[Flugfarfar]

Hi! Today when I made a search with Ad- Aware, this came up:


Even if I delete it, it just comes new on the next scan. I have'nt really noticed anything that has happend yet, but i've heard that this is a really nasty worm.

Here is my HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 01:59:36, on 2005-09-11
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program\Java\jre1.5.0_04\bin\jusched.exe
C:\Program\winupdates\winupdates.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Ad-Aware\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\Daemon Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [winupdates] C:\Program\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program\Trend Micro\PC-cillin 2002\Tmntsrv.exe

How do I remove it?

*EDIT*

And I can't press Ctrl + Alt + Delete! Nothing happends!

Edited by Flugfarfar, 10 September 2005 - 06:12 PM.

[Advertisements]

Anyone? Please? I can really tell that the system is slower and problematic, and of course the worst part, that I can't press Ctrl + Alt + Delete.

[Flugfarfar]

Anyone? Please? I can really tell that the system is slower and problematic, and of course the worst part, that I can't press Ctrl + Alt + Delete.

[Flugfarfar]

Isn't there anyone who can help? I'm desperate!

[Metallica]

Download Brute Force Uninstaller.
Unzip it to it’s own folder (c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover. Save it in the folder you made earlier (c:\BFU)

Start the Brute Force Uninstaller by doubleclicking BFU.exe

In the scriptline to execute copy and paste c:\bfu\p2pnetwork.bfu
Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: CInterfaceObj Object - {58F07DD3-924D-4141-BC74-299F523A95F1} - C:\WINDOWS\pxwma.dll
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)

O4 - HKLM\..\Run: [winupdates] C:\Program\winupdates\winupdates.exe /auto

Reboot into safe mode and delete:
C:\Program\winupdates <= entire folder
Then reboot back to normal and let me know if this solved your problem.
You may have to rerun my script if CTRL_ALT_DEL is not working yet.
Note that there should be a progress bar when the script is executed by BFU

Regards,

[Flugfarfar]

Hi, since it took so long to get an answer, I downloaded ewido and made a full system search. It seems like ewido found the winupdates- folder and deleted it, cause it weren't in hijack this. Ctrl + Alt + Del is now working, but the computer seems still a bit problematic. Is everything okay?

Logfile of HijackThis v1.99.1
Scan saved at 22:13:30, on 2005-09-11
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\Program\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\sllights.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ASUS Probe] "C:\Program Files\ASUS\Probe\AsusProb.exe"
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program\Daemon Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{69CAD196-32D8-4F6F-92B3-C52D14B502B5}: NameServer = 195.67.199.27 195.67.199.28
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\Ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SmartLinkService (SLService) -  - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program\Trend Micro\PC-cillin 2002\Tmntsrv.exe

[Metallica]

Apart from the fact that you are two ServicePacks behind, the log looks good.

If you have any problems left after installing SP2 let me know.

Please do have a look at my site about removing and preventing spyware.

Regards,

[Flugfarfar]

Acctually, I still have the [bleep] left!
The computer is a bit problematic, and I have noticed that when I right- click on Movie- files, for a little moment, the screen is all blue, and then it comes back and the right- click- menu comes up. But I still find the worm when I do a Ad- Aware scan!

[Metallica]

Can you copy the AdAware log in here?

[Flugfarfar]

Actually, I don't find the virus any longer! Thanks! But when I right- click on moviefiles such as *.wmv, the screen blinks blue for an instance
Well well, If something new happends, I'll be in touch! Thanks for the help!

[Metallica]

Could be due to a third party codec you have installed.

Check under Add/Remove Software if any are listed.

Or click start > run > cmd > OK
use this command:
assoc .wmv
Hit enter and post the answer that will appear.

Regards,