Author Topic: 4 Trojan virus, help me please ? [cleaned, thanks a lot essexboy and all of you]


ekhart
Hello, world, and thanks for taking time to read this =)

For 3 days now, avast! has detected 4 Trojans in a folder named MMS Assist. In my opinion, I should delete the whole thing, but for some reason I can't. The program says that it's already in use by something else, and even when I restart the computer to scan it, the file isn't deleted.
Here is what avast! says:

    Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\PROGRA~1\MMSASS~1\mmsass~1.dll" file.
    Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Program Files\MMSAssist\mmssver.dll" file.
    Sign of "Win32:Adware-gen. [Adw]" has been found in "C:\Program Files\MMSAssist\mmsass~1.dll" file.
    Sign of "Win32:Trojan-gen. {Other}" has been found in "C:\Program Files\MMSAssist\albus.dll" file.

I have already located the file but haven't opened it yet. What should I do, please?
« Last Edit: November 20, 2006, 07:35:48 PM by ekhart »

DavidR
Re: 4 Trojan virus, help me please ?
« Reply #1 on: November 03, 2006, 02:28:19 PM »
Don't rush, read the whole post before taking any action.

Windows in its infinite wisdom protects files that are in use (even malware) or in system folders, so it is likely that avast! can't delete or move files that are in use. So schedule a boot-time scan from avast's menu if you have XP, Win2k or NT; otherwise boot into safe mode and run an avast scan. This should ensure that the file isn't in use, and avast should be able to deal with it.

Deletion isn't really a good first option (you have no options left after it). 'First do no harm': don't delete, send the virus to the chest and investigate.

There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.

This does seem to be adware/malware as a google search for MMSAssist http://www.google.co.uk/search?q=MMSAssist returns many hits, as do searches for the associated file names.

If you are unable to move them to the chest in normal Windows use, then use the boot-time scan mentioned above. Still choose the option to move to the chest rather than delete.

essexboy
Re: 4 Trojan virus, help me please ?
« Reply #2 on: November 03, 2006, 07:13:34 PM »
You have the Borlan Trojan; this includes a rootkit element.  Currently the only removal method I know for this is Prevx
http://www.prevx.com/

If you wish, I can take you through the cleaning of this nasty (I am currently an upperclassman at Geek U)


ekhart
Re: 4 Trojan virus, help me please ?
« Reply #3 on: November 04, 2006, 01:57:05 AM »
You have to know, DavidR, that I already looked on Google to see what or who could help. And I came here as a last resort.

Thanks a lot essexboy, I accept your help with all my gratitude. Prevx located all the files and "moved them to safety" except "C:\Program Files\MMSAssist\mmsass~1.dll", which is not moved but not allowed to run either.

Do you want me to send you my e-mail, or will you help me from here?

Lisandro
Re: 4 Trojan virus, help me please ?
« Reply #4 on: November 04, 2006, 04:00:44 AM »
Quote
For 3 days, now avast! detected 4 Trojan in a file named MMS Assist. In my opinion, I should delete the whole file but for some reason, I can't. The program says that it's already used by something else and even when I re-start the computer to scann it, the file isn't deleted.

Did you try to scan at boot time, or just restart the computer?
I suggest that you run a boot-time scan with avast: Start avast! > Right click the skin > Schedule a boot-time scanning. Select archive scanning. Boot.

It won't harm if you:

1) Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
   Then after step four, enable it again.
2) Clean your temporary files.
3) Use a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

essexboy
Re: 4 Trojan virus, help me please ?
« Reply #5 on: November 04, 2006, 12:24:15 PM »
Hi Ekhart
Do it from here; I am currently working on a similar problem at Geek U, so I can run you in tandem.

Could you please post a HJT log for my perusal. Borlan is nasty and hard to get rid of, but it can be done  ;D

essexboy
Re: 4 Trojan virus, help me please ?
« Reply #6 on: November 04, 2006, 12:42:16 PM »
Off out now for a few hours, but I should be back by this evening.

FreewheelinFrank
Re: 4 Trojan virus, help me please ?
« Reply #7 on: November 04, 2006, 12:51:33 PM »
Hi essexboy,

For future reference, can Borlan still be removed by disabling the rootkit service as described here:

http://www.symantec.com/security_response/writeup.jsp?docid=2005-112111-0409-99&tabid=3

ekhart
Re: 4 Trojan virus, help me please ?
« Reply #8 on: November 04, 2006, 02:57:34 PM »
Quote
Did you try to scan at boot time or just restart the computer?
I suggest that you run a boot time scanning with avast: Start avast! > Right click the skin > Schedule a boot-time scanning. Select for scanning archives. Boot.

More than 3 times already.

Hi, Essexboy,

I had to search a bit to see what you meant (as I'm not a native English speaker, it's difficult to understand professional language), but here it is:

Holding cell:

C:\WINDOWS\SYSTEM32\ALSMT.EXE
C:\PROGRA~1\MMSASS~1\MMSASS~1.DLL
C:\PROGRAM FILES\MMSASS~1\MMSASS~1.DLL

Jail:

C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGGCENGINE.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGCENGINE.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGIEPROCESS.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\EGNSENGINE.DLL
C:\PROGRAM FILES\ERROR SAFE FREE\EMPTYERSF.EXE
C:\DOCUMENTS AND SETTINGS\MICHELLE\LOCAL SETTINGS\TEMP\ERRORSAFESCANNERSETUP.EXE
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GAPPMGR.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\GMT\GATORSTUBSETUP.EXE
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GMTPROXY.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GMTPROXY.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GSTORE.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GSTORESERVER.DLL
C:\PROGRAM FILES\FICHIERS COMMUNS\CMEII\GTOOLS.DLL
C:\DOCUMENTS AND SETTINGS\LEILA\LOCAL SETTINGS\TEMP\INSTALLBO-FSG.EXE
C:\DOCUMENTS AND SETTINGS\LEILA\LOCAL SETTINGS\TEMP\INSTALLMNL-FSG.EXE
C:\PROGRAM FILES\MIDNIGHT LAKE SCREENSAVER\MIDNIGHTLAKE.EXE
C:\PROGRAM FILES\MIDNIGHT LAKE SCREENSAVER\ML1UNINSTALLER.EXE
C:\WINDOWS\SYSTEM32\UNINSTALLMNL.EXE

Lisandro
Re: 4 Trojan virus, help me please ?
« Reply #9 on: November 04, 2006, 03:01:43 PM »
Quote
More than 3 times already.

And what about:
1) Disabling System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;310405
2) Cleaning your temporary files.
3) Using a-squared, Free AVG Antispyware, SUPERantispyware or Spyware Terminator (trojan removers).

SNOWHITE
Re: 4 Trojan virus, help me please ?
« Reply #10 on: November 04, 2006, 04:05:33 PM »
Quote
Could you please post a HJT log for my perusal,  Borlan is nasty and hard to get rid off but it can be done   ;D

Hi ekhart  ;)
Please follow the instructions from essexboy about posting HJT; he will help you, but first you will need to post a HijackThis log. Click on this link http://www.thespykiller.co.uk/html/downloads.html and download the "Hijackthis" self installer, then run HJT and click "Do a system scan and save a log file". When the scan is finished, copy and paste the content of the report to this thread. Do Not Fix anything with HJT!

« Last Edit: November 04, 2006, 04:07:40 PM by SNOWHITE »

essexboy
Re: 4 Trojan virus, help me please ?
« Reply #11 on: November 04, 2006, 07:22:29 PM »
Hello Snowhite, thanks for that, I forgot to put it in.

Quote
For future reference, can Borlan still be removed by disabling the rootkit service as described here:
FF, on the other system I was working on, Borlan defeated Gmer and the Sophos anti-rootkit tools, and at one stage I was pulling my hair out in frustration as it even defeated Prevx. But he is clean now, as currently Icesword and one other tool I have in reserve can beat it.  Anyway, back on track: I always do the cleanup when I am sure my client is clean and not before.

Ekhart, when you get the HJT log please post it here and I will see what is remaining.  No problem with the language, as if neither of us is sure we can always ask  ;D

ekhart
Re: 4 Trojan virus, help me please ?
« Reply #12 on: November 04, 2006, 08:10:28 PM »
All right, I'm sorry to be the cause of so much trouble... Thanks a lot Snowhite, and here is the stuff:

Logfile of HijackThis v1.99.1
Scan saved at 20:08:54, on 04/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
C:\Program Files\Prevx1\PXAgent.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
C:\Program Files\Prevx1\PXConsole.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Leïla Chihab\Bureau\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://haschishin.livejournal.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\fr\msntb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [FSASWREG] "C:\Program Files\Securitoo\Av_Fw\Anti-Spyware\fsaswreg.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Fichiers communs\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Fichiers communs\AOL\1154804588\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Fichiers communs\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [PrevxOne] "C:\Program Files\Prevx1\PXConsole.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.0.lnk = C:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Fichiers communs\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item:   >> ²ÊÐÅ·¢ËÍ << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O8 - Extra context menu item: Télécharger avec FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Télécharger tout avec FlashGet - C:\Program Files\FlashGet\jc_all.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Console Java (Sun) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ¿áÈÈÓ°Òô - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: webwork - {4C611512-2C1D-44b2-A044-872AD2AD5A61} - C:\WINDOWS\webwork\webwork.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Fichiers communs\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Fichiers communs\LightScribe\LSSrvc.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe" -f (file missing)


essexboy
Re: 4 Trojan virus, help me please ?
« Reply #13 on: November 04, 2006, 08:11:04 PM »
Looking now

essexboy
Re: 4 Trojan virus, help me please ?
« Reply #14 on: November 04, 2006, 08:22:02 PM »
Close to good. For this I will need you to disable Prevx.  To do this, right click the GREEN ball in your system tray and select exit.  Say OK to the warning, then:

Please re-open HiJackThis and scan.  Check the boxes next to all the entries listed below.

O9 - Extra button: ¿áÈÈÓ°Òô - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)
O8 - Extra context menu item:   >> ²ÊÐÅ·¢ËÍ << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm
O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm
O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll


Now close all windows other than HiJackThis, then click Fix Checked.  Close HiJackThis.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.

  • Click the red-and-white Delete File button.  Click Yes at the Delete on Reboot prompt.  Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please repost a new HJT log when complete and I will re-assess.
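The triage that essexboy does by eye above (reading the HijackThis log, picking out the O2/O8/O9 entries that point into the MMSAssist directory or at the kuree.com button, and working back to the DLL that hosts them) can be mechanised. The following is an added example written for this page; it is not code from the thread, from Avast or from the HijackThis project. The parser is a best-effort reading of the line shapes visible in the log above (`section - kind: name - {CLSID} - target`, `[value] command` for O4 lines, `key = data` for R lines), the sample log lines are copied from ekhart's post, and the suspect markers are the ones essexboy's reply singles out. Anything not found in a marker list or a log line is an assumption of this example.

```python
import re
from typing import List, NamedTuple, Optional, Sequence


class HjtEntry(NamedTuple):
    section: str            # "R0", "O2", "O4", ...
    kind: str               # "BHO", "Extra button", "HKLM\..\Run", or "" for R lines
    name: str               # display name, registry value name or value path
    clsid: Optional[str]    # first {GUID} on the line, if any
    target: str             # file path, res:// reference or URL the entry points at


LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def _unquote(target: str) -> str:
    """Keep only the quoted path of a command line such as "C:\\x\\y.exe" -osboot."""
    if target.startswith('"') and target.count('"') >= 2:
        return target[1:target.index('"', 1)]
    return target


def parse_hjt_line(line: str) -> Optional[HjtEntry]:
    """Parse one HijackThis entry; returns None for headers and process-list lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    kind, sep, rest = body.partition(": ")
    if not sep:                               # R0/R1 lines carry no "kind:" prefix
        kind, rest = "", body
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0) if clsid_m else None
    if rest.startswith("["):                  # O4: [value name] command line
        name, _, target = rest[1:].partition("] ")
    elif " = " in rest:                       # R0/R1 and O4 Startup: key = data
        name, _, target = rest.partition(" = ")
    else:                                     # O2/O3/O8/O9/O21/O23: name - {clsid} - target
        parts = [p.strip() for p in rest.split(" - ")]
        name = parts[0]
        target = parts[-1] if len(parts) > 1 else ""
    target = re.sub(r"\s*\(file missing\)$", "", target)
    return HjtEntry(section, kind, name.strip(), clsid, _unquote(target.strip()))


def host_file(target: str) -> Optional[str]:
    """Map a target back to the local file that would need quarantining.
    res://C:\\dir\\x.dll/page.htm -> C:\\dir\\x.dll; URLs and empty targets -> None."""
    path = target[len("res://"):] if target.lower().startswith("res://") else target
    if not LOCAL_PATH_RE.match(path):
        return None
    if "/" in path:                           # resource name appended to the DLL path
        path = path[:path.rindex("/")]
    return path


def flag_entries(log_lines: Sequence[str], suspect_markers: Sequence[str]) -> List[HjtEntry]:
    """Entries whose name or target mentions any marker (case-insensitive, so both
    the 8.3 short name MMSASS~1 and the long name MMSAssist match)."""
    flagged = []
    for line in log_lines:
        entry = parse_hjt_line(line)
        if entry is None:
            continue
        haystack = f"{entry.name} {entry.target}".lower()
        if any(marker.lower() in haystack for marker in suspect_markers):
            flagged.append(entry)
    return flagged


def files_to_quarantine(entries: Sequence[HjtEntry]) -> List[str]:
    """Distinct local files behind the flagged entries (Windows paths compare case-insensitively)."""
    seen, files = set(), []
    for e in entries:
        f = host_file(e.target)
        if f and f.lower() not in seen:
            seen.add(f.lower())
            files.append(f)
    return files


# Constructed sample: a subset of the lines from the HJT log posted in this thread.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://haschishin.livejournal.com/",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: Vision - {6671A431-5C3D-463d-A7CF-5587F9B7E191} - C:\PROGRA~1\MMSASS~1\mmsass~1.dll",
    r'O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"',
    r"O8 - Extra context menu item:   >> ²ÊÐÅ·¢ËÍ << - res://C:\PROGRA~1\MMSASS~1\Mmsass~1.dll/mms.htm",
    r"O8 - Extra context menu item: >>²ÊÐÅ·¢ËÍ<< - res://C:\PROGRA~1\MMSASS~1\mmsass~1.dll/mms.htm",
    r"O9 - Extra button: ¿áÈÈÓ°Òô - {7D73FF86-05F1-39ed-C850-A423120EC338} - www.kuree.com/index.htm?id=00011001 (file missing)",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
]

# Markers taken from what the thread identifies: the MMSAssist directory and the kuree.com button.
SUSPECT_MARKERS = ("MMSASS~1", "MMSAssist", "kuree.com")

if __name__ == "__main__":
    hits = flag_entries(SAMPLE_LOG, SUSPECT_MARKERS)
    for e in hits:
        print(f"{e.section:>3}  {e.kind:<24} {e.name!r:<32} -> {e.target}")
    print("files to quarantine:", files_to_quarantine(hits))
```

Two design points worth noting. First, the matcher keys on the name and target text rather than on the CLSID, because the same adware ships under several CLSIDs while its install directory stays put; a CLSID list would still be the right index if you were cross-referencing against a published IoC set. Second, `host_file` strips the `res://...dll/mms.htm` resource reference down to the DLL, which is the object a quarantine tool actually has to move; the resource name is just an entry inside it.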