the box that says Scan All Users
• Under Additional Scans check the following:
  • Reg - Shell Spawning
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EvtViewer (last 10)
• Under custom scans copy and paste the following:
  netsvcs
  %SYSTEMDRIVE%\*.exe
  /md5start
  eventlog.dll
  scecli.dll
  netlogon.dll
  cngaudit.dll
  sceclt.dll
  ntelogon.dll
  logevent.dll
  iaStor.sys
  nvstor.sys
  atapi.sys
  IdeChnDr.sys
  viasraid.sys
  AGP440.sys
  vaxscsi.sys
  nvatabus.sys
  viamraid.sys
  nvata.sys
  nvgts.sys
  iastorv.sys
  ViPrt.sys
  /md5stop
  %systemroot%\*. /mp /s
  c:\$recycle.bin\*.* /s
  CREATERESTOREPOINT
  
• Now click the Run Scan button on the toolbar.
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Thanks!

Elster

[Griizzle]

Hi Elster,

No worries about the delay, everyone has to work!

Yeah I've played around with Fruity Loops 8 in the past as I'm really into my electronic music, but I really don't recognise the ToxicBiohazard bit! Just concerned me, probably nothing to worry about though

I've scanned with OTS and am attaching the log now as we speak. The log looks bloomin' complicated!

Cheeeeeeeeeeeeeeeers

 OTS.Txt   151.02KB   227 downloads

Edited by Griizzle, 22 January 2010 - 12:07 PM.

[Elliot]

Hello, Tom!

Not much found in your log, but let's do another scan just to verify. The slowdown you are noticing may be due to the fact that you have multiple anti-virus programs running on your computer. Having multiple anti-virus softwares running at the same time may cause problems on your computer such as slowness, conflicts and (believe it or not) more vulnerability to infections. I would recommend that if you are paying a subscription fee to any of them, you remove the others from your system. If you are not subscribing to any, I recommend removing all but one (perhaps avast!) of your choosing. These may always be downloaded again in the future, however it is your preference as to which title you keep. If you are unsure of how to do this, let me know.

Step 1:

OTS

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Modified Within 30 Days]
NY -> DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Users\Grizzle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
NY -> ezsidmv.dat -> C:\ProgramData\ezsidmv.dat
[Files - No Company Name]
NY -> ezsidmv.dat -> C:\ProgramData\ezsidmv.dat

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.


Step 2:

Online Scan

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
• Click Start
• When asked, allow the ActiveX control to install
• Click Start
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
• Click Scan (This scan can take several hours, so please be patient)
• Once the scan is completed, you may close the window
• Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
• Copy and paste that log as a reply to this topic

Step 3:

Reply

Things I need to see in your reply:

• OTS log
• ESET log
• How is your computer running?

Thanks!

Elster

[Griizzle]

Hi Elster,

Here's the OTS log, I thought I'd post it instead of attaching it as its so small:

[Files/Folders - Modified Within 30 Days]
C:\Users\Grizzle\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini moved successfully.
C:\ProgramData\ezsidmv.dat moved successfully.
[Files - No Company Name]
File C:\ProgramData\ezsidmv.dat not found!
File not found!
< End of fix log >
OTS by OldTimer - Version 3.1.19.3 fix logfile created on 01242010_184156

I'm just about to run the online scan so I'll edit this post when it is complete.


EDIT 1: As soon as I clicked on the link for the ESET online scanner, my laptop restarted itself. It did this twice in a row, so I went through my programs list and deleted quite a lot of things I didn't want or need, including all the antivirus programs I could find. I restarted the laptop and it seems to be running okay; the ESET scan is currently running so I'll post the log when it has finished.

One quick question... Is it advisable to remove Windows Defender if I have Avast! installed on my laptop? If so, how do I go about doing this? And for whatever reason in the future, how do I stop Avast! from running? I right click the small Avast! symbol in the system tray in the bottom left of the screen but the only thing I can do is set it to silent/gaming mode...


EDIT 2: The log is really small... the scan deleted 2 files and the only file saved as log.txt is this:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

I'll redo the scan and see what comes up.


EDIT 3: I've redone the scan and nothing came up and the log was exactly the same. However, after about 30 minutes of browsing the internet, my laptop went to a blue screen and restarted itself YET again! Could this be simply due to a blocked fan? My laptop seemed to be very hot. I've hoovered the ventilation parts on the outside of the laptop to try and dislodge any dust there may be. Is there anything else I can do to clean it if that is the case?

Edited by Griizzle, 25 January 2010 - 12:56 PM.

[Elliot]

Hello, Tom!

You may still be infected with a rootkit, so let's check this way.

Download RootRepeal from one of the following locations and save it to your desktop:Link 1
Link 2
Link 3

• Double click to start the program
• Click on the Report tab at the bottom of the program window
• Click the button
• In the Select Scan dialog, check:
  • Drivers
  • Files
  • Processes
  • SSDT
  • Stealth Objects
  • Hidden Services
  • Shadow SSDT
• Click the OK button
• In the next dialog, select all drives showing
• Click OK to start the scan
  

  Note: The scan can take some time. DO NOT run any other programs while the scan is running

• When the scan is complete, click the button and save the report to your Desktop as RootRepeal.txt
• Go to File, then Exit to close the program

If the report is not too long, post the contents of RootRepeal.txt in your next reply. If the report is very long, it will not be complete if you post it, so please attach it to your reply instead.

To attach a file, do the following:

• Click Add Reply
• Under the reply panel is the Attachments Panel
• Browse for the attachment file you want to upload, then click the green Upload button
• Once it has uploaded, click the Manage Current Attachments drop down box
• Click on to insert the attachment into your post

Thanks!

Elster

[Griizzle]

Hi Elster,

I've scanned with the rootkit program and I'm now attaching the log.

Cheers,
Tom

 RootRepeal_report_01_28_10__17_52_19_.txt   85.02KB   145 downloads

[Elliot]

Hi Tom!

It appears there has been an issue with the newly released version of avast! causing some blue screen errors on some computers. Try this update and let me know if that corrects the issue you are having.

Thanks!

Elster

[Griizzle]

I've clicked on the link a few times and it isn't working properly!

Does it matter that my laptop was bluescreening before I installed avast?

[Elliot]

Hi Tom!

I am sorry. I'm out of town this weekend and really don't have internet access other than on my phone. I will be back either late Monday or sometime on Tuesday. If you are in need of assistance before then, please let me know and I will have someone help you.

Thanks!

Elster

[Griizzle]

Hi Elster,

No worries, I've literally only just had time to look on the forums after a busy weekend myself! The link still isn't working for me for some reason. Whenever you have time to reply that's fine by me; no rush!

Cheers again.

[Elliot]

Hi Tom!

Thanks again for your patience.

Apparently that link expired as they have added it to the update. You should be able to open avast! and select update program (I don't use this program at this time, so if you need better directions let me know).

Thanks!

Elster

[Griizzle]

Hi Elster,

You don't need to thank me for my patience, I need to thank you for all the help you have given me!

Avast! seems to have updated itself, but I clicked on update program just in case.

My computer seems to be running alot better now. Before it was taking the best part of 5 minutes for the computer to turn on and load properly, and now it takes about a minute! And the blue screening seems to have stopped (fingers crossed!)

Many thanks again for all of your help! it has been very, very much appreciated!

Tom