[DArtaMJAN]

Hello!

I've done all scans with all programs you've suggested and now I'm sending you HijackThis log. For now Avast didn't find trojan "rdriv" but I'd rather take some advice from expert. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 14:36:26, on 17.8.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\netinfo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\hxtkdk.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\DArtaMJAN\Desktop\HijackThis.exe

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Network Security] secsvc.exe
O4 - HKLM\..\Run: [Microsoft Bin] msbin.exe
O4 - HKLM\..\Run: [Winddows Servicer] servicer.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [upmceq] C:\WINDOWS\System32\hxtkdk.exe r
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftx U] winupdatexp.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Network Security] secsvc.exe
O4 - HKLM\..\RunServices: [Micromedia Flashin Update] explore.exe
O4 - HKLM\..\RunServices: [Microsoft Bin] msbin.exe
O4 - HKLM\..\RunServices: [Winddows Servicer] servicer.exe
O4 - HKCU\..\Run: [Microsoft Bin] msbin.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service] winsN2S.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: lsa driver service (lsaDriver) - Unknown owner - C:\WINDOWS\lsa.exe (file missing)
O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
O23 - Service: Personal Document Firewall (PDFW) - Unknown owner - C:\WINDOWS\pdf.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: System Messenger Service (WINSMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)

[Advertisements]

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip

• Unzip it to your desktop.

* Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen
• You will need to update ewido to the latest definition files.
• On the left hand side of the main screen click update
• Click on Start
• The update will start and a progress bar will show the updates being installed
• After the updates are installed exit Ewido.

* CleanUp!

• Install it.

* Killbox by Option^Explicit

• Save it to your desktop.

* Nailfix Utility

• Save it to your desktop. DO NOT run it yet.

* APT

• Unzip the contents to a new folder on your desktop.

• Open the folder you just created and click on apt.exe and search in the window for upmceq.
• Open your C:\Windows\system32 folder and search for hxtkdk.exe.
  Don't delete it yet, just leave the system32 folder open so you can see the bad file.
• In APT again, Select upmceq and Click Kill3
  
• Then immediately delete hxtkdk.exe from your system32 folder.

Close APT.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

2.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

3.) Double-click the Ewido Security Suite icon to run the program.

• Click on scanner
• Click Complete System Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop
• Exit Ewido

4.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

5.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Network Security] secsvc.exe
O4 - HKLM\..\Run: [Microsoft Bin] msbin.exe
O4 - HKLM\..\Run: [Winddows Servicer] servicer.exe
O4 - HKLM\..\Run: [upmceq] C:\WINDOWS\System32\hxtkdk.exe r
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftx U] winupdatexp.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Network Security] secsvc.exe
O4 - HKLM\..\RunServices: [Micromedia Flashin Update] explore.exe
O4 - HKLM\..\RunServices: [Microsoft Bin] msbin.exe
O4 - HKLM\..\RunServices: [Winddows Servicer] servicer.exe
O4 - HKCU\..\Run: [Microsoft Bin] msbin.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service] winsN2S.exe
O23 - Service: lsa driver service (lsaDriver) - Unknown owner - C:\WINDOWS\lsa.exe (file missing)
O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
O23 - Service: Personal Document Firewall (PDFW) - Unknown owner - C:\WINDOWS\pdf.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: System Messenger Service (WINSMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

6.) Run Killbox.exe.

• Select "Delete on Reboot".
• Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
  
  C:\WINDOWS\msupdate24.exe
  C:\WINDOWS\netinfo.exe
  C:\WINDOWS\smsc.exe
  C:\WINDOWS\pdf.exe
  C:\WINDOWS\lsa.exe
  
  
• Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
• Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:

7.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

8.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

[didom]

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip

• Unzip it to your desktop.

* Ewido Security Suite

• Install ewido security suite
• Launch ewido, there should be a big E icon on your desktop, double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen
• You will need to update ewido to the latest definition files.
• On the left hand side of the main screen click update
• Click on Start
• The update will start and a progress bar will show the updates being installed
• After the updates are installed exit Ewido.

* CleanUp!

• Install it.

* Killbox by Option^Explicit

• Save it to your desktop.

* Nailfix Utility

• Save it to your desktop. DO NOT run it yet.

* APT

• Unzip the contents to a new folder on your desktop.

• Open the folder you just created and click on apt.exe and search in the window for upmceq.
• Open your C:\Windows\system32 folder and search for hxtkdk.exe.
  Don't delete it yet, just leave the system32 folder open so you can see the bad file.
• In APT again, Select upmceq and Click Kill3
  
• Then immediately delete hxtkdk.exe from your system32 folder.

Close APT.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

2.) Please double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

3.) Double-click the Ewido Security Suite icon to run the program.

• Click on scanner
• Click Complete System Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop
• Exit Ewido

4.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

• Empty Recycle Bins
• Delete Cookies
• Delete Prefetch files
• Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

5.) After Cleanup! is finished, run HijackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\Run: [Network Security] secsvc.exe
O4 - HKLM\..\Run: [Microsoft Bin] msbin.exe
O4 - HKLM\..\Run: [Winddows Servicer] servicer.exe
O4 - HKLM\..\Run: [upmceq] C:\WINDOWS\System32\hxtkdk.exe r
O4 - HKLM\..\RunServices: [Win32 NT Adv Services] taskmngr.exe
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftx U] winupdatexp.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] soff.pif
O4 - HKLM\..\RunServices: [Network Security] secsvc.exe
O4 - HKLM\..\RunServices: [Micromedia Flashin Update] explore.exe
O4 - HKLM\..\RunServices: [Microsoft Bin] msbin.exe
O4 - HKLM\..\RunServices: [Winddows Servicer] servicer.exe
O4 - HKCU\..\Run: [Microsoft Bin] msbin.exe
O4 - HKCU\..\RunServices: [Windows NetStart Service] winsN2S.exe
O23 - Service: lsa driver service (lsaDriver) - Unknown owner - C:\WINDOWS\lsa.exe (file missing)
O23 - Service: MSUpdate (Microsoft Update Service for 2005) - Unknown owner - C:\WINDOWS\msupdate24.exe (file missing)
O23 - Service: netinfo - Unknown owner - C:\WINDOWS\netinfo.exe
O23 - Service: Personal Document Firewall (PDFW) - Unknown owner - C:\WINDOWS\pdf.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: System Messenger Service (WINSMSC) - Unknown owner - C:\WINDOWS\smsc.exe (file missing)

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

6.) Run Killbox.exe.

• Select "Delete on Reboot".
• Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:
  
  C:\WINDOWS\msupdate24.exe
  C:\WINDOWS\netinfo.exe
  C:\WINDOWS\smsc.exe
  C:\WINDOWS\pdf.exe
  C:\WINDOWS\lsa.exe
  
  
• Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
• Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt. If your computer does not restart automatically, please restart it manually.

After computer has restarted continue with the rest of the instructions:

7.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

8.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

[didom]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.