Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Removal of Win32:Trojan-gen.{UPX!} [Resolved]

Started by djw49 , Apr 01 2007 01:48 AM

  • This topic is locked This topic is locked

#46
kahdah
Posted 01 May 2007 - 03:04 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts 
Thanks again, kahdah, for trawling through all this.
No problem glad to help. :whistling:
Thank you for sticking with it.

Transfer these tools tp the infected machine through a flash drive or a cd


Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Type in these words in the lines listed:
    kprof
    ntldr
    poof
    SYSLIB
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
After that please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\dkhjdlsim.dll
    C:\WINDOWS\system32\i.dll
    C:\WINDOWS\system32\ebtalpq.dll
    C:\WINDOWS\system32\__c00C34FA.dat
    C:\WINDOWS\system32\aswboot.exe
    C:\cp1041.nls
    C:\WINDOWS\system32\tick48.bin

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
    Click "Exit" to close OTMoveIt.

    **When ready to Reply on the forum, please Paste the content of the latest log which is located at the root of the drive where OTMoveIt is installed, usually at :
    C:\_OTMoveIt\MovedFiles\********_******.log
    (where "********_******" is the "date_time")
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
========================================================================
After reboot Download haxfix.exe
and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.
After that please post back with these logs:
Haxfix log
New Hijackthis log
Ot move it log
Reg Search log
  • 0

Advertisements

#47
djw49
Posted 01 May 2007 - 04:40 AM

djw49

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Thanks kahdah. I'm happy to stick with it as long as you are. Logs below. Incidentally, as I was reading your instructions on my laptop, the CPU on my PC went into a period of prolonged activity and the internet connection opened. So I'm sending this from the PC.

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.4.2

; Results at 07-05-01 17:25:24 for strings:
; 'kprof'
; 'ntldr'
; 'poof'
; 'syslib'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS
; End Of The Log...


DllUnregisterServer procedure not found in C:\WINDOWS\system32\dkhjdlsim.dll
C:\WINDOWS\system32\dkhjdlsim.dll NOT unregistered.
C:\WINDOWS\system32\dkhjdlsim.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\i.dll
C:\WINDOWS\system32\i.dll NOT unregistered.
C:\WINDOWS\system32\i.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ebtalpq.dll
C:\WINDOWS\system32\ebtalpq.dll NOT unregistered.
C:\WINDOWS\system32\ebtalpq.dll moved successfully.
C:\WINDOWS\system32\__c00C34FA.dat moved successfully.
C:\WINDOWS\system32\aswboot.exe moved successfully.
File/Folder C:\cp1041.nls not found.
C:\WINDOWS\system32\tick48.bin moved successfully.
File/Folder not found.
File/Folder not found.

Created on 05-01-2007 17:30:02

HAXFIX logfile - by Marckie

version 4.39
07-05-01 17:34:17.93

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---


checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected
Finished!

Logfile of HijackThis v1.99.1
Scan saved at 17:36, on 07-05-01
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\System32\DllHost.exe
E:\Setup\hpzwrp01.exe
E:\drivers\dot4\wrapper\Wrapper.exe
E:\drivers\dot4\wrapper\Setup.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\TEMP\_ISTMP1.DIR\_INS5576._MP
E:\drivers\dot4\wrapper\_ISDEL.EXE
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Hijackthis\Fixit.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Hotmail Spam Filter - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - C:\Program Files\GIANT Company Software\Spam Inspector\siClientUIHotmail.dll
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\BP Go!Zilla v4.1\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\IOMEGAACCESS.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe
  • 0

#48
djw49
Posted 01 May 2007 - 05:38 AM

djw49

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Oh, I've also successfully just installed the updated version of Java. Things are looking pretty good
  • 0

#49
kahdah
Posted 02 May 2007 - 02:43 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello djw49 :whistling:

Looks better.
We will try another online scanner.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction Here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
Please post back with a new Hijackthis log and the F-secure log in your next reply.
  • 0

#50
djw49
Posted 02 May 2007 - 07:50 AM

djw49

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
F-Secure found 3 infections. Further incremental progress. :whistling:

