serious trojan infection [RESOLVED]


  • This topic is locked

#1 claw05 (New Member, 8 posts)
Hi there

I'm new in this forum. I'm not an expert, but I've had some previous experience in cleaning up infected computers.

I've had a massive invasion of trojan(s) that are driving me crazy. I've run all the suggested software (Ad-Aware, Spybot S&D, CWShredder, ewido, etc.). These have found several instances of trojans and other problems that presumably were fixed. However, when I restart the computer my antivirus (AVG) still finds a couple of trojans (Collected.5.L, Backdoor, etc.). If I'm offline, there are attempts to start the ADSL connection. ProcessGuard informs me that attempts to modify several files have been blocked. After a few minutes, there is a message saying that there will be a system shutdown in 50 seconds. Today I ran all the programs again and two files called pokapoka61.ex and pokapoka62.exe were found as possible trojans. I just deleted them, rebooted, and again Collected.5.L was found.

I ran HijackThis in safe mode, and it came out with the log report that I paste below. My laptop's configuration is:

xp home
dell inspiron 8100
pentium III
1.2 ghz
512ram

(of course, I'm now using another computer)

I'll appreciate any help / suggestions / comments


cheers

claw


Logfile of HijackThis v1.99.1
Scan saved at 14:55:46, on 05/08/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell...gen/default.htm
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SO5 Integrator Pass Two] C:\WINDOWS\SOINTGR.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [tblfunc] tblmouse.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe /waitservice
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [System Service] nvidia.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\RunServices: [System Service] nvidia.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NetHelp.lnk = C:\Program Files\BTopenworld NetHelp\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Browser Adjustment - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\PROGRA~1\Agnitum\OUTPOS~1.0\Plugins\BrowserBar\ie_bar.dll (file missing)
O9 - Extra button: BT Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: BT &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\EROProj.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120997994772
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = surrey.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = surrey.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{3D007855-D2B3-4F1C-BC67-A1B45D0DB62D}: NameServer = 131.227.102.6,131.227.100.12
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBCA15A7-2F8E-4DB0-A19E-0CCD249DBB4E}: NameServer = 131.227.102.6,131.227.100.12,131.227.50.19
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = surrey.ac.uk
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum - C:\PROGRA~1\Agnitum\OUTPOS~1.0\outpost.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\system32\Wt32exe.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi claw05, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

  • We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time. DO NOT UPGRADE TO SP2 AT THIS TIME.

  • Click HERE for the update.

  • Apply the update, reboot, and post a fresh HijackThis log.


Trevuren
#3 claw05 (New Member, Topic Starter, 8 posts)
Hi Trevuren

Thanks for your suggestion. I downloaded the update and tried to install it but there was a request to connect to a MS site. As I was in safe mode, I couldn't open the connection. I tried the same after normal booting, and the installation program is blocked by (I presume) one of the trojans. I tried this several times, to no avail. I'm in a kind of catch 22 situation.

A couple of questions: 1. Is there a way of connecting my ADSL modem when the computer is in safe mode? 2. Is there a way of blocking all unwanted processes in order to run the SP1a update?

Finally: could I try doing some clean-up without installing the update, and install it as soon as there is a possibility?
Cheers

claw
#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
  • Please go here: http://www.howtotell.com (Microsoft website) using Internet Explorer (not Firefox or any other browser, as they won't work)
  • Click on "Windows Validation Assistant"
  • Click on the "Validate Now" button.
  • Be patient while the ActiveX loads, do not click on any links.
  • Read the instructions on this page while it's loading. You will be prompted to install - click YES.
  • Enter your product key then click "continue"
  • When it says "Validation Complete" please click "Continue to return to your previous activity"
  • Copy what it says and paste it here


Trevuren
#5 claw05 (New Member, Topic Starter, 8 posts)
Hi Trevuren

Thanks for your posting. I did what you suggested, and, after a failed attempt (system closed down due to lsass.exe - error code 128), I could do the validation process. When I clicked "Continue to return to your previous activity" I got a window saying "LSASS.exe application error. The instruction at "0x77f537fe" referenced memory at 0x909006e3. The memory could not be "read". Click OK to terminate the program." I clicked OK and there was another window "The system is shutting down. Error code 128" and that was it.

I thought that maybe after validation I would be able to install SP1a, but it wouldn't run either.

Furthermore, AVG keeps finding Collected.5.L, and after opening IE for the validation, the pokapoka62.exe (which I had deleted earlier) appeared again.

I'm sorry, but I don't know how to proceed

cheers

claudio
#6 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to Start > Control Panel > Folder Options > View (tab)
    • Choose to "show hidden files and folders"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with OK
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.client...arch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
    O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
    O4 - HKLM\..\Run: [MediaXPServicePack] mxpsp.exe
    O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
    O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
    O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
    O4 - HKLM\..\RunServices: [System Service] nvidia.exe



  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode
    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer and, when required, the Windows Search Function, locate the following files/folders, and DELETE them (if they are present):

    systeminfos.exe
    mxpsp.exe
    C:\WINDOWS\System32\msmc.exe
    nvidia.exe

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren
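The log claw05 posted in #1 and the entries Trevuren singled out in #6 share a pattern that can be checked mechanically: autorun values whose command is a bare filename with no path, the same image registered under both Run and the Windows 9x-era RunServices key (which Windows XP never processes, so no legitimate XP installer writes there), and Internet Explorer search settings pointing at a host the owner does not recognise. The Python script below is an added example, not code from the thread or from HijackThis: it parses R0/R1 and O4 lines, applies those checks, and prints why each line was flagged, so it generalises the manual triage in #6 to any HijackThis-style log. The sample log is constructed from lines quoted in the thread (the forum software truncated the URLs to "...", which is why hosts are compared by prefix); the expected-host prefix www.euro.dell and the analyst watchlist containing msmc.exe are assumptions standing in for what the helper knew from the AV reports.

```python
"""Triage a HijackThis-style log for autorun and IE-setting entries worth a second look.

Added example: not HijackThis code and not something posted in the thread.
The heuristics, the expected-host prefixes and the analyst watchlist are
this example's own assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Windows XP does not process these Windows 9x-era keys, so a legitimate XP
# installer has no reason to write there; malware writes to every key it knows.
LEGACY_RUN_KEYS = {"RunServices", "RunServicesOnce"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
R_RE = re.compile(r"^R[01] - (?P<hive>HK\w+)\\(?P<path>[^,]+),(?P<setting>[^=]+) = (?P<url>\S+)$")
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.(?:exe|dll|com|scr|bat|cmd))"?(?:[\s,]|$)', re.IGNORECASE)

# Constructed sample: lines copied from the log in post #1. The forum software
# shortened the URLs to "...", which is why hosts are compared by prefix below.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell...gen/default.htm
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [System Service] nvidia.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [MediaXPServicePack] mxpsp.exe
O4 - HKLM\..\RunServices: [System Service] nvidia.exe
"""


@dataclass
class Finding:
    line: str
    reasons: list


def image_of(cmd: str) -> str:
    """Return the file an O4 command really launches (for rundll32, the DLL it loads)."""
    cmd = cmd.strip()
    m = IMAGE_RE.match(cmd)
    if not m:
        return cmd
    image = m.group("image")
    rest = cmd[m.end():]
    if image.lower().endswith("rundll32.exe") and rest:
        return image_of(rest)
    return image


def basename(image: str) -> str:
    """Lower-cased file name without its directory, for comparing entries."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(log_text, expected_hosts=(), review_names=frozenset()):
    """Return a Finding for every R0/R1 or O4 line that trips at least one check."""
    findings, autoruns, keys_by_image = [], [], {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            image = image_of(m["cmd"])
            keys_by_image.setdefault(basename(image), set()).add(m["key"])
            autoruns.append((line, m["key"], image))
            continue
        m = R_RE.match(line)
        if m:
            host = urlparse(m["url"]).netloc.lower()
            if not any(host.startswith(ok) for ok in expected_hosts):
                findings.append(Finding(line, [f"{m['setting'].strip()} points at unexpected host {host}"]))
    for line, key, image in autoruns:
        base, reasons = basename(image), []
        if key in LEGACY_RUN_KEYS:
            reasons.append(f"{key} is a Win9x key that XP ignores; nothing legitimate installs there")
        if "\\" not in image and "/" not in image:
            reasons.append("bare filename, no path: which file runs depends on the search order")
        if len(keys_by_image[base]) > 1:
            reasons.append("same image registered under " + ", ".join(sorted(keys_by_image[base])))
        if base in review_names:
            reasons.append("on the analyst watchlist (reported by AV or a helper)")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_hosts=("www.euro.dell",), review_names={"msmc.exe"}):
        print(f.line)
        for reason in f.reasons:
            print("    -", reason)
```

Run as-is it reports the six O4 lines and the Search Bar line that Trevuren listed in #6, each with the reason it tripped; a bare-filename hit on its own (nwiz.exe in the original log, for instance) is only a prompt to check the file, not a verdict, which is why the output carries the reasons rather than a single flag.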

#7 claw05 (New Member, Topic Starter, 8 posts)
Hi Trevuren

I tried to do as you said. No problem unhiding the files and extensions, but when I try to run HJT it says that Windows has no privileges (or no authorization) to perform this action, and it won't run. From your message, I understood I had to do it with normal booting, but I wonder whether I was supposed to do it in safe mode.

cheers

claudio
#8 Trevuren (Old Dog, Retired Staff, 18,699 posts)
HijackThis is run in Normal Mode


Please provide me with a Copy/Paste of the exact error message you are getting.



Trevuren

Edited by Trevuren, 06 August 2005 - 12:47 PM.

#9 claw05 (New Member, Topic Starter, 8 posts)
Hi

I copied the message appearing in the box: Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I tried running HJT again, but it wouldn't even give me the message. The taskmanager indicates that HJT is running. I tried to end the process but nothing happened.

When I rebooted and tried to run HJT again, I didn't even get the error message.

Just in case: I am logged in as administrator (I don't know if this is relevant).

cheers

claw
#10 Trevuren (Old Dog, Retired Staff, 18,699 posts)
We will have to see if we can repair Windows. It is our only chance left.

1. Please go to Start -> Run -> type cmd and press Enter.

2. At the command prompt type sfc /scannow, making sure to put a space between the "c" and the slash, and then press Enter. This will run the System File Checker.

3. Follow the prompts, and insert your Windows installation CD if requested.

4. Then please REBOOT your computer.


Regards,

Trevuren

#11 claw05 (New Member, Topic Starter, 8 posts)
Hi Trevuren

Sorry for the delay in coming back to you. I tried what you suggested and I got a message saying "Windows File Protection could not initiate a scan of protected files. The specific error code is 0x000006ba [The RPC server is unavailable]". This was under safe mode booting. If I tried normal mode, all I got was a message saying "Access is denied".

Cheers

claudio
#12 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Try this:

Boot into the Recovery Console by following these steps:
  • Insert the Windows CD and restart your computer. Follow your computer's prompts to boot from the CD. (You might need to adjust settings in the computer's BIOS to enable the option to boot from a CD.)
  • Follow the setup prompts to load the basic Windows startup files. At the Welcome To Setup screen press R to start the Recovery Console.
  • Enter the number of the Windows installation you want to access from the Recovery Console.
  • When prompted, type the Administrator password. If you're using the Recovery Console on a system running Windows XP Home Edition, this password is blank by default, so just press Enter.


Trevuren
#13 claw05 (New Member, Topic Starter, 8 posts)
Hi Trevuren

It's me again. I did what you said, and when I enter the default password (blank) it says that the password is invalid. I'm sure there's no other password: the notebook came with Windows XP Home preinstalled.

Is there any other way of getting rid of this, or shall I try a complete reinstallation? (I have the reinstallation disks with me.)

cheers

claw
#14 Trevuren (Old Dog, Retired Staff, 18,699 posts)
I am currently at a loss for an answer. The ultimate decision is yours.


Trevuren
#15 claw05 (New Member, Topic Starter, 8 posts)
Hi Trevuren

Thanks for your help. What shall I do after reinstallation? I understand installing SP2 is absolutely necessary. I have AVG, AdAware, SpyBot and Outpost Firewall, plus some other tools I installed following the comments in this forum. Any other piece of advice?

cheers

claw