Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: chinhis13 on June 19, 2007, 05:10:21 AM

Title: Problems with a virus
Post by: chinhis13 on June 19, 2007, 05:10:21 AM
Whenever I open Internet Explorer,
there is always a virus called "Win.Small-EPO [trj]"
from a website, [www.adxxxo.cn/bind_32.exe],
but I have never gone to this website..

Avast! 4 Home then opens a window that tells me to click the disconnect button,
but after disconnecting, another Win.Small-EPO [trj] is here again!

How do I solve this problem? Thank you very much!
Title: Re: Problems with a virus
Post by: Lisandro on June 19, 2007, 05:17:04 AM
Strange, I couldn't find that site... neither the file of course.
I couldn't scan the file with Dr. Web or even test it...
Can you post a screenshot?

To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).
Title: Re: Problems with a virus
Post by: chinhis13 on June 19, 2007, 05:30:42 AM
Quote from: Lisandro on June 19, 2007, 05:17:04 AM
> Strange, I couldn't find that site... neither the file of course.
> I couldn't scan the file with Dr. Web or even test it...
> Can you post a screenshot?
>
> To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
> You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

Thanks very much.
This condition only occurs in another account on my computer.
Where can I find the virus record from Avast?
Title: Re: Problems with a virus
Post by: chinhis13 on June 19, 2007, 05:40:57 AM
Quote from: chinhis13 on June 19, 2007, 05:30:42 AM
> Quote from: Lisandro on June 19, 2007, 05:17:04 AM
> > Strange, I couldn't find that site... neither the file of course.
> > I couldn't scan the file with Dr. Web or even test it...
> > Can you post a screenshot?
> >
> > To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
> > You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).
>
> Thanks very much.
> This condition only occurs in another account on my computer.
> Where can I find the virus record from Avast?

I have got it.

* VPS: 000749-1, 15/06/2007
*

hxxp://www.adonga.cn/233.exe\[Embedded#1]\[ASPack]\[Embedded#0f4664]\[Embedded#08040] [L] Win32:Adware-gen. [Adw] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)

I have never visited these websites before.
Title: Re: Problems with a virus
Post by: DavidR on June 19, 2007, 01:54:29 PM
Well, it looks like you may have a trojan downloader on your system that is visiting the sites to download its payload. DrWeb link checker confirms 233.exe is infected, although it doesn't detect anything for bind_50110.exe. I would tend to believe the avast detection, especially since 'you' didn't visit the site nor initiate the download.

You need to modify your post so the links aren't active to avoid accidental exposure, e.g. http :// www . adonga.cn /233.exe\ - http :// www . adonga.cn / bind_50110.exe

What is your firewall?
It should be capable of blocking unauthorised outbound Internet connections, and WinXP's doesn't provide outbound protection.
Title: Re: Problems with a virus
Post by: mauserme on June 19, 2007, 02:05:02 PM
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log (see instructions below) in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Click here (http://www.thespykiller.co.uk/files/HJTsetup.exe) to download HJTsetup.exe
Title: Re: Problems with a virus
Post by: chinhis13 on June 19, 2007, 05:03:20 PM
Quote from: DavidR on June 19, 2007, 01:54:29 PM
> Well, it looks like you may have a trojan downloader on your system that is visiting the sites to download its payload. DrWeb link checker confirms 233.exe is infected, although it doesn't detect anything for bind_50110.exe. I would tend to believe the avast detection, especially since 'you' didn't visit the site nor initiate the download.
>
> You need to modify your post so the links aren't active to avoid accidental exposure, e.g. http :// www . adonga.cn /233.exe\ - http :// www . adonga.cn / bind_50110.exe
>
> What is your firewall?
> It should be capable of blocking unauthorised outbound Internet connections, and WinXP's doesn't provide outbound protection.

I use Comodo Firewall.
Whenever I log into MSN or open Internet Explorer, it brings up a window asking me to choose "accept/no".
If I click "NO", I can't surf the net.
Title: Re: Problems with a virus
Post by: chinhis13 on June 19, 2007, 05:06:55 PM
Thanks for your help.
Title: Re: Problems with a virus
Post by: DavidR on June 19, 2007, 05:22:11 PM
Just a quick post, I'm on my way out.

This is suspect, no Google hits; run HJT again and tick the Fix box to the left of the entry.
O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
Suspect:
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) (I don't know why you would need a DCOM Server; although the entry indicates no file, it is possibly SpySheriff)
Title: Re: Problems with a virus
Post by: chinhis13 on June 19, 2007, 06:15:53 PM
Log file by Combofix:

ComboFix 07-06-18.2 - C:\Documents and Settings\Anthony\桌面\ComboFix.exe
"Anthony" - 2007-06-19 23:12:19 - Service Pack 2  NTFS 


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\124.dll
C:\WINDOWS\19124.exe
C:\WINDOWS\227.dll
C:\WINDOWS\227.exe
C:\WINDOWS\233.exe
C:\WINDOWS\system32\1005_1016_0501_1-227.exe
C:\WINDOWS\system32\1005_1019_0501_1-233.exe
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\msxml3a.dll


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\NPF


(((((((((((((((((((((((((   Files Created from 2007-05-19 to 2007-06-19  )))))))))))))))))))))))))))))))


2007-06-19 23:10   49,152   --a------   C:\WINDOWS\nircmd.exe
2007-06-03 03:35   4,733,788   --a------   C:\WINDOWS\SYSTEM32\dmap_01200019124.exe
2007-05-29 02:08   581,632   --a------   C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
2007-05-29 02:07   581,632   --a------   C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll
2007-05-29 02:07   0   --a------   C:\WINDOWS\resouese.dll
2007-05-29 01:28   4,096   --ahs----   C:\WINDOWS\SYSTEM32\Advpak.dll
2007-05-29 01:26   <DIR>   d--------   C:\Program Files\Autow
2007-05-26 17:39   <DIR>   d--------   C:\Program Files\peal


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 20:04:36   --------   d--h--w   C:\Program Files\WindowsUpdate
2007-05-17 11:07:24   --------   d-----w   C:\DOCUME~1\Anthony\APPLIC~1\Ulead Systems
2007-05-17 07:23:51   --------   d-----w   C:\DOCUME~1\Anthony\APPLIC~1\AdobeUM
2007-05-16 15:11:50   683,520   ----a-w   C:\WINDOWS\system32\inetcomm.dll
2007-05-12 13:19:07   --------   d-----w   C:\DOCUME~1\Anthony\APPLIC~1\Comodo
2007-05-06 09:59:51   --------   d-----w   C:\Program Files\Comodo
2007-05-06 09:38:52   --------   d--h--w   C:\Program Files\InstallShield Installation Information
2007-05-03 16:21:12   --------   d-----w   C:\Program Files\FinalBurner
2007-05-01 16:52:38   --------   d-----w   C:\Program Files\Alwil Software
2007-05-01 12:50:48   --------   d-----w   C:\Program Files\Kaspersky Lab
2007-04-30 15:46:10   745,600   ----a-w   C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55   85,952   ----a-w   C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42   94,552   ----a-w   C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41   23,416   ----a-w   C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51   43,176   ----a-w   C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23   26,888   ----a-w   C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28   95,872   ----a-w   C:\WINDOWS\system32\AvastSS.scr
2007-04-28 10:47:39   319,112   ----a-w   C:\WINDOWS\system32\prfh0404.dat
2007-04-28 10:47:38   107,426   ----a-w   C:\WINDOWS\system32\prfc0404.dat
2007-04-25 14:22:29   144,896   ----a-w   C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
2007-04-16 14:47:36   33,624   -c--a-w   C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20   43,352   -c--a-w   C:\WINDOWS\system32\wups2.dll
2007-04-11 06:44:33   1,843,200   ----a-w   C:\WINDOWS\system32\win32k.sys
2007-03-20 14:34:29   102,440   -c--a-w   C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2005-07-14 04:31:20   27,648   --sha-r   C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32:28   616,448   --sha-r   C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37:42   45,568   --sha-r   C:\WINDOWS\SYSTEM32\cygz.dll
2005-02-28 05:16:22   240,128   --sha-r   C:\WINDOWS\SYSTEM32\x.264.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:57 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"Boostweb"="C:\PROGRA~1\BoostWEB\bwc.exe" [1999-03-08 13:50]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-02-21 22:12]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 23:42]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-06 19:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:47]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-02-21 22:12]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll,


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs   BthServ
Usnsvc   usnsvc


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 23:31:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-19 23:53:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-19 23:53

   --- E O F ---
Title: Re: Problems with a virus
Post by: chinhis13 on June 19, 2007, 06:17:18 PM
Quote from: DavidR on June 19, 2007, 05:22:11 PM
> Just a quick post, I'm on my way out.
>
> This is suspect, no Google hits; run HJT again and tick the Fix box to the left of the entry.
> O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
> Suspect:
> O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
> O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) (I don't know why you would need a DCOM Server; although the entry indicates no file, it is possibly SpySheriff)

Oh I see..
What does DCOM Server mean?

The problem I stated before is still here; how can I solve it? Thank you all.
Title: Re: Problems with a virus
Post by: DavidR on June 19, 2007, 07:40:38 PM
Windows has a DCOM service that generally no one needs, so I can't see a need to have a dedicated DCOM Server, and DCOM functionality is one in which there were many vulnerabilities that were being exploited. So it is also important to ensure your Operating System is fully up to date.

http://www.updatexp.com/dcom-windows-xp.html
http://computing-dictionary.tfd.com/DCOM
Title: Re: Problems with a virus
Post by: mauserme on June 20, 2007, 02:17:29 PM
I actually needed a HJT log run after ComboFix.  Could you post another HJT log for me?  :)
Title: Re: Problems with a virus
Post by: chinhis13 on June 20, 2007, 06:34:42 PM
Thanks for your help.
Title: Re: Problems with a virus
Post by: chinhis13 on June 20, 2007, 06:35:13 PM
Quote from: DavidR on June 19, 2007, 07:40:38 PM
> Windows has a DCOM service that generally no one needs, so I can't see a need to have a dedicated DCOM Server, and DCOM functionality is one in which there were many vulnerabilities that were being exploited. So it is also important to ensure your Operating System is fully up to date.
>
> http://www.updatexp.com/dcom-windows-xp.html
> http://computing-dictionary.tfd.com/DCOM

Thanks for answering.
Title: Re: Problems with a virus
Post by: mauserme on June 20, 2007, 08:28:43 PM
There are a few suspicious files showing in ComboFix that have not been removed. Please upload these to Virus Total (http://www.virustotal.com/en/indexf.html) for analysis and post the results:

C:\WINDOWS\SYSTEM32\dmap_01200019124.exe
C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll
C:\WINDOWS\resouese.dll
C:\WINDOWS\SYSTEM32\Advpak.dll

Your HJT log looks OK - just some clean up. Open HJT again and click to Run a System Scan Only. When complete, place a check mark next to these lines:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

Next, close all windows including your browser and click Fix Checked.

This line appears to be a remnant of Windows Blinds:

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\

Is that program functioning correctly for you? There seems to be a missing file.

Also, are you familiar with the sites shown in these lines?

O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab

What is the current status of the trojan warnings?
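The triage the helpers applied in this thread (fix entries that point at a file no longer on disk, distrust an unnamed BHO loading a DLL with a random-looking name, verify where an ActiveX control is served from) written out as an added example; this is not code from the thread or from HijackThis, and the two benign rows (the Adobe BHO and the avast! Run entry) are constructed from the ComboFix log above to show the rules leaving legitimate entries alone.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines quoted in this thread, plus two
# constructed benign rows built from the ComboFix "Reg Loading Points" section.
SAMPLE_HJT_LOG = [
    "O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\\WINDOWS\\SYSTEM32\\pvpkelepwc.dll",
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\\bdoscandel.exe (file missing)",
    "O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab",
    "O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab",
    "O20 - Winlogon Notify: WBSrv - C:\\WINDOWS\\",
    "O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)",
    "O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file)",
    "O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
]

LINE_RE = re.compile(r"^(?P<code>O\d+) - (?P<kind>[^:]+): (?P<rest>.*)$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
VOWELS = set("aeiou")


@dataclass
class Finding:
    code: str      # HJT section, e.g. O2, O16, O21
    target: str    # file, URL or "(no file)" the entry points at
    verdict: str   # "orphan", "suspect", "verify" or "ok"
    reason: str


def looks_random(filename: str) -> bool:
    """Heuristic for generated DLL names such as pvpkelepwc.dll: a long,
    all-letter stem with very few vowels. Crude, but it separates the two
    downloader DLLs in this thread from every legitimate name in the log."""
    stem = filename.rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    vowels = sum(1 for ch in stem.lower() if ch in VOWELS)
    return vowels / len(stem) < 0.3


def triage_line(line: str):
    """Classify one HJT line; returns None for lines that are not HJT entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, kind, rest = m.group("code"), m.group("kind"), m.group("rest")
    parts = [p.strip() for p in rest.split(" - ")]
    label, target = parts[0], parts[-1]
    # 1. Entries whose file is gone are dead autostarts: safe to fix in HJT.
    if "(no file)" in target or "(file missing)" in target:
        return Finding(code, target, "orphan", "points at a file that is not on disk")
    if kind == "Winlogon Notify" and target.endswith("\\"):
        return Finding(code, target, "orphan", "notify package path is a bare directory, DLL missing")
    # 2. ActiveX download sources: the question is whether the user knows the site.
    if kind == "DPF":
        host = re.match(r"https?://([^/]+)", target)
        if host and IPV4_RE.fullmatch(host.group(1)):
            return Finding(code, target, "verify", "control served from a bare IP address")
        return Finding(code, target, "ok", "control from a named host; confirm you recognise it")
    # 3. Loaded modules: unnamed entries with random-looking file names.
    filename = target.rsplit("\\", 1)[-1]
    if label == "(no name)" and looks_random(filename):
        return Finding(code, target, "suspect", f"unnamed {kind} loading random-looking {filename}")
    if looks_random(filename):
        return Finding(code, target, "suspect", f"random-looking file name {filename}")
    return Finding(code, target, "ok", "named entry with a plausible path")


def triage_log(lines):
    return [f for f in (triage_line(l) for l in lines) if f is not None]


def summarize(findings):
    counts = {"orphan": 0, "suspect": 0, "verify": 0, "ok": 0}
    for f in findings:
        counts[f.verdict] += 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_HJT_LOG)
    for f in results:
        print(f"{f.verdict:7} {f.code:4} {f.target}  ({f.reason})")
    print(summarize(results))
```

The "no Google hits" test DavidR applied cannot be automated offline; this only narrows the list a human still has to look up.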
Title: Re: Problems with a virus
Post by: chinhis13 on June 21, 2007, 07:53:07 PM
Thanks mauserme.

Here is the result (I couldn't scan resource.dll; it said it couldn't receive the file from my computer):

C:\WINDOWS\SYSTEM32\dmap_01200019124.exe

STATUS: FINISHED
Complete scanning result of "dmap_01200019124.exe", received in VirusTotal at 06.21.2007, 19:18:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007  no virus found
Authentium 4.93.8 06.21.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  No threat detected
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
Ikarus T3.1.1.8 06.21.2007  no virus found
Kaspersky 4.0.2.24 06.21.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.16.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 no virus found

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.09.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6

C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.16.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6

C:\WINDOWS\SYSTEM32\Advpak.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007  no virus found
AntiVir 7.4.0.34 06.21.2007  no virus found
Authentium 4.93.8 06.21.2007  no virus found
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
BitDefender 7.2 06.21.2007  no virus found
CAT-QuickHeal 9.00 06.21.2007  no virus found
ClamAV devel-20070416 06.21.2007  no virus found
DrWeb 4.33 06.21.2007  no virus found
eSafe 7.0.15.0 06.20.2007  no virus found
eTrust-Vet 30.8.3731 06.21.2007  no virus found
Ewido 4.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  no virus found
Fortinet 2.91.0.0 06.21.2007  no virus found
F-Prot 4.3.2.48 06.21.2007  no virus found
F-Secure 6.70.13030.0 06.20.2007  no virus found
Ikarus T3.1.1.8 06.21.2007  no virus found
Kaspersky 4.0.2.24 06.21.2007  no virus found
McAfee 5058 06.21.2007  no virus found
Microsoft 1.2607 06.21.2007  no virus found
NOD32v2 2343 06.21.2007  no virus found
Norman 5.80.02 06.21.2007  no virus found
Panda 9.0.0.4 06.20.2007  no virus found
Sophos 4.18.0 06.21.2007  no virus found
Sunbelt 2.2.907.0 06.16.2007  no virus found
Symantec 10 06.21.2007  no virus found
TheHacker 6.1.6.136 06.20.2007  no virus found
VBA32 3.12.0.2 06.20.2007  no virus found
VirusBuster 4.3.23:9 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 no virus found

It seems that many hidden viruses are on my computer although I have done a virus scan with avast! Home..
My computer has been repaired so many times..because of viruses!
I don't know whether all viruses have been deleted right now...(it runs slow)
How may I solve the problems?
Is it the HJT log that tells the suspicious files?
Really thanks, I am an idiot at computers... :(

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ ?
What's that? ???

The trojan warning problem has finally been solved.
Thanks for helping. :)
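A way to read multi-engine results like the ones posted above, as an added example that is not code from the thread or from VirusTotal: it parses the row layout the user pasted (engine, version, update date, result), counts how many engines flagged each file, lists which ones (including the resident avast!) reported it clean, and votes on a family name across the vendors' differing naming schemes. The embedded report is a constructed excerpt of the rows above, not the full tables.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt of the VirusTotal results posted in this thread: a subset
# of the engines, in the same line layout (engine, version, update date, result).
SAMPLE_VT_REPORT = """\
C:\\WINDOWS\\SYSTEM32\\dmap_01200019124.exe

STATUS: FINISHED
Antivirus Version Update Result
Avast 4.7.997.0 06.21.2007  no virus found
FileAdvisor 1 06.21.2007  No threat detected
Kaspersky 4.0.2.24 06.21.2007  no virus found

C:\\WINDOWS\\SYSTEM32\\pvpkelepwc.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007  no virus found
AVG 7.5.0.467 06.20.2007  no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007  no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6
"""

CLEAN_RESULTS = {"no virus found", "no threat detected"}
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DATE_RE = re.compile(r"^\d{2}\.\d{2}\.\d{4}$")
# Vendor boilerplate that says nothing about which family a sample belongs to.
GENERIC = {"win32", "w32", "win", "trojan", "tr", "dldr", "downloader",
           "trojandownloader", "gen", "generic", "adware"}


def parse_vt_report(text):
    """Map each submitted file path to its list of (engine, result) rows."""
    report, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):          # a new file's block starts with its path
            current = line
            report[current] = []
            continue
        tokens = line.split()
        if current is None or len(tokens) < 4 or not DATE_RE.match(tokens[2]):
            continue                     # column header, STATUS line, anything else
        report[current].append((tokens[0], " ".join(tokens[3:])))
    return report


def family_tokens(result):
    """Split a vendor name like 'TR/Dldr.Ieser.C.6' into candidate family tokens."""
    tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", result) if t}
    return {t for t in tokens if len(t) > 2 and not t.isdigit() and t not in GENERIC}


@dataclass
class Verdict:
    detected: int
    total: int
    missed_by: list            # engines that reported the file clean
    consensus: Optional[str]   # most-voted family token, None if nothing detected
    votes: int


def summarize(rows):
    votes, missed = Counter(), []
    for engine, result in rows:
        if result.lower() in CLEAN_RESULTS:
            missed.append(engine)
            continue
        votes.update(family_tokens(result))   # one vote per engine per token
    top = votes.most_common(1)
    consensus, n = top[0] if top else (None, 0)
    return Verdict(len(rows) - len(missed), len(rows), missed, consensus, n)


def report_verdicts(text):
    return {path: summarize(rows) for path, rows in parse_vt_report(text).items()}


if __name__ == "__main__":
    for path, v in report_verdicts(SAMPLE_VT_REPORT).items():
        print(f"{path}: {v.detected}/{v.total} engines, family={v.consensus} ({v.votes} votes)")
        print(f"  reported clean by: {', '.join(v.missed_by)}")
```

The point the thread makes shows up directly in the output: the resident scanner is in the "reported clean" list for the DLL that seven other engines agree is an Ieser downloader.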
Title: Re: Problems with a virus
Post by: DavidR on June 21, 2007, 08:43:59 PM
With all this malware hiding in the system folders you need to consider preventative measures.

You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.
Title: Re: Problems with a virus
Post by: mauserme on June 22, 2007, 03:27:37 AM
Hi again chinhis13. Sorry I've been away for so long - I wasn't getting notifications that you had posted a response.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer and save it to your desktop.

Next, double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll

Return to OTMoveIt, right-click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red MoveIt! button.
Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply with a new HijackThis log.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Also, try to upload C:\WINDOWS\resouese.dll to Virus Total again (please note that the file name is a misspelling of "resource" when you're looking for it).

Quote from: chinhis13 on June 21, 2007, 07:53:07 PM
> It seems that many hidden viruses are on my computer although I have done a virus scan with avast! Home..
> My computer has been repaired so many times..because of viruses!
> I don't know whether all viruses have been deleted right now...(it runs slow)
> How may I solve the problems?
> Is it the HJT log that tells the suspicious files?
> Really thanks, I am an idiot at computers...
>
> O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ ?
> What's that?
>
> I am familiar with PPStream. But the other one (O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab), I don't know.
>
> Is there any problem with this software (PPStream)?
> I heard from the internet that it may get files onto the computer...
>
> The trojan warning problem has finally been solved.

Sometimes it's HJT, sometimes other tools, that pinpoint the suspicious files. In this case ComboFix was more useful (so far).

The fact that you are no longer getting trojan warnings is a good sign - we've made some progress. But you're not clean yet.

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ seems to be part of a program called Windows Blinds but there is a missing file. Do you know this program? Is it working correctly?

I'm still researching the ppstream, etc.
Title: Re: Problems with a virus
Post by: chinhis13 on June 22, 2007, 08:24:34 AM
Quote from: DavidR on June 21, 2007, 08:43:59 PM
> With all this malware hiding in the system folders you need to consider preventative measures.
>
> You might also consider proactive protection: in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.
>
> Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can't put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.
>
> Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator settings: WinNT, Win2k, WinXP.

Thanks David very much. I will try it now. :)
Title: Re: Problems with a virus
Post by: chinhis13 on June 22, 2007, 08:35:38 AM
Thanks for your help.
Title: Re: Problems with a virus
Post by: mauserme on June 22, 2007, 01:58:58 PM
Yes, those two files are gone now.

When you installed Messenger Plus there was an option to install a "sponsor program".   Do you recall if you installed both, or just Messenger Plus?
Title: Re: Problems with a virus
Post by: chinhis13 on June 22, 2007, 05:35:48 PM
Quote from: mauserme on June 22, 2007, 01:58:58 PM
> Yes, those two files are gone now.
>
> When you installed Messenger Plus there was an option to install a "sponsor program". Do you recall if you installed both, or just Messenger Plus?

I just installed Messenger Plus without the sponsor program.
Title: Re: Problems with a virus
Post by: chinhis13 on June 22, 2007, 05:56:09 PM
Is there any way to protect my computer better?
(like using a set of software...AVG+Avast!/PC Tools AntiVirus+Avast!)
Title: Re: Problems with a virus
Post by: mauserme on June 22, 2007, 06:37:18 PM
Quote from: chinhis13 on June 22, 2007, 05:56:09 PM
> Is there any way to protect my computer better?
> (like using a set of software...AVG+Avast!/PC Tools AntiVirus+Avast!)

Yes:

AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
SuperAntiSpyware + avast! is also a good combination
avast! + any other resident antivirus (like AVG or PC Tools) is not good as they will conflict.

For now, please download the free version of SuperAntiSpyware and do a complete system scan. When it finishes, save and then post the log it produces.

http://www.superantispyware.com/
Title: Re: Problems with a virus
Post by: Lisandro on June 23, 2007, 03:20:49 AM
Quote from: mauserme on June 22, 2007, 06:37:18 PM
> AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
> SuperAntiSpyware + avast! is also a good combination

Other options would be a-squared and, for a second resident, Spyware Terminator.
Title: Re: Problems with a virus
Post by: chinhis13 on June 23, 2007, 09:22:56 AM
Quote from: mauserme on June 22, 2007, 06:37:18 PM
> Quote from: chinhis13 on June 22, 2007, 05:56:09 PM
> > Is there any way to protect my computer better?
> > (like using a set of software...AVG+Avast!/PC Tools AntiVirus+Avast!)
>
> Yes:
>
> AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
> SuperAntiSpyware + avast! is also a good combination
> avast! + any other resident antivirus (like AVG or PC Tools) is not good as they will conflict.
>
> For now, please download the free version of SuperAntiSpyware and do a complete system scan. When it finishes, save and then post the log it produces.
>
> http://www.superantispyware.com/


Log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 06/23/2007 at 02:52 PM

Application Version : 3.8.1002

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type       : Complete Scan
Total Scan Time : 01:36:59

Memory items scanned      : 515
Memory threats detected   : 0
Registry items scanned    : 5527
Registry threats detected : 0
File items scanned        : 7375
File threats detected     : 39

Adware.Tracking Cookie

They have been removed by SuperAntiSpyware.
Does the free version of SuperAntiSpyware protect my computer? Or does it just have the scan and update functions?

Thanks.
Title: Re: Problems with a virus
Post by: chinhis13 on June 23, 2007, 09:23:18 AM
AVG AntiSpyware (not AVG AntiVirus) + avast! is a good combination
SuperAntiSpyware + avast! is also a good combination
Other options would be a-squared and, for a second resident, Spyware Terminator.

Thanks :)
Title: Re: Problems with a virus
Post by: Lisandro on June 23, 2007, 01:47:11 PM
Does the free version of SuperAntiSpyware protect my computer? Or does it just have the scan and update functions? ???
The free version is not a resident application.
You need to update and scan on-demand.
For resident and automatic updates, use Spyware Terminator.
Title: Re: Problems with a virus
Post by: chinhis13 on June 23, 2007, 02:28:47 PM

Thanks for answering my question.
Title: Re: Problems with a virus
Post by: mauserme on June 23, 2007, 03:48:03 PM
Things look good now, chinhis13.  If the computer is running well now we'll proceed to some final cleanup.
Title: Re: Problems with a virus
Post by: chinhis13 on June 23, 2007, 06:58:38 PM
Okay.
Title: Re: Problems with a virus
Post by: mauserme on June 23, 2007, 11:35:47 PM
I'm going to put one more step in and recommend removal of resouese.dll. Even without a Virus Total scan it has every indication of being nasty. It can't be uploaded, it's reported as being 0 bytes, its name looks like a valid file but it isn't, there is little to nothing on Google and, most importantly, it was created at the same time as pvpkelepwc.dll and mrmnxjtiyd.dll, which we know were infected.

EDIT:  Right click the avast! a-icon in your system tray and click Start avast! Antivirus.  When the interface opens click the chest icon, then click User Files.  Now click File>Add, navigate to C:\WINDOWS\resouese.dll and click Open.  Finally, highlight resouese.dll, click File>Email to ALWIL Software and allow it through your firewall if asked.  Keep this copy of the file in the chest for now.

Now open OTMoveIt again and paste the following line into the List of Files/Folders to be moved pane. Click the MoveIt button and paste the results in your next response.

C:\WINDOWS\resouese.dll


BTW - You need to decide now whether to keep avast! or McAfee as your antivirus.  Continuing to run both is not a good idea.

Oh, and there's that Norton stuff too ..
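As an added example for readers of this thread (not a tool mauserme used and not part of the original post), the Python script below automates the kind of judgement made in the post above: it flags DLLs in a directory that are zero bytes long or whose timestamp falls within a short window of DLLs already known to be bad, and records a SHA-256 for each so the file can be submitted for analysis rather than just deleted. The two known-bad names come from the post; the 120-second window, the file names and contents in the constructed sample directory, and the use of modification time as a portable stand-in for the Windows creation time are assumptions.

```python
"""Triage helper (added example, not from the thread): flag DLLs that share
the traits used above to judge resouese.dll: zero length, and a timestamp
within a few seconds of DLLs already known to be bad."""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

KNOWN_BAD = {"pvpkelepwc.dll", "mrmnxjtiyd.dll"}  # names quoted in the thread
WINDOW_SECONDS = 120  # assumption: "created at the same time" = within 2 minutes


@dataclass
class Finding:
    name: str
    size: int
    sha256: str          # hash to quote when submitting the sample
    reasons: List[str]


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(directory: str, known_bad=KNOWN_BAD, window=WINDOW_SECONDS) -> Dict[str, Finding]:
    """Return {name: Finding} for DLLs that are zero-byte or time-clustered
    with a known-bad DLL. st_mtime is used as a portable stand-in for the
    Windows creation time (assumption; on POSIX st_ctime is not creation time)."""
    stamps = {}
    for name in os.listdir(directory):
        p = os.path.join(directory, name)
        if os.path.isfile(p) and name.lower().endswith(".dll"):
            stamps[name] = os.stat(p).st_mtime
    bad_times = [stamps[n] for n in stamps if n.lower() in known_bad]

    findings: Dict[str, Finding] = {}
    for name, t in stamps.items():
        if name.lower() in known_bad:
            continue  # already known; we are looking for its companions
        p = os.path.join(directory, name)
        reasons = []
        size = os.path.getsize(p)
        if size == 0:
            reasons.append("zero-byte file")
        if any(abs(t - bt) <= window for bt in bad_times):
            reasons.append("timestamp within %ds of a known-bad DLL" % window)
        if reasons:
            findings[name] = Finding(name, size, sha256_of(p), reasons)
    return findings


def build_sample_tree() -> str:
    """Constructed sample: two known-bad DLLs, a zero-byte suspect stamped
    alongside them, and a benign DLL stamped a day earlier."""
    d = tempfile.mkdtemp()
    base = 1_182_000_000  # arbitrary epoch seconds (mid-2007)
    files = {
        "pvpkelepwc.dll": (b"MZ" + b"\0" * 64, base),
        "mrmnxjtiyd.dll": (b"MZ" + b"\0" * 64, base + 5),
        "resouese.dll":   (b"", base + 3),
        "legit.dll":      (b"MZ" + b"\1" * 64, base - 86400),
    }
    for name, (data, ts) in files.items():
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, (ts, ts))
    return d


if __name__ == "__main__":
    for f in triage(build_sample_tree()).values():
        print(f.name, f.size, f.sha256[:16], "; ".join(f.reasons))
```

Run as-is it builds the temporary sample tree and prints one line per flagged DLL; point triage() at a copy of a real directory to use it for investigation. The timestamp field is the weak spot: on POSIX st_ctime is inode change time, so the script keys on st_mtime, and on Windows you would swap in the creation timestamp where your Python version exposes it.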
Title: Re: Problems with a virus
Post by: DavidR on June 24, 2007, 01:04:31 AM
I think you should send a sample to avast for analysis as possible malware before removing it.
Title: Re: Problems with a virus
Post by: polonus on June 24, 2007, 01:21:09 AM
Hi mauserme,

Will you consider this cleansing routine for this Chinese spyware infection as well? I mean it is instructive for the final cleansing routine and the rootkit connections:
http://www.geekstogo.com/forum/lofiversion/index.php/t161342.html

polonus

Click the wolf to make it howl!
Title: Re: Problems with a virus
Post by: mauserme on June 24, 2007, 02:41:37 AM
I think you should send a sample to avast for analysis as possible malware before removing it.
If you mean to submit it as undetected I agree.  But I wouldn't want to wait for it to be added to the detections as it would be difficult to predict how long that might take.


Hi mauserme,

Will you consider this cleansing routine for this Chinese spyware infection as well? I mean it is instructive for the final cleansing routine and the rootkit connections:
http://www.geekstogo.com/forum/lofiversion/index.php/t161342.html

polonus

Click the wolf to make it howl!
Hi polonus,

I had actually seen that thread when researching chinhis13's problem but, since no one has responded to mambo123 yet, I didn't take a lot from it. I mean, I think it's more than coincidental that resouese.dll shows up in the 30 day list in both ComboFix logs and the deletions are much the same too. But I'm not able to draw from another analysis as there is none in that thread.

M
Title: Re: Problems with a virus
Post by: DavidR on June 24, 2007, 03:00:49 AM
I think you should send a sample to avast for analysis as possible malware before removing it.
If you mean to submit it as undetected I agree.  But I wouldn't want to wait for it to be added to the detections as it would be difficult to predict how long that might take.

Yes, send it but don't wait for action. I think it is important that we take every opportunity to send samples (no matter how long it might take), but it could be added to the User Files section of the chest so it can be monitored to see if it is eventually analysed and seen as malicious.
Title: Re: Problems with a virus
Post by: mauserme on June 24, 2007, 04:57:57 AM
I've edited my post above to include instructions for sending the file to avast!

I must say, though, I look forward to that improved submission process that's been alluded to. An Explorer extension might be nice.
Title: Re: Problems with a virus
Post by: chinhis13 on June 24, 2007, 06:45:39 AM

Thanks.
Here is the result, there is an error when I click on "Move it":

LoadLibrary failed for C:\WINDOWS\resouese.dll
C:\WINDOWS\resouese.dll NOT unregistered.
C:\WINDOWS\resouese.dll moved successfully.
 
Created on 06/24/2007 12:33:02


McAfee is the antivirus that was provided when I bought this computer, but it expired a long, long time ago.
Norton <- I had deleted this software before.
Title: Re: Problems with a virus
Post by: mauserme on June 24, 2007, 07:26:26 AM
Open HJT again and click to Open the Misc Tools Section.  Then click Delete an NT Service.  Paste the following into the empty field and click OK

resouese.dll

Now open Add/Remove Programs in the Control Panel and uninstall anything related to McAfee and Symantec/Norton you find.

Reboot and post one last HJT log.
Title: Re: Problems with a virus
Post by: chinhis13 on June 24, 2007, 09:42:43 AM

There is an error, "Service resouese.dll was not found in Registry."
Title: Re: Problems with a virus
Post by: mauserme on June 24, 2007, 03:37:16 PM
OK, let's give this one more try.

Open Administrative Tools in the Control Panel and select Services. Scroll down and see if you find a service named resouese. If you do, double click it and stop it. Then, in the drop down box, set it to Disabled.

Then let me know how that went.
Title: Re: Problems with a virus
Post by: chinhis13 on June 24, 2007, 06:29:15 PM

I have tried. There isn't resouese either.
Thanks mauserme.
Title: Re: Problems with a virus
Post by: mauserme on June 24, 2007, 06:47:20 PM
Thanks for checking.

If you haven't already done this, uninstall the McAfee and Norton/Symantec stuff in Add/Remove Programs. Then post a fresh JT log and we will finish things up.

Later on, if you want a secondary antivirus as a back up scanner, you can install the free version of BitDefender or ClamWin.  These are non-resident and will not conflict with avast!
Title: Re: Problems with a virus
Post by: chinhis13 on June 25, 2007, 08:19:11 AM

I did the uninstallation a long, long time ago. Are the files discovered only the remnants? How could I delete them? Thanks.

By the way, what is JT log? Thanks
Title: Re: Problems with a virus
Post by: mauserme on June 25, 2007, 01:04:42 PM
By the way, what is JT log? Thanks :)
Sorry - I meant to ask for a HijackThis (HJT) log.
Title: Re: Problems with a virus
Post by: chinhis13 on June 25, 2007, 01:35:57 PM

Thanks.:)
Title: Re: Problems with a virus
Post by: mauserme on June 25, 2007, 01:52:32 PM
O4 - HKLM\..\Run: [ScanRegistry] C:\W

is new and looks a bit unusual.

Open My Computer and double click the C: drive. At the top of the window click Tools>Folder Options>View. Make sure Show Hidden Files and Folders is checked and Hide Protected Operating System Files is not checked. Then look in C:\ for a file named W. If you find it, upload it to Virus Total and post the results.

Have you made any changes to your computer since your last log?


EDIT:  It looks like you've installed Spyware Terminator and it may have something to do with that.

Check your log again and see if part of that line is missing.  Is the "W" the beginning of the word "windows" in a longer path?

Are you still symptom free?
Title: Re: Problems with a virus
Post by: DavidR on June 25, 2007, 02:34:23 PM
I did the uninstallation a long, long time ago. Are the files discovered only the remnants? How could I delete them?

A link worth looking at, which is a program removal tool that can remove the remnants of a number of different Norton Programs:
Removing your Norton program using SymNRT (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039)

McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe (http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe)
Title: Re: Problems with a virus
Post by: chinhis13 on June 25, 2007, 04:31:34 PM


Thanks very much.
Title: Re: Problems with a virus
Post by: chinhis13 on June 25, 2007, 04:42:39 PM

Yes, I have installed Spyware Terminator.
There is no file named W and nothing has changed since my last log.
Title: Re: Problems with a virus
Post by: DavidR on June 25, 2007, 06:02:00 PM
Without putting words in mauserme's mouth: no occurrence of any of the problems you had when you first had the infection, and no symptoms related to the infection.
Title: Re: Problems with a virus
Post by: mauserme on June 25, 2007, 08:45:42 PM
Without putting words in mauserme's mouth: no occurrence of any of the problems you had when you first had the infection, and no symptoms related to the infection.
Yes, that's exactly what I meant.  Are there any Trojan alerts or other signs of malware now?

Let's do this.  Open HijackThis and click to Do A System Scan Only.  When complete place a check mark next to these lines

O20 - AppInit_DLLs: wbsys.dll,

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe


The following two lines are missing from your most recent HJT log but were present in the log you posted 22 June.  They should still be present since this is where the McAfee processes (Network Associates in your current log) are loading from.  If you're sure you've uninstalled all McAfee products and you can find these lines in HJT place a check mark next to them as well

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey

O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe



After placing the check marks close all other windows, including your browser, and click the button labeled Fix Checked.  Then post a fresh HJT log so we can make sure these things are gone.

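To make the log-review logic in this post and the earlier O4 post concrete, here is an added Python example (not HijackThis code and not from the thread): it parses HijackThis-style lines, pulls the drive path out of each, and flags lines that look truncated (a path ending in a backslash or whose last component has no extension, like the C:\W entry), O20 load points, and entries that still name a vendor the user reports as uninstalled. The sample lines are constructed from the ones quoted in the thread; the vendor list and the truncation heuristic are assumptions.

```python
"""HijackThis log line review (added example, not HijackThis code)."""
import re
from typing import Dict, List, Optional

# Constructed sample built from the lines quoted in this thread. The two
# cut-off entries (C:\W and C:\WINDOWS\) are kept exactly as they were posted.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [ScanRegistry] C:\W
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O20 - AppInit_DLLs: wbsys.dll,
O20 - Winlogon Notify: WBSrv - C:\WINDOWS\
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
"""

# Assumption: vendors the user says are already uninstalled (from the thread).
UNINSTALLED_VENDORS = ("mcafee", "network associates", "symantec", "norton")

LINE_RE = re.compile(r"^(?P<code>O\d+)\s+-\s+(?P<rest>.*)$")
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*)')  # first drive-letter path, stops at a quote


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split an 'Onn - ...' line into its section code, remainder and first path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    pm = PATH_RE.search(rest)
    return {"code": m.group("code"), "rest": rest, "path": pm.group(1) if pm else ""}


def looks_truncated(path: str) -> bool:
    """Heuristic (assumption): a real load-point path names a file, so a path
    ending in a backslash or whose last component has no extension is suspect,
    most likely cut off in copy/paste rather than a real one-letter file."""
    if not path:
        return False
    if path.endswith("\\"):
        return True
    last = path.rsplit("\\", 1)[-1]
    return "." not in last


def review(log_text: str, uninstalled=UNINSTALLED_VENDORS) -> Dict[str, List[str]]:
    """Return {line: [reasons]} for every line a reviewer should look at twice."""
    flags: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        reasons = []
        if looks_truncated(e["path"]):
            reasons.append("path looks truncated; ask for the full log line")
        if e["code"] == "O20":
            reasons.append("O20 load point (AppInit_DLLs / Winlogon Notify) runs in many processes or at logon")
        low = e["rest"].lower()
        if any(v in low for v in uninstalled):
            reasons.append("names a vendor the user reports as uninstalled")
        if reasons:
            flags[line.strip()] = reasons
    return flags


if __name__ == "__main__":
    for line, reasons in review(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

The truncation check is what separates the two cases discussed above: "C:\W" and "C:\WINDOWS\" both fail it, so the right move is to ask for the log again before fixing anything, exactly as mauserme did, while the Symantec and McAfee O23 services parse cleanly and are flagged only because their vendors are supposed to be gone.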
Title: Re: Problems with a virus
Post by: DavidR on June 25, 2007, 08:52:32 PM
I gave chinhis13 an uninstall tool link for McAfee, perhaps that has been run and removed the redundant entries ???
Title: Re: Problems with a virus
Post by: mauserme on June 25, 2007, 08:56:24 PM
I'm not sure. The 2 Network Associates entries under running processes are McAfee but I can't see where it loads anymore. I think the log might be incomplete.
Title: Re: Problems with a virus
Post by: essexboy on June 25, 2007, 10:45:53 PM
The O4 needs to go; use OTMoveIt to kill it.
Title: Re: Problems with a virus
Post by: mauserme on June 25, 2007, 11:57:28 PM
I had planned on doing just that if the next HJT log doesn't add any information to that line.  I'm wondering if anything got lost in the copy/paste process, so I wanted a new log first. 
Title: Re: Problems with a virus
Post by: chinhis13 on June 26, 2007, 08:54:24 AM
Thanks.
Title: Re: Problems with a virus
Post by: mauserme on June 26, 2007, 01:36:54 PM
Quote
There is still the O23 McAfee Framework Service although I had uninstalled it and clicked the Fix Checked button.
But it seems to have no function; could we ignore it?
We could but it would be better to make it go away.

Open the Misc Tools section in HijackThis and click the button labeled Delete an NT Service. Paste the following in the field and click OK

McAfeeFramework


Did you fix this O4 essexboy and I were discussing, or has it disappeared?

O4 - HKLM\..\Run: [ScanRegistry] C:\W
Title: Re: Problems with a virus
Post by: chinhis13 on June 26, 2007, 05:44:37 PM

When I did a scan with Spyware Terminator, it detected it and told me that it is invalid. I have had it removed.
Title: Re: Problems with a virus
Post by: mauserme on June 26, 2007, 07:09:00 PM
Just to play it safe, open OTMoveIt again and copy this path into the list of files/folders to be moved

C:\W

Click the red MoveIt button and paste the results in your next response.

Title: Re: Problems with a virus
Post by: chinhis13 on June 27, 2007, 08:05:08 AM

File/Folder C:\W not found.
 
Created on 06/27/2007 14:04:58
Title: Re: Problems with a virus
Post by: mauserme on June 27, 2007, 01:30:54 PM
Good - we're done.

Open OTMoveIt again and click the Clean Up button.  If your firewall warns you that OTMoveIt is trying to connect to the internet allow the connection.  Then when asked if you want to proceed with the cleanup, press Yes.  This will remove the tools we downloaded and the malware backups.

Next, we will remove old possibly infected restore points and create a clean restore point:

Click Start > All Programs > Accessories > System Tools > System Restore.  Fill the radio button to Create a Restore Point and click Next.  Give the new restore point a name you will recognize if you need to find it (like Clean Point) and click Create.

Now, click Start > All Programs > Accessories > System Tools > Disk Cleanup.  Now click the More Options tab, then click Clean Up in the System Restore section and OK.

Keep SuperAntiSpyware and AVG Antispyware on your computer and scan with them from time to time. This will help keep you clean. Spyware Blaster is also a good, passive defense against malware:

http://www.javacoolsoftware.com/spywareblaster.html

This is a good time to install it while the computer is clean.


 
Title: Re: Problems with a virus
Post by: chinhis13 on June 27, 2007, 07:36:16 PM

Big thanks to mauserme.
Which will be better to use? I am using Spyware Terminator.
If I download SpywareBlaster, would it affect it?
Title: Re: Problems with a virus
Post by: DavidR on June 27, 2007, 07:54:06 PM
SpywareBlaster is passive so it won't conflict with either avast or SpywareTerminator (ST) or SuperAntiSpyware (SAS) or AVG-AS.

The only consideration is not to have two resident anti-spyware applications installed at the same time. AVG-AS is resident during your 30-day trial period, but reverts to on-demand (or can be set to on-demand to avoid conflict). SAS free I believe is on-demand only, so it shouldn't be a problem with ST.
Title: Re: Problems with a virus
Post by: chinhis13 on June 27, 2007, 09:01:59 PM

Thanks.
Title: Re: Problems with a virus
Post by: DavidR on June 27, 2007, 10:10:17 PM
You're welcome.
Title: Re: Problems with a virus
Post by: mauserme on June 28, 2007, 02:08:46 PM
You're welcome, too, chinhis13  :)

David explained the antispyware part better than I could have ...