Scanning Report
Wednesday, May 02, 2007 20:07:57 - 20:44:29
Computer name: DW
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 3 malware found
SpamTool.Win32.Agent.u (virus)
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\EBTALPQ.DLL (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
Trojan.Win32.Agent.afg (virus)
C:\_OTMOVEIT\MOVEDFILES\WINDOWS\SYSTEM32\I.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 29662
System: 4305
Not scanned: 2
Actions:
Disinfected: 1
Renamed: 1
Deleted: 0
None: 1
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Logfile of HijackThis v1.99.1
Scan saved at 20:47, on 07-05-02
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\DllHost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Hijackthis\Fixit.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Hotmail Spam Filter - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - C:\Program Files\GIANT Company Software\Spam Inspector\siClientUIHotmail.dll
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\BP Go!Zilla v4.1\download-with-gozilla.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\IOMEGAACCESS.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe
  • 0

#51
kahdah
Posted 03 May 2007 - 04:10 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Much better :whistling:
  • Please open Hijackthis and place a mark beside this entry:

    O8 - Extra context menu item: Download with Go!Zilla - file://C:\Program Files\BP Go!Zilla v4.1\download-with-gozilla.html

  • Click FixChecked and then close Hijackthis.
Please also delete C:\OT Move-it folder and C:\Program Files\BP Go!Zilla v4.1 folder. (Right click and go to Explore).
And also any other tools or programs that I had you download.

Then please empty your recycle bin.
After that please post back with another Hijackthis log.
Also let me know of any problems.
  • 0

#52
djw49
Posted 03 May 2007 - 05:09 AM

djw49

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Done. The system seems to run pretty smoothly. :whistling:

Is it now clean? If so, then I guess the last question is how do I keep it that way?

Logfile of HijackThis v1.99.1
Scan saved at 17:47, on 07-05-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siMailProxyServer.exe
C:\Program Files\GIANT Company Software\Spam Inspector\siSpamFilterEngine.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\DllHost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ufdsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\Fixit.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Hotmail Spam Filter - {58A83E4F-477A-4A3F-BF9B-B65BC2BD5598} - C:\Program Files\GIANT Company Software\Spam Inspector\siClientUIHotmail.dll
O4 - HKLM\..\Run: [siService.exe] "C:\Program Files\GIANT Company Software\Spam Inspector\siService.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CommCtr] C:\PROGRA~1\NET2PH~1\CommCtr.exe -auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: LUMIX Simple Viewer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IomegaAccess - Unknown owner - C:\Program Files\Iomega\Tools_NT\IOMEGAACCESS.EXE (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: UFD Command Service (UFDSVC) - Generic - C:\WINDOWS\system32\ufdsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Unknown owner - C:\WINDOWS\System32\ZipToA.exe
  • 0

#53
kahdah
Posted 04 May 2007 - 03:02 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello djw49

Great job your log is clean :whistling:

Please clean your restore points again.
To do this:
Go to Start then Right click on My computer then click on Properties>System Restore tab at the top.
Then click Turn off system restore on all drives then click Apply then ok.
**Reboot your system then Go to Start then Right click on My computer then click on Properties>System Restore tab at the top.
Then click Turn on system restore on all drives then click Apply then ok.

After that I Highly recommend that you update to service pack 2 as you are wide open to some really bad infections.
Here is the link for the download>Service Pack 2

After that You are all set.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
  • SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  • SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  • IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein
  • 0

#54
djw49
Posted 04 May 2007 - 03:55 AM

djw49

    Member

  • Topic Starter
  • Member
  • PipPip
  • 31 posts
Kahdah,

Thank you so much for your professionalism and persistence. I have learned so much working with you. It intrigued me, because it was like you were right here working on the system. I'm not sure if this was a particularly difficult infection to remove, or par for the course. Either way, your time and expertise are greatly appreciated.

Best regards,
David
  • 0

#55
kahdah
Posted 06 May 2007 - 05:55 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Thank you and you are quite welcome.
This infection was a little stubborn but it decided to give up.
If you should run into trouble again then you know where to find us.

Until then - Matthew :whistling:
  • 0

Advertisements

#56
kahdah
Posted 04 September 2007 - 07:00 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Edited by kahdah, 04 September 2007 - 07:02 PM.

  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP