Avast WEBforum
Other => Viruses and worms => Topic started by: Paul14 on July 26, 2006, 10:52:53 AM
-
I have tried a few things and can't get rid of this virus. I have tried a few scanners and they all have different names for it (or them, I'm not really sure), but I got a HijackThis log file and would be grateful for some help. Thanks.
Logfile of HijackThis v1.99.1
Scan saved at 6:34:54 PM, on 26/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\paul\My Documents\hijackthis\hijackthis\HijackThis.exe
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl05a\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: MSCOMM32.EXE
O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153896615390
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Documents and Settings\bin\iPodService.exe
Any help would be great, thanks.
-
Can you relate some of the problems you are having?
Can you tell us what scans you have done, and who detected what and where it was located?
These are important questions. Scan again if you forgot or ignored the responses.
-
I have tried a few things and can't get rid of this virus
What have you tried ?
What virus ?
How was it detected, what detected it or what makes you think/suspect you have a virus, symptoms, etc. The more information you can give us the better.
Here is an on-line analysis of your log file http://hijackthis.de/logfiles/060bca3e8ae0f0b2e7d8aab7f5c58ea7.html
O4 - Global Startup: MSCOMM32.EXE is listed as unknown; what do you know about it?
A Google search for this indicates a trojan backdoor (MSCOMM32.EXE is Trojan/Backdoor BBQ, AKA TROJ_SMALL.BBQ), and considering you don't appear to have an active firewall present, you will be fighting an uphill battle to get clean. So you should tick it for Fix in HJT.
See Troj_Small.BBQ info (http://www.trendmicro.com.au/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&VName=TROJ_SMALL.BBQ)
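The reply above applies a few rules by eye: a startup entry with no path (MSCOMM32.EXE), a "(file missing)" entry, and a service living somewhere other than the Windows or Program Files tree. The script below is an added example, not part of the thread or of HijackThis, that runs those same rules over O4/O20/O23 lines. The sample lines are copied from the posted log, except the svchostw line, which is constructed from the path ewido later reported in this thread. The trusted roots and the lookalike list are assumptions for a single-drive XP layout; a hit means "review this", not "this is malware" (the bare-filename rule also trips on legitimate driver helpers such as SOUNDMAN.EXE).

```python
"""Added example, not part of the thread: first-pass triage of HijackThis
O4 / O20 / O23 lines using the rules the replies above apply by hand.
Sample lines are copied from the posted log, except the svchostw line,
which is constructed from the path ewido later reported. Trusted roots
and the lookalike list are assumptions for a single-drive XP layout."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MSCOMM32.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O4 - HKLM\..\Run: [svchostw] C:\WINDOWS\system\svchostw.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Documents and Settings\bin\iPodService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption: everything legitimate on this box lives under one of these roots.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Core Windows process names that malware likes to imitate (svchostw.exe, lsasss.exe ...).
CORE_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "explorer.exe"}


@dataclass
class Finding:
    line: str
    target: str
    reasons: list


def extract_target(line):
    """Return (path, file_missing) for the binary an HJT line points at, or None."""
    kind = line.split(" - ", 1)[0]
    if kind == "O4":
        m = (re.search(r"\] (.*)$", line)            # [Name] path args
             or re.search(r"= (.*)$", line)          # Startup: Foo.lnk = path
             or re.search(r"Startup: (.*)$", line))  # Startup: BARE.EXE
        rest = m.group(1) if m else None
    elif kind in ("O20", "O23"):
        rest = line.rsplit(" - ", 1)[1]              # last " - " field is the path
    else:
        return None
    if rest is None:
        return None
    missing = "(file missing)" in rest
    rest = rest.replace("(file missing)", "").strip()
    # Strip arguments: take a quoted path, else the first token ending in .exe/.dll.
    m = re.match(r'"([^"]+)"', rest)
    if not m:
        m = re.match(r'(.*?\.(?:exe|dll))(?:["\s]|$)', rest, re.IGNORECASE)
    return (m.group(1) if m else rest), missing


def triage(lines):
    """Apply the review rules to each line; only lines with at least one reason are returned."""
    findings = []
    for line in lines:
        line = line.strip()
        parsed = extract_target(line) if line else None
        if parsed is None:
            continue
        path, missing = parsed
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        reasons = []
        if missing:
            reasons.append("file missing: stale entry, safe to fix")
        if "\\" not in low:
            reasons.append("bare filename: location unknown, resolved via PATH at logon")
        elif not low.startswith(TRUSTED_ROOTS):
            reasons.append("outside Windows/Program Files")
        for core in CORE_NAMES:
            if name != core and name.startswith(core[:-4]):
                reasons.append(f"lookalike of system process {core}")
        if reasons:
            findings.append(Finding(line, path, reasons))
    return findings


def triage_sample():
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for f in triage_sample():
        print(f.target, "->", "; ".join(f.reasons))
```

Run on the sample, MSCOMM32.EXE, sm56hlpr.exe and SOUNDMAN.EXE come out as bare filenames to locate, WRLogonNTF.dll as a dead entry to fix, iPodService.exe as an odd location to verify, and svchostw.exe as a lookalike; ctfmon.exe, jusched.exe and ashServ.exe produce nothing.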
-
:) Hi Paul:
HijackThis logs are best analyzed by Experts on antiSPYWARE forums; however, since you do not appear to have an antispyware program (Ewido is antiTROJAN), I recommend the Experts at www.landzdown.com.
By the way, your Sun Java program is 4 Updates behind; therefore, it is a serious security risk. It should be uninstalled, then go to www.java.com & get their latest.
-
Yawn. Sending Paul to landzdown isn't going to answer the questions we have asked to try and help him. Also, what questions or advice have we offered Paul that is so wrong?
-
This is the problem MSCOMM32.EXE
See here http://www.greatis.com/appdata/d/m/mscomm32.exe_Removal.htm
-
That removal link isn't a removal tool but an invitation to buy RegRun. I don't like that tactic: give the person a headache (tell them what's wrong) and then sell them an aspirin.
-
Thanks for your help everyone. So far the infected file is C:\windows\system32\iedld.dll; avast says it is infected with Trojan.gen (other).
Some of the symptoms are that the computer doesn't like to open a lot of programs, it just crashes, freezes up a bit, and is pretty slow now too.
I have tried just about every free malware removal program I can find and used some of the online scanners. They found this virus and others, but I cannot remember the names of the viruses.
I ran another scan with HijackThis and I cannot find mscomm32.exe any more.
Once again, thanks very much for your help so far.
-
The latest is that the avast resident scanner is no longer working.
-
Try running a boot-time scan. Check your help files for how.
Move anything detected to the Chest, and post back if you have any problems.
Have you tried digging down to the system32 folder and deleting the DLL file manually?
You can scan the file with multiple scanners to get a broader opinion at http://virusscan.jotti.org/. Good luck.
-
The latest is that the avast resident scanner is no longer working.
What is the error message?
Why does avast stop working?
-
I have run the boot scan a few times and keep either deleting or moving it to the Chest, but it still comes back. I cannot find the file to delete it manually.
The avast message is "The AAVM subsystem detected a RPC error."
As you can probably tell, I'm not that clued up about this sort of stuff, so whatever you recommend doing, try to dumb it down a bit so I can understand. Thanks for your help.
-
I have run the boot scan a few times and keep either deleting or moving it to the Chest, but it still comes back. I cannot find the file to delete it manually.
Using the boot-time scanner should be enough.
Anyway, if a virus is recurrent (coming back again and again), you should, besides scheduling a boot-time scan with avast:
1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Clean your temporary files.
3) Use a-squared or ewido (trojan removers).
the avast msg is "The AAVM subsystem detected a RPC error."
Do you have any other antivirus in this computer?
-
I am not the administrator on the computer, but when I run Disk Cleanup, does it clean everyone's temp files or just mine? If so, how do I clean them? And where do I find a-squared? Thanks.
-
AAVM subsystem detected an RPC error: http://www.avast.com/eng/faq-other-questions.html#idt_1539
-
That removal link isn't a removal tool but an invitation to buy RegRun. I don't like that tactic: give the person a headache (tell them what's wrong) and then sell them an aspirin.
No that was just a link to describe the problem
-
That removal link isn't a removal tool but an invitation to buy RegRun. I don't like that tactic: give the person a headache (tell them what's wrong) and then sell them an aspirin.
No that was just a link to describe the problem
What I referred to was this 'greatis.com/appdata/d/m/mscomm32.exe_Removal.htm' it makes it look like a removal link when there is very little information about the problem:
Dangerous MSCOMM32.EXE - Dangerous
mscomm32.exe
MSCOMM32.EXE is Trojan/Backdoor BBQ.
Kill the process MSCOMM32.EXE and remove MSCOMM32.EXE from Windows startup using RegRun Reanimator.
So there is virtually no information, and it is really trying to get you to buy RegRun to resolve the problem.
-
Oops, wrong link. I was looking at 3 or 4 at the time. http://www.trendmicro.com.au/enterprise/vinfo/encyclopedia.php?LYstr=VMAINDATA&vNav=1&VName=TROJ_SMALL.BBQ was the one I meant to drop, sorry.
-
Which was the one I gave in reply #2, but with a meaningful name: Troj_Small.BBQ info. ;D
-
Hey guys, I got rid of the trojan, thanks everyone for your help, but now I'm having other issues. I tried to update Java as someone said, but it said the computer is running in Safe Mode when I had to download ActiveX components. I have also had the same error trying to update Windows: I got an error code and had a look round, and it also said the computer is running in Safe Mode. And avast still won't work; I'm getting the same error message.
Scanning with ewido now says I am infected with downloader.small.cjv in these files:
c:\w.exe
c:\windows\lb.exe
and also infected with backdoor.shbot.b in these files:
c:\windows\system\svchostw.exe
c:\windows\system\svchostw.dll
c:\windows\system\svchctrl.exe
c:\windows\system\regserv.exe
c:\windows\system\regserv.dll
What do I do with these files? Can I just delete them? I removed some of the last ones from startup with HijackThis. Thanks guys.
-
Hello, Paul14.
Open up the ewido program again.
- The program will prompt you to update; click the "OK" button.
- The program will now go to the main screen.
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen, click Update.
- Click on Start.
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
Now, open up HijackThis again, do a system scan only, and when it finishes, place a check before the following lines if present:
O4 - Global Startup: MSCOMM32.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
Then make sure ALL windows are closed except HijackThis and hit the "Fix checked" button.
You may want to print out the following instructions as you will not have internet access from Safe Mode:
Now, boot the computer into Safe Mode. Click here (http://www.bleepingcomputer.com/tutorials/tutorial61.html) for instructions on how to boot into Safe Mode.
In Safe Mode, navigate to C:\WINDOWS\System32 and delete the file named sistray.exe if present.
Now, click "Start", then click on "Search", then click "All files and folders". Then click "More advanced options". Place a check in the boxes by "Search system folders", "Search hidden files and folders", and by "Search subfolders". Now, in the top box, type in MSCOMM32.EXE and hit the "Search" button. Let it search the system and when it finds the file, right-click on that file only and then click "Delete". Then click "Yes" to confirm the file deletion.
Still in Safe Mode, open ewido again.
Note: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process.
- Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
- Ewido will now begin the scanning process. Be patient this may take a little time.
Once the scan is complete do the following:
- If you have any infections you will be prompted; choose to have ewido fix them, then select "Apply to all actions".
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your desktop.
- Close Ewido and reboot your system back into Normal Mode.
Run HijackThis again from Normal Mode now, and this time save a logfile and post it back here along with the ewido report that you saved. I need to see the entire ewido report.
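The Safe Mode steps in the post above (find sistray.exe and MSCOMM32.EXE wherever they sit, including hidden and system folders, and remove them) can be done from a script rather than through the Explorer search dialog. The block below is an added example, not from the thread or from any tool it mentions. It walks a root folder, and since os.walk pays no attention to the Hidden or System attributes, nothing is skipped the way Explorer's default search skips it. Each hit is hashed before it is moved, so the SHA-256 can be checked against a multi-scanner site such as the Jotti service mentioned earlier in the thread, and the file is quarantined rather than deleted so a false positive can be put back. The file names, quarantine folder and the temporary directory tree built by run_demo() are all constructed for the example; on a real machine you would pass C:\ as the root and, as the post says, run it from Safe Mode as an administrator, since a running backdoor keeps its own file open.

```python
"""Added example, not part of the thread: locate named files anywhere under
a root (hidden and system folders included), record their SHA-256 for a
multi-scanner lookup, and move them to a quarantine folder instead of
deleting. File names, folder names and the demo tree are constructed."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_files(root, names):
    """Case-insensitive search for the given file names under root.
    os.walk does not honour Hidden/System attributes, so nothing is skipped."""
    wanted = {n.lower() for n in names}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower() in wanted:
                hits.append(Path(dirpath) / fn)
    return hits


def quarantine(root, names, qdir):
    """Move every hit into qdir under a hash-prefixed name and log it to a manifest.
    Returns a list of (original_path, sha256, quarantined_path)."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    records = []
    # Hits inside the quarantine folder itself are skipped so a second run does not re-move them.
    for hit in (h for h in find_files(root, names) if qdir not in h.parents):
        digest = sha256_of(hit)
        dest = qdir / f"{digest}_{hit.name}"
        shutil.move(str(hit), str(dest))  # move, not delete: restorable if it was a false positive
        with (qdir / "manifest.txt").open("a", encoding="utf-8") as m:
            m.write(f"{digest}  {hit}\n")
        records.append((str(hit), digest, str(dest)))
    return records


def run_demo():
    """Build a constructed XP-style tree in a temp dir and quarantine the two
    names from the post, leaving a legitimate decoy (ctfmon.exe) untouched."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        sys32 = base / "WINDOWS" / "system32"
        startup = base / "Documents and Settings" / "All Users" / "Start Menu" / "Programs" / "Startup"
        sys32.mkdir(parents=True)
        startup.mkdir(parents=True)
        (sys32 / "sistray.exe").write_bytes(b"MZ constructed sample 1")   # constructed stand-in
        (startup / "MSCOMM32.EXE").write_bytes(b"MZ constructed sample 2")  # constructed stand-in
        (sys32 / "ctfmon.exe").write_bytes(b"MZ constructed decoy")        # must be left alone
        records = quarantine(base, ["sistray.exe", "mscomm32.exe"], base / "quarantine")
        return {
            "names": sorted(Path(r[0]).name.lower() for r in records),
            "digests_ok": all(len(r[1]) == 64 for r in records),
            "moved": all(not Path(r[0]).exists() and Path(r[2]).exists() for r in records),
            "decoy_intact": (sys32 / "ctfmon.exe").exists(),
            "manifest_lines": len((base / "quarantine" / "manifest.txt").read_text().splitlines()),
        }


if __name__ == "__main__":
    print(run_demo())
```

The manifest gives you the hash next to the original location, which is what you want on hand when posting back to the thread or submitting the sample for a second opinion.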
-
Scanning with ewido now says I am infected with downloader.small.cjv in these files:
c:\w.exe
c:\windows\lb.exe
and also infected with backdoor.shbot.b in these files:
c:\windows\system\svchostw.exe
c:\windows\system\svchostw.dll
c:\windows\system\svchctrl.exe
c:\windows\system\regserv.exe
c:\windows\system\regserv.dll
What do I do with these files? Can I just delete them? I removed some of the last ones from startup with HijackThis. Thanks guys.
The common factor for most of these is that they are in the system folders, and you (read: the malware) need permissions/admin rights to do this.
Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
Check out the link to DropMyRights (in my signature below): Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.