Avast WEBforum

Other => Viruses and worms => Topic started by: ekhart on November 03, 2006, 02:09:25 PM

Title: 4 Trojan virus, help me please ? [cleaned, thanks a lot essexboy and all of you]
Post by: ekhart on November 03, 2006, 02:09:25 PM
Hello, world, and thanks for taking time to read this =)

For 3 days now, avast! has detected 4 Trojans in a file named MMS Assist. In my opinion, I should delete the whole file but for some reason, I can't. The program says that it's already used by something else and even when I restart the computer to scan it, the file isn't deleted.
Here is what avast! says:

[Adw]" has been found in "C:\PROGRA~1\MMSASS~1\mmsass~1.dll" file. 
Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Program Files\MMSAssist\mmssver.dll" file. 
Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Program Files\MMSAssist\mmsass~1.dll" file. 
Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\MMSAssist\albus.dll" file.

I have already located the file but haven't opened it yet; what should I do, please?
Title: Re: 4 Trojan virus, help me please ?
Post by: DavidR on November 03, 2006, 02:28:19 PM
Don't rush, read the whole post before taking any action.

Windows in its infinite wisdom protects files in use (even malware) or in system folders, so it is likely that avast! can't delete or move files in use. So schedule a boot-time scan in avast's menu if you have XP, win2k or NT, otherwise boot into safe mode and run an avast scan. This should ensure that the file isn't in use and avast should be able to deal with it.

Deletion isn't really a good first option (you then have none left); 'first do no harm': don't delete, send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

This does seem to be adware/malware as a google search for MMSAssist http://www.google.co.uk/search?q=MMSAssist returns many hits, as do searches for the associated file names.

If you are unable to move them to the chest in normal Windows use, then use the boot-time scan mentioned above. Still choose the option to move to the chest rather than delete.
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 03, 2006, 07:13:34 PM
You have the Borlan Trojan; this includes a rootkit element. Currently the only removal method I know for this is Prevx:
http://www.prevx.com/

If you wish I can take you through the cleaning of this Nasty (I am currently an upperclassman at Geek U).

Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 04, 2006, 01:57:05 AM
You have to know, DavidR, that I already looked on Google to see what or who could help. And I came here as a last resort.

Thanks a lot essexboy, I accept your help with all my gratitude. Prevx located all the files and "moved them to safety" except "C:\Program Files\MMSAssist\mmsass~1.dll", which is not moved but not allowed to run either.

Do you want me to send you my e-mail or will you help me from here ?
Title: Re: 4 Trojan virus, help me please ?
Post by: Lisandro on November 04, 2006, 04:00:44 AM
Quote
For 3 days now, avast! has detected 4 Trojans in a file named MMS Assist. In my opinion, I should delete the whole file but for some reason, I can't. The program says that it's already used by something else and even when I restart the computer to scan it, the file isn't deleted.
Did you try to scan at boot time or just restart the computer?
I suggest that you run a boot time scanning with avast: Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.

It won't harm if you:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
    Then after step four, enable it again.
2) Clean your temporary files.
3) Use a-squared (http://www.emsisoft.com/en/software/free/), Free AVG Antispyware (http://www.ewido.net/en/), SUPERantispyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/) (trojan removers).
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 04, 2006, 12:24:15 PM
Hi Ekhart
Do it from here; I am currently working on a similar problem at Geek U, so I can run you in tandem.

Could you please post a HJT log for my perusal. Borlan is nasty and hard to get rid of, but it can be done  ;D
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 04, 2006, 12:42:16 PM
Off out now for a few hours but should be back by this evening
Title: Re: 4 Trojan virus, help me please ?
Post by: FreewheelinFrank on November 04, 2006, 12:51:33 PM
Hi essexboy,

For future reference, can Borlan still be removed by disabling the rootkit service as described here:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-112111-0409-99&tabid=3
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 04, 2006, 02:57:34 PM
Quote
Did you try to scan at boot time or just restart the computer?
I suggest that you run a boot time scanning with avast: Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.

More than 3 times already.

Hi, Essexboy,

I had to search a bit to see what you meant (as I'm not a native English speaker, it's difficult to understand professional language), but here it is:

Holding cell:

C:\WINDOWS\SYSTEM32\ALSMT.EXE
C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
C:\PROGRAM FILES\MMSASS~1\MMSASS~1.DLL

Jail:

C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGGCENGINE.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGCENGINE.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGIEPROCESS.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGNSENGINE.DLL
C:\PROGRAM FILES\ERROR SAFE FREE\EMPTYERSF.EXE
C:\DOCUMENTS AND SETTINGS\MICHELLE\LOCAL SETTINGS\TEMP\ERRORSAFESCANNERSETUP.EXE
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GAPPMGR.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\GATORSTUBSETUP.EXE
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GMTPROXY.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GMTPROXY.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GSTORE.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GSTORESERVER.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GTOOLS.DLL
C:\DOCUMENTS AND SETTINGS\LEILA\LOCAL SETTINGS\TEMP\INSTALLBO-FSG.EXE
C:\DOCUMENTS AND SETTINGS\LEILA\LOCAL SETTINGS\TEMP\INSTALLMNL-FSG.EXE
C:\PROGRAM FILES\MIDNIGHT LAKE SCREENSAVER\MIDNIGHTLAKE.EXE
C:\PROGRAM FILES\MIDNIGHT LAKE SCREENSAVER\ML1UNINSTALLER.EXE
C:\WINDOWS\SYSTEM32\UNINSTALLMNL.EXE
Title: Re: 4 Trojan virus, help me please ?
Post by: Lisandro on November 04, 2006, 03:01:43 PM
Quote
More than 3 times already.
And what about:
1) Disabling System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Cleaning your temporary files.
3) Using a-squared (http://www.emsisoft.com/en/software/free/), Free AVG Antispyware (http://www.ewido.net/en/), SUPERantispyware (http://www.superantispyware.com) or Spyware Terminator (http://www.spywareterminator.com/) (trojan removers).
Title: Re: 4 Trojan virus, help me please ?
Post by: SNOWHITE on November 04, 2006, 04:05:33 PM
Quote
Could you please post a HJT log for my perusal. Borlan is nasty and hard to get rid of, but it can be done   ;D

Hi ekhart  ;)
Please follow the instructions from essexboy about posting HJT; he will help you, but first you will need to post a HijackThis log. Click on this link http://www.thespykiller.co.uk/html/downloads.html and download the "Hijackthis" self installer, then run HJT and click "Do a system scan and save a log file". When the scan is finished, copy and paste the content of the report to this thread. Do Not Fix anything with HJT!

Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 04, 2006, 07:22:29 PM
Hello Snowhite, thanks for that, I forgot to put it in.

Quote
For future reference, can Borlan still be removed by disabling the rootkit service as described here:
FF, on the other system I was working on, Borlan defeated Gmer and the Sophos anti-rootkit tools, and at one stage I was pulling my hair out in frustration as it even defeated Prevx. But he is clean now, as currently IceSword and one other tool I have in reserve can beat it. Anyway, back on track: I always do the cleanup when I am sure my client is clean and not before.

Ekhart, when you get the HJT log please post it here and I will see what is remaining. No problem with the language, as if neither of us is sure we can always ask  ;D
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 04, 2006, 08:10:28 PM
All right, I'm sorry to be the cause of so much trouble... Thanks a lot Snowhite, and here is the stuff:

Logfile of HijackThis v1.99.1
Scan saved at 20:08:54, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Leïla Chihab\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://haschishin.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [FSASWREG] "C:\Program Files\Securitoo\Av_Fw\Anti-Spyware\fsaswreg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Fichiers communs\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item:   >> ²ÊÐÅ·¢ËÍ << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O8 - Extra context menu item: Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ¿áÈÈÓ°Òô - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)

Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 04, 2006, 08:11:04 PM
Looking now
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 04, 2006, 08:22:02 PM
Close to good; for this I will need you to disable Prevx. To do this, right click the GREEN ball in your system tray and select exit. Say OK to the warning, then:

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O9 - Extra button: ¿áÈÈÓ°Òô - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O8 - Extra context menu item:   >> ²ÊÐÅ·¢ËÍ << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.


Please download the Killbox by Option^Explicit (http://www.downloads.subratam.org/KillBox.exe).

Note: In the event you already have Killbox, this is a new version that I need you to download.
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

Please repost a new HJT log when complete and I will re-assess.
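The four entries essexboy picks out above share one trait: they either load from the MMSASS~1 folder that avast! already flagged, or they wire a remote page (www.kuree.com) into Internet Explorer. As an added example, not from the thread and not part of HijackThis, here is a small Python triage script that parses HJT-style "Onn - ..." lines and flags entries on exactly those two criteria; the sample lines are copied from the logs in this thread, and the `SUSPECT_DIRS` list is an assumption taken from the avast! alerts in the first post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: seven lines copied verbatim from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O8 - Extra context menu item: Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: ¿áÈÈÓ°Òô - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Assumption: the directory the avast! alerts in this thread pointed at (long and 8.3 short form).
SUSPECT_DIRS = ("MMSASS~1", "MMSAssist")

ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# A local target starts with a drive letter, optionally behind the res:// scheme.
LOCAL_TARGET_RE = re.compile(r"^(?:res://)?[A-Za-z]:\\")
FILE_MISSING = " (file missing)"


@dataclass
class HjtEntry:
    section: str            # "O2", "O8", "O9", "O23", ...
    kind: str               # "BHO", "Extra button", "Service", ...
    name: str               # display name (for O23 the owner field is folded in here)
    clsid: Optional[str]    # {GUID} when the line carries one
    target: str             # file path, res:// URL or remote URL
    file_missing: bool      # HJT's "(file missing)" suffix was present
    raw: str


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one 'Onn - Kind: name - {CLSID} - target' line; R0/R1, blank and other lines give None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, kind, rest = m.groups()
    file_missing = rest.endswith(FILE_MISSING)
    if file_missing:
        rest = rest[: -len(FILE_MISSING)]
    parts = rest.split(" - ")
    target = parts.pop()                      # the last field is always the target
    clsid = None
    if parts and CLSID_RE.match(parts[-1]):   # the field before the target may be a CLSID
        clsid = parts.pop()
    return HjtEntry(section, kind, " - ".join(parts), clsid, target, file_missing, line.strip())


def triage(entry: HjtEntry, suspect_dirs=SUSPECT_DIRS) -> List[str]:
    """Return the reasons an entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    target = entry.target.lower()
    if any(d.lower() in target for d in suspect_dirs):
        reasons.append("target lives in a directory the AV already flagged")
    # Browser hooks (BHOs, context-menu items, extra buttons) should load local files;
    # a bare hostname such as www.kuree.com/... is a remote page wired into IE.
    if entry.section in ("O2", "O8", "O9") and not LOCAL_TARGET_RE.match(entry.target):
        reasons.append("browser hook points at a remote target")
    # "(file missing)" on its own is deliberately not a criterion: HJT 1.99.1 also prints it
    # for legitimate services whose command line is quoted (see the avast! lines in the log).
    return reasons


def flag_entries(log_text: str) -> List[Tuple[HjtEntry, List[str]]]:
    """Parse a whole HJT log and return the entries triage() flags, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    for entry, reasons in flag_entries(SAMPLE_LOG):
        print(f"{entry.section:>3} {entry.name!r:30} -> {entry.target}")
        for reason in reasons:
            print(f"      {reason}")
```

Run against the sample it reports exactly the Vision BHO, the MMSASS~1 context-menu item and the kuree.com button, and leaves the FlashGet, Adobe and avast! entries alone.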
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 04, 2006, 09:02:53 PM
I just did it and restarted my computer and, while I was using Killbox, I didn't receive any message at all. I guess it's good?

Logfile of HijackThis v1.99.1

Scan saved at 21:01:07, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Leïla Chihab\Bureau\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://haschishin.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [FSASWREG] "C:\Program Files\Securitoo\Av_Fw\Anti-Spyware\fsaswreg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Fichiers communs\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 04, 2006, 10:53:14 PM
OK, the MMSASS is still there; time to bring in the sledgehammer.


Please download Boran Remover from one of the following places and save it to your Desktop:
http://download.bleepingcomputer.com/sUBs/boran-remover.exe
http://www.techsupportforum.com/sectools/boran-remover.exe
Close all open windows.
Double-click boran-remover.exe to start the tool.
Your computer will reboot if an infection is found.
If the tool is unable to neutralize the infection, it will reboot again for another attempt.
When the tool is finished, it will save a log called boran.log in the boran-remover folder on your Desktop.

Next, to clean the Baidu toolbar:

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com (http://download.bleepingcomputer.com/sUBs/combofix.exe)

* techsupportforum.com  (http://www.techsupportforum.com/sectools/combofix.exe)

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


If you could then repost another HJT log, the ComboFix log and the Boran log  ;D  If the ComboFix log is too large then post it in separate pieces  ;D

Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 05, 2006, 10:52:39 AM
All right, I've just done that.

Logfile of HijackThis v1.99.1
Scan saved at 10:49:37, on 05/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Leïla Chihab\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://haschishin.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [FSASWREG] "C:\Program Files\Securitoo\Av_Fw\Anti-Spyware\fsaswreg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Fichiers communs\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 05, 2006, 10:53:55 AM
I'm afraid I have to post again

Boran Remover :: 2006-10-19 :: 20
----------------------------------------------------------------
Run by Leïla Chihab :: 05/11/2006 @ 10:36:32,18

Found C:\WINDOWS\system32\drivers\albus.sys
Found C:\Program Files\MMSAssist\mmsass~1.dll
Found C:\Program Files\MMSAssist\mmssver.dll

Rebooting...

Attempting to disable albus.sys...
Successful!

Attempting to remove files and directories:
 C:\WINDOWS\system32\almms.dat
 C:\WINDOWS\system32\alpst.dat
 C:\WINDOWS\system32\extern.ini
 C:\WINDOWS\system32\std.ini
 C:\WINDOWS\system32\stdd.ini
 C:\WINDOWS\system32\updadini.ini
 C:\WINDOWS\system32\updstdex.ini
 C:\WINDOWS\system32\updstdup.ini
 C:\Program Files\MMSAssist
 C:\WINDOWS\system32\exuppsh
 C:\WINDOWS\system32\stdcache
 C:\WINDOWS\system32\updadini
 C:\WINDOWS\system32\updstdex
 C:\WINDOWS\system32\updstdup . . . FAILED
 C:\WINDOWS\Temp\exuppsh
 C:\WINDOWS\Temp\inspst

Rebooting...

Attempting to disable albus.sys...
Unsuccessful; may still be active.

Attempting to remove files and directories:
 C:\WINDOWS\system32\drivers\Albus.SYS
 C:\WINDOWS\system32\Albus.DAT
 C:\WINDOWS\system32\alsmt.exe
 C:\WINDOWS\system32\std.ini
 C:\WINDOWS\system32\updadini
 C:\WINDOWS\system32\updstdex
 C:\WINDOWS\system32\updstdup

Unable to remove infection; giving up.
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 05, 2006, 10:54:23 AM
Here is the combo fix:

Leïla Chihab - 06-11-05 10:46:12,76    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Program Files\Mozilla Firefox"

(((((((((((((((((((((((((((((((   Files Created from 2006-10-05 to 2006-11-05  ))))))))))))))))))))))))))))))))))
 
 
2006-11-04   01:05   9,728   --a------   C:\WINDOWS\system32\drivers\pxscinst.dll
2006-11-04   01:05   7,680   --a------   C:\WINDOWS\system32\drivers\pxinst.dll
2006-11-04   01:05   7,552   --a------   C:\WINDOWS\system32\drivers\pxcom.sys
2006-11-04   01:05   272,256   --a------   C:\WINDOWS\system32\drivers\pxfsf.sys
2006-11-04   01:05   18,560   --a------   C:\WINDOWS\system32\drivers\pxtdi.sys
2006-11-04   01:05   13,568   --a------   C:\WINDOWS\system32\drivers\pxrd.sys
2006-11-04   01:05   11,648   --a------   C:\WINDOWS\system32\drivers\pxscrmbl.sys
2006-11-04   01:05   100,864   --a------   C:\WINDOWS\system32\drivers\PxEmu.sys
2006-10-19   11:54   118,784   --a------   C:\WINDOWS\system32\jetspeed.dll
2006-10-17   20:14   61,440   --a------   C:\WINDOWS\system32\stdstub.dll
2006-10-17   20:14   51,712   --a------   C:\WINDOWS\system32\albus.dll
2006-10-17   20:14   49,152   --a------   C:\WINDOWS\system32\stdvote.dll
2006-10-17   20:14   32,768   --a------   C:\WINDOWS\system32\stdplay.dll
2006-10-17   20:14   106,496   --a------   C:\WINDOWS\system32\stdupnet.dll


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))   


2006-11-05 10:45   --------   d--------   C:\Program Files\Mozilla Firefox
2006-11-05 10:38   --------   d--------   C:\Program Files\Prevx1
2006-11-05 10:30   --------   d--------   C:\Program Files\Mozilla Thunderbird
2006-11-04 20:11   --------   d--------   C:\Documents and Settings\Leïla Chihab\Application Data\Adobe
2006-11-04 01:54   --------   d--------   C:\Documents and Settings\Leïla Chihab\Application Data\Prevx
2006-11-04 01:47   --------   d--------   C:\Program Files\Midnight Lake Screensaver
2006-11-04 01:46   --------   d--------   C:\Program Files\Error Safe Free
2006-11-01 17:31   --------   d--------   C:\Program Files\FlashGet
2006-10-28 21:50   --------   d--------   C:\Program Files\The Adventure Company
2006-10-28 18:59   --------   d--------   C:\Program Files\Infofo Bar
2006-10-28 18:59   --------   d--------   C:\Program Files\Google
2006-10-28 00:34   --------   d--------   C:\Documents and Settings\Leïla Chihab\Application Data\Wannadoo
2006-10-28 00:24   --------   d--------   C:\Program Files\MSN Messenger
2006-10-08 12:07   --------   d--------   C:\Program Files\OpenOffice.org 2.0
2006-10-08 11:53   --------   d--------   C:\Documents and Settings\Leïla Chihab\Application Data\OpenOffice.org2
2006-09-25 16:45   666240   --a------   C:\WINDOWS\system32\aswBoot.exe
2006-09-25 16:40   87424   --a------   C:\WINDOWS\system32\drivers\aswmon2.sys
2006-09-25 16:40   85952   --a------   C:\WINDOWS\system32\drivers\aswmon.sys
2006-09-25 16:39   36176   --a------   C:\WINDOWS\system32\drivers\aswTdi.sys
2006-09-25 16:39   16352   --a------   C:\WINDOWS\system32\drivers\aswRdr.sys
2006-09-25 16:37   90112   --a------   C:\WINDOWS\system32\AVASTSS.scr
2006-09-25 16:37   24560   --a------   C:\WINDOWS\system32\drivers\aavmker4.sys
2006-09-13 06:03   1084416   --a------   C:\WINDOWS\system32\msxml3.dll
2006-08-25 16:51   617472   --a------   C:\WINDOWS\system32\comctl32.dll
2006-08-21 13:26   16896   --a------   C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14   23040   --a------   C:\WINDOWS\system32\fltmc.exe
2006-08-16 12:59   100352   --a------   C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"Aim6"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"hpWirelessAssistant"="C:\\Program Files\\hpq\\HP Wireless Assistant\\HP Wireless Assistant.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"eabconfg.cpl"="C:\\Program Files\\HPQ\\Quick Launch Buttons\\EabServr.exe /Start"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"BO1HelperStartUp"="C:\\PROGRA~1\\BUTTER~1\\BO1HEL~1.EXE /partner BO1"
"FSASWREG"="\"C:\\Program Files\\Securitoo\\Av_Fw\\Anti-Spyware\\fsaswreg.exe\""
"TkBellExe"="\"C:\\Program Files\\Fichiers communs\\Real\\Update_OB\\realsched.exe\"  -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"HostManager"="C:\\Program Files\\Fichiers communs\\AOL\\1154804588\\ee\\AOLSoftware.exe"
"IPHSend"="C:\\Program Files\\Fichiers communs\\AOL\\IPHSend\\IPHSend.exe"
"PrevxOne"="\"C:\\Program Files\\Prevx1\\PXConsole.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Ma page d'accueil"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-chargeur Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Démon de cache des catégories de composant"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"webwork"="{4C611512-2C1D-44b2-A044-872AD2AD5A61}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]   
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-05 10:47:48.07
C:\ComboFix.txt ... 06-11-05 10:47
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 05, 2006, 02:21:23 PM
Ok, Boran is now proving to be a pain. You must have one of the later versions, so I will try another tool to kill it.

First disable Prevx by going to Start > Run, then type in msconfig and press Enter. On the dialogue that appears go to Startup and remove the ticks next to all related Prevx items, then Apply. On restart a dialogue will appear; just tick "do not show this again".

First, re-run Killbox again.

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try Killbox again.

We will now use the latest version of ComboFix; the new ComboFix link is http://download.bleepingcomputer.com/sUBs/...aB/combofix.exe (save it to your desktop).

Could you please download and run via the start > run box pasting in "%userprofile%\desktop\combofix.exe" /wow-drv albus

Be advised it took about 8 goes to finally kill it in my last encounter. But it can be killed....
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 05, 2006, 04:45:32 PM
Quote
First disable Prevx by going to Start > Run, then type in msconfig and press Enter. On the dialogue that appears go to Startup and remove the ticks next to all related Prevx items, then Apply. On restart a dialogue will appear; just tick "do not show this again".

Please, what do you mean? Do I have to start Prevx to find this menu?

(And, I'm sorry, but there are a lot of viruses coming since I've been following your advice. As Avast! seems to be able to take care of these, it's not a real problem, but still it's quite annoying... is it normal?)
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 05, 2006, 04:53:21 PM
I have just noticed you do not appear to have a firewall; is this correct? If so, please download ZAFree from here: http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp

Quote
(And, I'm sorry, but there are a lot of viruses coming since I've been following your advice. As Avast! seems to be able to take care of these, it's not a real problem, but still it's quite annoying... is it normal?)

No, it is not, unless they are DCOM exploits being blocked.

Quote
Please, what do you mean? Do I have to start Prevx to find this menu?

No, it is the Windows Start button. Press that and on the right you will see an icon marked Run. Select that, then type msconfig in the box that appears and press Enter.

This is the same place where you will need to paste the following when you get the latest version of ComboFix:
Quote
"%userprofile%\desktop\combofix.exe" /wow-drv albus

Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 05, 2006, 06:11:32 PM
We will now use the latest version of ComboFix; the new ComboFix link is http://download.bleepingcomputer.com/sUBs/...aB/combofix.exe (save it to your desktop).

Could you please download and run via the start > run box pasting in "%userprofile%\desktop\combofix.exe" /wow-drv albus

Be advised it took about 8 goes to finally kill it in my last encounter. But it can be killed....


Hm, that link doesn't exist: 404 file not found :/

Thanks for warning me. I was beginning to despair, but could you please tell me what ComboFix does? I'm following your advice as if I were blind, but I trust you.
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 05, 2006, 06:18:03 PM
Combo fix cures a variety of malware items in one go rather than downloading 4 or 5 tools to do the same job. Plus it also shows me recently added files which may be associated with known malware, and any new malware files. I will recheck the link with the author to confirm it is correct.
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 05, 2006, 06:24:01 PM
As an interim fix while I wait for a reply, please reboot into Safe Mode.
Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Then run the Boran removal tool again
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 06, 2006, 07:56:23 PM
Here:

06/11/2006 @ 19:49:09,29

Found C:\WINDOWS\system32\drivers\albus.sys

Rebooting...

Attempting to disable albus.sys...
Unsuccessful; may still be active.

Attempting to remove files and directories:
 C:\WINDOWS\system32\drivers\Albus.SYS . . . FAILED
 C:\WINDOWS\system32\Albus.DAT . . . FAILED
 C:\WINDOWS\system32\alsmt.exe . . . FAILED
 C:\WINDOWS\system32\std.ini . . . FAILED
 C:\WINDOWS\system32\stdd.ini . . . FAILED
 C:\WINDOWS\system32\updadini.ini
 C:\WINDOWS\system32\updstdex.ini
 C:\WINDOWS\system32\updstdup.ini . . . FAILED
 C:\WINDOWS\system32\stdcache
 C:\WINDOWS\system32\updadini
 C:\WINDOWS\system32\updstdex
 C:\WINDOWS\system32\updstdup . . . FAILED

Rebooting...

Attempting to disable albus.sys...
Unsuccessful; may still be active.

Attempting to remove files and directories:
 C:\WINDOWS\system32\drivers\Albus.SYS . . . FAILED
 C:\WINDOWS\system32\Albus.DAT . . . FAILED
 C:\WINDOWS\system32\alsmt.exe . . . FAILED
 C:\WINDOWS\system32\std.ini . . . FAILED
 C:\WINDOWS\system32\stdd.ini . . . FAILED
 C:\WINDOWS\system32\updstdup.ini . . . FAILED
 C:\WINDOWS\system32\updstdup . . . FAILED

Unable to remove infection; giving up.
Title: Re: 4 Trojan virus, help me please ?
Post by: Lisandro on November 06, 2006, 08:44:30 PM
Did you try avast boot time scanning?
Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 06, 2006, 10:58:54 PM
Please download Sophos Anti-Rootkit from http://www.sophos.com/products/free-tools/sophos-anti-rootkit/download/, filling in the requested details at the bottom of the page and then clicking Submit; this will then take you to the download page.

Then run the programme; it will create a folder in C:\sophtemp. Locate the file sarqui and run it. When the programme has finished, go to START > RUN, paste the following into the window: %TEMP%\sarscan.log and click OK to execute.

A text file will open. Save it to your desktop.

Rename Killbox.exe to Gotcha.exe by right clicking the file and selecting re-name


If your computer does not restart automatically, please restart it manually.


Post the content of that file.
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 09, 2006, 05:40:09 PM
Excuse me for the late reply, due to my work. And, is it sarcli or sargui?
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 09, 2006, 07:23:34 PM
No problem, it is
Quote
SARGUI, a blue shield icon.
I have been reviewing the recent successful removal of my last victim and you appear to have a later version than him, which is why it seems confusing to you. I am having to try variations on a theme. Chin up though, it can be beaten. 8)
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 10, 2006, 06:37:43 PM
I can't start what doesn't exist ...

There's no SARQUI in it.
I'd like to send you a screencap to prove it but, unfortunately, the Internet is being worse and slower than ever. I've been trying 10 times before this post could be sent~ it's pure luck when a window opens correctly.

and... there are now 26 programs in Prevx Jail or which aren't allowed to run by this program.
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 10, 2006, 08:35:26 PM
Look for the blue shield icon
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 11, 2006, 12:30:12 PM
To give you a feel for how bad this trojan is, here is a small analysis:

Quote
This infection uses multiple layers of protection to keep itself loaded. There is one driver and two services -- Albus (albus.sys), JMediaService (mmssver.dll), and StdService (stdsver.dll). Albus watches itself and the %programfiles%\MMSAssist directory (where JMediaService lives). StdService will regenerate missing pieces of this infection. Trying to stop any of the three services using normal means is futile. You cannot delete any of the critical files while the infection is active. Additionally, Albus watches for registry changes against itself and will block changes. This can lead to a deadlock if you try to edit the registry to remove it while it is active.
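The analysis above names the pieces that keep this infection alive (the MMSAssist directory, the Albus driver and the JMediaService / StdService modules), and essexboy asks for a fresh HJT log once a remover reports success. As an added example, not code from HijackThis, the Boran remover or ComboFix, this Python script flags HijackThis log lines that reference those components and diffs a before/after log pair to confirm the hooks are gone; the indicator list is taken from the thread, the line regex and the embedded sample lines (copied from ekhart's logs) are my assumptions.

```python
"""Triage HijackThis-style log lines for the Boran/Albus components named in
this thread, and check a post-clean log against the original one.

Added example, not the code of HijackThis, the Boran remover or ComboFix.
The indicator families below come from the thread (MMSAssist directory,
albus.sys/albus.dll, mmssver.dll/stdsver.dll and the std*.dll modules the
Boran remover listed, JMediaService/StdService); the HJT line regex and the
sample lines are assumptions for this demo.
"""
import re
from dataclasses import dataclass

INDICATORS = [
    ("MMSAssist directory", re.compile(r"\\(?:MMSAssist|MMSASS~1)\\", re.I)),
    ("Albus driver/module", re.compile(r"\balbus\.(?:sys|dll|dat)\b", re.I)),
    ("JMediaService/StdService module",
     re.compile(r"\b(?:mmssver|stdsver|stdupnet|stdstub|stdvote|stdplay)\.dll\b", re.I)),
    ("service name", re.compile(r"\b(?:JMediaService|StdService)\b")),
]

# HijackThis entries start with a section code (R0, O2, O4, O21, O23, ...)
# followed by " - "; running-process paths and headers do not match.
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Finding:
    section: str        # e.g. "O2" (BHO), "O21" (SSODL), "O23" (service)
    reason: str         # which indicator family matched
    file_missing: bool  # HJT could not see the file, yet the hook is still registered
    line: str


def triage_hjt(log_text: str) -> list:
    """Return one Finding per HJT entry that references a known component."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        for reason, pattern in INDICATORS:
            if pattern.search(m.group("body")):
                findings.append(Finding(
                    section=m.group("section"),
                    reason=reason,
                    file_missing="(file missing)" in line,
                    line=line,
                ))
                break  # one finding per line is enough
    return findings


def compare_logs(before: str, after: str) -> dict:
    """Diff the flagged entries of a pre-clean and a post-clean log.

    "remaining" is the list a helper would act on: hooks the remover did
    not clear. "new" catches components that regenerated after a reboot.
    """
    old = {f.line for f in triage_hjt(before)}
    new = {f.line for f in triage_hjt(after)}
    return {
        "removed": sorted(old - new),
        "remaining": sorted(old & new),
        "new": sorted(new - old),
    }


# Sample input: three entries copied from the first HJT log in this thread
# and two from the log posted after the Boran remover reported "Done!".
BEFORE_LOG = r"""
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

AFTER_LOG = r"""
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(BEFORE_LOG):
        print(f"[{f.section}] {f.reason} (file missing: {f.file_missing}): {f.line}")
    print(compare_logs(BEFORE_LOG, AFTER_LOG))
```

Note that the MMSAssist BHO shows "(file missing)" in the first log while avast! still detected the DLL on disk, which is why the script reports the registration separately from the file: the hook has to be gone from the log, not just the file from the folder.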
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 11, 2006, 12:47:01 PM
There is now an updated version of the Boran removal tool at http://deckard.be/tools/beta/boran-remover-26.exe. Please download and run it.

Close all open windows.
Double-click boran-remover-26.exe to start the tool.
Your computer will reboot if an infection is found.
If the tool is unable to neutralize the infection, it will reboot again for another attempt.
When the tool is finished, it will save a log called boran.log in the boran-remover folder on your Desktop. Please include this log with your next post.
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 11, 2006, 06:40:10 PM
Found C:\WINDOWS\system32\drivers\albus.sys
Found C:\WINDOWS\system32\stdupnet.dll

Rebooting...

Attempting to disable albus.sys...
Successful!

Attempting to remove files and directories:
 C:\WINDOWS\system32\albus.dll
 C:\WINDOWS\system32\alstd.dat
 C:\WINDOWS\system32\std.ini
 C:\WINDOWS\system32\stdact.ini
 C:\WINDOWS\system32\stdd.ini
 C:\WINDOWS\system32\stdplay.dll
 C:\WINDOWS\system32\stdstub.dll
 C:\WINDOWS\system32\stdup.uni
 C:\WINDOWS\system32\stdupnet.dll
 C:\WINDOWS\system32\stdvote.dll
 C:\WINDOWS\system32\updstdup.ini
 C:\WINDOWS\system32\exupstd
 C:\WINDOWS\system32\stdcache
 C:\WINDOWS\system32\updadini
 C:\WINDOWS\system32\updstdex
 C:\WINDOWS\system32\updstdup
 C:\WINDOWS\Temp\insshell
 C:\WINDOWS\Temp\winnt1

Searching for possible unknown Boran files
Not all files listed will be bad - do not remove unless instructed!
C:\WINDOWS\system32\drivers\aliide.sys
C:\WINDOWS\system32\spool\drivers\color\stdpyccl.icm

Cleaning Registry...
Done!
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 11, 2006, 08:27:06 PM
Excellent, please now post a new HJT log. ;D
Title: Re: 4 Trojan virus, help me please ?
Post by: galooma on November 11, 2006, 09:44:24 PM
Nice work EB ;)
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 11, 2006, 11:35:23 PM
Ah Clossau, I had practice on my last victim, which prepared me for several failures before success. All I should need to do now is tidy up and delete the restore points.
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 14, 2006, 05:59:35 PM
Scan saved at 22:52:19, on 11/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Leïla Chihab\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://haschishin.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [FSASWREG] "C:\Program Files\Securitoo\Av_Fw\Anti-Spyware\fsaswreg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Fichiers communs\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)


Once again, sorry for being late, and thanks for taking care of me *bows* I'm in your debt!
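The O4 (Run keys), O20 (Winlogon Notify / AppInit_DLLs) and O23 (services) lines in a log like the one above are the entries a helper reads first. As an added example, not code from this thread or from the HijackThis project, the Python below parses lines in that format and flags the ones worth a second look: services with an unknown owner or a "(file missing)" marker, O20 loaders, 8.3 short names that hide the real folder name (the infected folder in this thread showed up as MMSASS~1), and autostarts from a temp directory. The sample log is constructed, and the flag names and heuristics are my own, not anything the tool itself reports.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the HijackThis log format seen in the thread; the
# Temp\svch0st.exe line is made up to exercise the temp-directory check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Updater] C:\DOCUME~1\user\LOCALS~1\Temp\svch0st.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# First drive-letter path up to a binary extension; arguments after it are dropped.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|cpl|scr|sys|ocx))\b", re.I)
SHORT_NAME_RE = re.compile(r"~\d+(?:\.|\\|$)")      # PROGRA~1, mmsass~1.dll
TEMP_DIR_RE = re.compile(r"\\(temp|tmp|recycler)\\", re.I)

# Heuristic flag labels (my own wording, not HijackThis output)
FLAG_MISSING = "file missing"
FLAG_OWNER = "service with unknown owner"
FLAG_O20 = "O20 loader (Winlogon Notify / AppInit_DLLs): review"
FLAG_SHORT = "8.3 short name: resolve the long name before judging"
FLAG_TEMP = "autostarts from a temp directory"


@dataclass
class Entry:
    section: str             # HijackThis section, e.g. "O4" or "O23"
    body: str                # everything after "Oxx - "
    path: Optional[str]      # first binary path found on the line, if any
    flags: List[str] = field(default_factory=list)


def parse_hjt_log(text: str) -> List[Entry]:
    """Turn the Oxx lines of a log into Entry records; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        pm = PATH_RE.search(body)
        entries.append(Entry(section, body, pm.group(1) if pm else None))
    return entries


def triage(entry: Entry) -> List[str]:
    """Heuristic flags for one entry; an empty list means nothing stood out."""
    flags = []
    if "(file missing)" in entry.body:
        flags.append(FLAG_MISSING)
    if entry.section == "O23" and "Unknown owner" in entry.body:
        flags.append(FLAG_OWNER)
    if entry.section == "O20":
        flags.append(FLAG_O20)
    if entry.path:
        if SHORT_NAME_RE.search(entry.path):
            flags.append(FLAG_SHORT)
        if TEMP_DIR_RE.search(entry.path):
            flags.append(FLAG_TEMP)
    return flags


def triage_log(text: str) -> List[Entry]:
    """Parse a whole log and return only the entries that carry a flag."""
    flagged = []
    for entry in parse_hjt_log(text):
        entry.flags = triage(entry)
        if entry.flags:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section:<4} {e.path or '-'}")
        for f in e.flags:
            print(f"     - {f}")
```

A flag is a prompt to look closer, not a verdict: in the log above the avast! services themselves show "Unknown owner", and avast's own Run entry uses a short 8.3 path, so the reviewer still has to resolve the long name and check the file's publisher before deciding.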
Title: Re: 4 Trojan virus, help me please ?
Post by: Spiritsongs on November 14, 2006, 07:07:07 PM
:)  Hi all:

I have seen several Malware Experts on a couple of antiSPYWARE Support forums recommend "renaming" HijackThis.exe because some malware will "hide" from it; I have not seen any such recommendation on renaming Killbox.
At this point in time, IF you are malware-free, it would be appropriate to "update" your Sun Java, since it is 3 "Updates" behind & a serious security risk. Therefore, you should uninstall ALL versions you have and can get the latest version by going to www.majorgeeks.com/download4648.html .
In addition, your "Flashget" is considered "Adware" according to www.spywareguide.com; there are adware-free alternative(s), which have been discussed on Avast forums.
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 14, 2006, 07:25:08 PM
Hi Ekhart, you are now as near squeaky clean as can be and you can now be a recipient of my keep-you-clean spiel. Thank you for allowing me to help you   ;D  I would ask you to be aware that the Oasis screensaver (free version) does include GAIN adware.

First, your Java is a little out of date, so I recommend uninstalling your current Java and downloading the latest version from here: http://www.majorgeeks.com/download.php?det=4648

Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE


You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and then display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button; click this
7. Accept the Warning and select OK again; the program will close and you are done



The following is a list of tools and utilities that I use and like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this (http://computercops.biz/postlite7736-.html) article by Tony Klein
Title: Re: 4 Trojan virus, help me please ?
Post by: essexboy on November 14, 2006, 07:29:30 PM
Quote
I have seen several Malware Experts on a couple of antiSPYWARE Support forums
     recommend "renaming" HijackThis.exe because some malware will "hide" from it;
     have not seen any such recommendation on renaming Killbox .

Unfortunately with this piece of nasty work it sometimes helps - see the brief precis of how it works a few posts prior to this.  Renaming it may have enabled the deletion of one of the infectors
Title: Re: 4 Trojan virus, help me please ?
Post by: ekhart on November 20, 2006, 07:34:59 PM
Hi there! I am the one who should thank you, essexboy, I'm sure you know that ^^
There, I've downloaded some of these programs, and will be sure to install the others soon. Thanks for giving me that; I really don't know what I should do to prove my gratitude to you, therefore I'll be here to help you or anything else if you ever need me.

Thank you very much! *bow*
Title: Re: 4 Trojan virus, help me please ? [cleaned, thanks a lot essexboy and all of you]
Post by: essexboy on November 20, 2006, 11:34:34 PM
I'm just sorry it was so stubborn to remove, but you are welcome.  Here to help
Title: Re: 4 Trojan virus, help me please ? [cleaned, thanks a lot essexboy and all of
Post by: polonus on November 21, 2006, 12:22:45 AM
Hi essexboy,

This should have been something to throw dotomyco at:
Description:
Dotomyco has come about as a Removal Tool for Backdoor.Agent.AC (f-prot, avp,...) for instance: Backdoor.Agent.B (symantec)  -specially designed for **xy=Rundll32 xy.dll,StreamingDeviceSetup, about:blank or AppInit_DLLs=xyc.dll)- , then it was rather quickly recompiled as a general tool to aid the removal of various Browser-Hijackers.
At the moment it is still in BETA, and should be used ONLY in combination with CWShredder & HijackThis!
- The tool was motivated by "free crap"
2005-02-16: Updated BHO-List
2005-02-22:cll. Bugfix

Build-History: (1.0.0 ... 1.0.4h), 1.0.4i, (1.0.4j), 1.0.4k, 1.0.4l

Features: (1.0.4l)

    * Scans Memory, Processes, BHO, NT-Services, Run-Keys, AppInit_DLLs, Hosts-Files,
    * ...and removes all it finds naturally (after a restart)
    * Pattern-Scanner, various Blacklists
    * Able to launch other Programs (pre-defined (HiJackThis, CWShredder, StartDreck) others as required)

Status: is developed further

Download here: http://www.niksoft.at/php/dl.php?f=dotomyco.zip
(64.294 Bytes) md5: 872ed5a14d6e4f59d34415ca05da47fa

Use whenever appropriate,

polonus
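Before running a removal tool fetched from a third-party site, it is worth checking the download against the size and MD5 the poster published, so a truncated or swapped file is rejected before it is executed. The Python below is an added example, not part of the original post or of the dotomyco tool; the expected values are the ones quoted above and are assumed to describe that archive ("64.294 Bytes" is read as 64294 bytes with a European thousands separator, also an assumption).

```python
import hashlib
import hmac
from typing import Tuple

# Published alongside the download link above; assumed to describe that archive.
EXPECTED_MD5 = "872ed5a14d6e4f59d34415ca05da47fa"
EXPECTED_SIZE = 64294  # "64.294 Bytes" in the post, read with a European thousands separator


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_archive(data: bytes, expected_md5: str = EXPECTED_MD5,
                   expected_size: int = EXPECTED_SIZE) -> Tuple[bool, str]:
    """Check the size first (cheap, catches truncated downloads), then the digest.

    Returns (ok, reason) so a caller can log why a file was rejected.
    """
    if len(data) != expected_size:
        return False, f"size mismatch: got {len(data)} bytes, expected {expected_size}"
    digest = md5_hex(data)
    # compare_digest is a constant-time comparison; not essential for a local
    # file check, but the right habit whenever digests are compared.
    if not hmac.compare_digest(digest, expected_md5.lower()):
        return False, f"md5 mismatch: got {digest}"
    return True, "ok"


def verify_file(path: str, expected_md5: str = EXPECTED_MD5,
                expected_size: int = EXPECTED_SIZE) -> Tuple[bool, str]:
    """Same check for a file on disk (the archive is small enough to read whole)."""
    with open(path, "rb") as fh:
        return verify_archive(fh.read(), expected_md5, expected_size)


if __name__ == "__main__":
    import sys
    ok, reason = verify_file(sys.argv[1] if len(sys.argv) > 1 else "dotomyco.zip")
    print("OK" if ok else f"REJECT: {reason}")
    sys.exit(0 if ok else 1)
```

A matching MD5 only shows the file is the one the poster hashed, not that the poster's copy was clean, and MD5 no longer resists deliberately constructed collisions, so the check catches corruption and casual substitution rather than a determined attacker; where a publisher offers a SHA-256, use that instead.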
Title: Re: 4 Trojan virus, help me please ? [cleaned, thanks a lot essexboy and all of you]
Post by: essexboy on November 21, 2006, 07:50:08 PM
Ta polonus, downloaded to check out.