Author Topic: Win32:Trojan-gen. {VC}.... Won't react to it***Still have probs***  (Read 4043 times)


jonas3333

  • Guest
Hi There.  Just got notice of this virus tonight and cannot seem to do anything with it.  Well, Avast doesn't do anything with it anyway - it won't move to chest, repair, etc. I've been looking about and I see that I'm not the only one who has gotten this type lately - but I also get the feeling that "Trojan-gen. {VC}" is something of a generic term. Am I right???

The file name where it is found is:  C:\WINDOWS\system32\??mbols\dexplore.exe

I am presuming ??mbols to be the "symbols" file, but I really don't know much about this sort of thing, as I'm sure is clear.
Panda Scan didn't detect a virus, but it did detect about 118 spyware/adware items which I have yet to address.

VPS version: 0603-0, 01/15/2006 - so that should be up-to-date

Here is my HijackThis logfile:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\oslr\nsnt.exe
C:\WINDOWS\system32\??mbols\dexplore.exe (added color - is this the culprit???)
C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Valued Customer\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aann] "C:\Program Files\oslr\nsnt.exe" -vt wnew
O4 - HKCU\..\Run: [Ixmt] C:\WINDOWS\system32\??mbols\dexplore.exe
O4 - Startup: Sid Registration.lnk = D:\ATR1.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RaConfig2500.lnk = C:\Program Files\RALINK\RT2500 Wireless LAN Card\Installer\WINXP\RaConfig2500.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123201254546
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134199290718
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Curious as to how I obtained this, as the recent downloading actions of this computer are something from iTunes.  However, it is also networked with another computer by wireless router, and while Panda scan DID find a coupla small trojans (yay!) on that one, they were fixed and did not affect the apparent trojan that this computer picked up.  The other computer was playing around a little on LimeWire today.  Well - that's all I got... please lemme know :) thanks!
« Last Edit: January 18, 2006, 10:39:27 AM by jonas3333 »
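The log above is the kind of thing that gets triaged by eye; as an added example (my own code, not from the thread, from HijackThis or from avast), here is a small Python pass over the O4 autostart lines that picks out the two entries the poster is asking about. It rests on one hard fact and two heuristics: a question mark can never be part of a Windows file name, so a path printed with `?` in it means the real name holds characters the log's ANSI code page could not display; the value-name and folder-name rules are my own rules of thumb, not signatures. The sample lines are copied from the log above.

```python
"""Triage HijackThis O4 (autostart) lines for the signs seen in the thread.
Added example; the sample lines below are copied from the poster's log and
the heuristics are my own, not HijackThis or avast logic."""
import re
from dataclasses import dataclass, field

# Characters Windows never allows inside a file or directory name.  If a log
# prints one of them inside a path component, the real character could not be
# rendered (e.g. a Cyrillic letter standing in for a Latin one).
ILLEGAL_IN_NAME = set('<>"|?*')

O4_RUN = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O4_LNK = re.compile(r'^O4 - (?P<hive>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$')

# Copied from the poster's log (subset); legitimate and suspicious lines mixed.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [Aann] "C:\Program Files\oslr\nsnt.exe" -vt wnew
O4 - HKCU\..\Run: [Ixmt] C:\WINDOWS\system32\??mbols\dexplore.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
"""


@dataclass
class Finding:
    hive: str
    name: str
    image: str
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    """The program being launched: the quoted string if the command line is
    quoted, otherwise everything up to the first space."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def triage(log_text: str):
    """Return a Finding for every O4 line that trips at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line) or O4_LNK.match(line)
        if not m:
            continue
        name = m.group('name')
        image = image_path(m.group('cmd'))
        parts = image.split('\\')
        base = parts[-1].lower()
        reasons = []
        # Hard fact: an illegal character in a component means the displayed
        # name is not the real one.
        bad = [p for p in parts if ILLEGAL_IN_NAME & set(p)]
        if bad:
            reasons.append(f"component {bad[0]!r} contains a character no file name can hold; "
                           f"the real name is outside the ANSI code page")
        # Heuristic: a four-letter value name that has nothing to do with the
        # executable it starts (legitimate short names like 'nwiz' match).
        if len(name) <= 4 and name.lower() not in base:
            reasons.append(f"short value name {name!r} unrelated to {base!r}")
        # Heuristic: a short lowercase folder sitting directly under Program Files.
        if (len(parts) >= 3 and parts[-3].lower() == 'program files'
                and re.fullmatch(r'[a-z]{1,4}', parts[-2])):
            reasons.append(f"executable lives in short random-looking folder {parts[-2]!r} "
                           f"directly under Program Files")
        if reasons:
            findings.append(Finding(m.group('hive'), name, image, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_O4_LINES):
        print(f"{f.hive} [{f.name}] {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as a script it lists only the `Aann` and `Ixmt` entries; everything else in the sample passes. The illegal-character rule is the one worth keeping for real work, since it is not a guess: the only way `?` gets into a printed path is that the tool could not encode the true character.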

jonas3333

  • Guest
Re: Win32:Trojan-gen. {VC}.... Won't react to it
« Reply #1 on: January 16, 2006, 01:28:22 PM »
Upon re-scanning for the fifth or so time - Avast MAY have placed this issue into the chest - for after continuing the scan, there is now a coupla happy bells and the threat is listed on a new page/pad of sorts which appears to be the chest. Sigh - this is rough - my first unresolved virus....

And yet it continues to detect this virus upon scanning.

It is not from the Panda scan, btw, if curious; I noticed that as a possibility before doing the Panda scan.

*added*  Upon rescanning - apparently that page stated above only refers to recent activity discovered, and I don't think it was put into a chest after all :(
Oh! and I ran 1.06 AdAware and it removed 40 files which is far less than the 118 the Panda Scan found...
« Last Edit: January 16, 2006, 02:09:13 PM by jonas3333 »

Spiritsongs

  • Guest
Re: Win32:Trojan-gen. {VC}.... Won't react to it
« Reply #2 on: January 16, 2006, 11:47:38 PM »
:)  Hi Jonas:

I noticed from your HJT log that your Sun Java is 5 updates behind; it's recommended on many anti-spyware forums to REMOVE (uninstall, etc.) ALL outdated versions of this program, then go to www.java.com and get their latest ("Update").

Since you have Ad-Aware, you should consider posting an "inquiry" at www.landzdown.com; this forum is staffed by ALL the experts who used to advise on the now-defunct Lavasoft Ad-Aware Support forums. They would know about that entry.

Offline igor

  • Avast team
  • Posts: 11873
Re: Win32:Trojan-gen. {VC}.... Won't react to it
« Reply #3 on: January 17, 2006, 12:43:21 AM »
To remove malware with this kind of filename (displayed as question marks), I'd suggest using the avast! boot-time scanner.
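igor's point is the crux of the thread: a path that prints as `??mbols` cannot be typed back into a delete command, because the characters shown are not the ones on disk. The following is an added example (my own Python, not the avast boot-time scanner or anything from the thread). It builds a throw-away directory containing a genuine `symbols` folder and a look-alike whose first two letters are Cyrillic (an assumption about what the hidden characters were; the thread never says), shows how an ANSI-code-page tool would render the name, recovers the name it imitates, and removes the entry by its exact Unicode name. The confusables table is a small hand-picked subset, not the full Unicode one.

```python
"""Find and remove directory entries whose names only look like an ASCII name.
Added example, not from the thread or from avast.  The sample tree is
constructed here; the confusable table is an assumed subset."""
import os
import tempfile
import unicodedata

# Cyrillic letters that render identically to Latin ones (assumed subset; a
# real deployment would load the Unicode confusables.txt table).
CONFUSABLE = {
    '\u0430': 'a', '\u0441': 'c', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p',
    '\u0455': 's', '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', '\u0458': 'j',
}


def as_logged(name: str, codepage: str = 'cp1252') -> str:
    """How a Windows ANSI tool prints the name: anything outside the console
    code page comes out as '?' (this is where '??mbols' comes from)."""
    return name.encode(codepage, errors='replace').decode(codepage)


def ascii_lookalike(name: str) -> str:
    """Map confusable letters to their Latin twins and strip combining marks,
    recovering the name the entry is pretending to be."""
    mapped = ''.join(CONFUSABLE.get(ch, ch) for ch in name)
    decomposed = unicodedata.normalize('NFKD', mapped)
    return ''.join(ch for ch in decomposed if not unicodedata.combining(ch))


def find_lookalikes(root: str):
    """Entries directly under root whose names are not pure ASCII, with the
    name they imitate and whether a genuine sibling of that name exists."""
    with os.scandir(root) as it:
        names = {entry.name for entry in it}
    hits = []
    for name in sorted(names):
        if name.isascii():
            continue
        imitated = ascii_lookalike(name)
        hits.append({
            'real': name,
            'logged_as': as_logged(name),
            'imitates': imitated,
            'sibling_exists': imitated != name and imitated in names,
            'codepoints': ' '.join(f'U+{ord(c):04X}' for c in name if not c.isascii()),
        })
    return hits


def remove_exact(root: str, real_name: str) -> bool:
    """Delete the entry by its exact Unicode name, never by the '?' rendering.
    Only one level deep: enough for the sample tree."""
    path = os.path.join(root, real_name)
    if os.path.isdir(path):
        for child in os.listdir(path):
            os.remove(os.path.join(path, child))
        os.rmdir(path)
    elif os.path.exists(path):
        os.remove(path)
    return not os.path.exists(path)


def demo():
    """Build a constructed tree mimicking the log, scan it, remove the
    look-alike folder, and return (hits, removed)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, 'symbols'))            # the genuine folder
        fake = os.path.join(root, '\u0455\u0443mbols')     # Cyrillic dze + u, then 'mbols'
        os.mkdir(fake)
        open(os.path.join(fake, 'dexplore.exe'), 'wb').close()
        hits = find_lookalikes(root)
        removed = remove_exact(root, hits[0]['real']) if hits else False
        return hits, removed


if __name__ == '__main__':
    found, gone = demo()
    for h in found:
        print(f"real={h['real']!r} logged_as={h['logged_as']!r} "
              f"imitates={h['imitates']!r} sibling={h['sibling_exists']} ({h['codepoints']})")
    print('removed:', gone)
```

The `logged_as` field reproduces exactly what the poster saw, `??mbols`, which is why a scanner working from the displayed string has nothing to act on. On a live system the same scan would be pointed at `C:\WINDOWS\system32` and the deletion done from a boot-time or offline context, since a running process in that folder keeps the file open.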

jonas3333

  • Guest
Re: Win32:Trojan-gen. {VC}.... Won't react to it
« Reply #4 on: January 17, 2006, 03:13:26 PM »
igor !!

Thank you very much - The boot scan did the trick and all is good again.  Well never actually had "bad" things happen - but now they are staved off once again!  I'll keep this ??? aspect of filenames in mind.

Spiritsongs:  Thanks for the advice!! -   Still unclear on how to remove the previous versions of the Java you are referring to, as it is not listed in programs. I shall by all means address this issue though!

Thanks again - don't viruses just suck?

Jonas3333


jonas3333

  • Guest
Re: Win32:Trojan-gen. {VC}.... Won't react to it***Still have probs***
« Reply #5 on: January 18, 2006, 10:47:11 AM »
Ahh - it appears I was a little hasty in saying all is good.  :-\   The boot scan DOES make a difference until I reboot the computer - then it's right back.


When the virus is located in the boot scan, it says that the infected file is in System Volume Information\-restore followed by a lot of letters and numbers that I'd rather not type out, but will if I must :)

I moved that virus into the chest via the boot scan as was previously recommended by the program.  Perhaps I should have tried to repair/delete??? 

Or I've seen stuff around here regarding deletion of previous system restores... is that my next step??

Sorry to ask again for your help and thank you for your time.

jonas3333

  • Guest
Re: Win32:Trojan-gen. {VC}.... Won't react to it***Still have probs***
« Reply #6 on: January 22, 2006, 02:23:59 AM »
Well, still hoping for a response on this.
Everything seemed fine after placing that System Information file into the chest, and we haven't gotten the virus alert since, but now the internet connection will not connect - we have tried system restore and uninstalling/reinstalling the network card (which we don't fully understand and were lucky to have personal help with before), but the computer will not connect to the internet via the network. It's using a Ralink wireless card.
Did the virus corrupt that card's info?
Should we just take it in somewhere??
Truly lost now.

Spiritsongs

  • Guest
Re: Win32:Trojan-gen. {VC}.... Won't react to it***Still have probs***
« Reply #7 on: January 22, 2006, 08:33:44 PM »
:)  Hi Jonas:

It sounds like you should make that "visit" to www.landzdown.com that I suggested earlier!? And there is no "J2SE Runtime Environment 5.0 Update 1" listed in the "Add/Remove Programs" section of your computer!?

And if you have lost your internet connection, you somehow should get, then use, "Winsockfix" from: www.spychecker.com/program/winsockxpfix.html