Author Topic: UPX - Temp - Trojan - Avast  (Read 19946 times)


mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #15 on: December 23, 2006, 07:09:34 AM »
@vbs

I notice you've also sought advice on this problem at the LandzDown Forum and that's perfectly fine. 

But please don't try to combine the advice given here with the advice given there - doing so could lead to unproductive and possibly harmful results since we are not able to give you a co-ordinated effort.  For example, when they told you to delete smss.exe using killbox you got an error because you had already deleted it via my method.  My goal, and theirs, is to fix the problem not create larger problems.

http://www.landzdown.com/index.php?PHPSESSID=e8cb1871c6ac24f05dc52ad92883c212&topic=13235.0



@ Spritsongs

Your constant ambulance chasing is inefficient, unproductive, and potentially damaging.  You profess a desire to help people yet your own agenda always finds its way ahead of their well being.

I implore you, if you want to help then help.  You have the knowledge and ability.  But recognize that always telling people to go elsewhere is the opposite of help.

vbs

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #16 on: December 23, 2006, 04:13:42 PM »
Hi again mauserme.

Before your and LandzDown's help, I deleted smss.exe manually.
Now I am not sure that I'm able to fix the problem.
But after deleting it with Shift + Delete (C:\Windows\System\smss.exe) I didn't get an avast warning.
Everything seems good for now.

What can I do now to be sure that the trojan is gone?

mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #17 on: December 23, 2006, 04:42:04 PM »
Before your and LandzDown's help, I deleted smss.exe manually.
Everything seems good for now.

Hi vbs,

No problem - smss.exe needed to go so you should be fine.  The lack of warnings is a good sign.
 
You still should install a third party firewall and update Windows.  And you should scan with a-Squared and SuperAntispyware.

That question you were asked at LandzDown (and would have eventually been asked here too) about

O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1

needs to be resolved.  Do you recognize it? 

Also let me know if you ever fixed

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

with HijackThis.  It's been recommended on both forums but you haven't indicated whether it's done.

And most importantly, keep us updated as to what steps you're taking.  Surprises aren't good when trying to figure these things out.

DavidR

  • Avast Überevangelist
  • Posts: 89642
  • No support PMs thanks
Re: UPX - Temp - Trojan - Avast
« Reply #18 on: December 23, 2006, 05:07:25 PM »
The O17 entry seems strange to me also, as 192.168.0.1 is usually your router's IP address (I assume you have a router) and legitimate O17 IP entries usually point to your ISP's IP. Pointing to your router wouldn't allow access to the ISP IP, weird?

mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #19 on: December 23, 2006, 06:03:09 PM »
Possibly a router or modem depending on the configuration.

If there are no connectivity problems and the computer appears malware free I'm inclined to say leave it alone for now.

vbs

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #20 on: December 24, 2006, 12:36:50 AM »
I have a router, yes, it's right.
192.168.0.1 is my router's IP.

When I search with HijackThis there's no smss.exe found.

So everything is OK for now, I think?
Am I right?

Really thank you all.

mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #21 on: December 24, 2006, 12:55:22 AM »
It's looking good and if you're satisfied with that so be it.

But I would still run the extra scans I mentioned to double check, then post one last HJT log.  And for sure fix the O4 entry and get the firewall and updates.  It's up to you.

Queen of losers

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #22 on: December 27, 2006, 06:01:27 PM »
Hi,
I'm having exactly the same problem as vbs. I use XP Pro. My firewall is ZoneAlarm. I had shut it down for about an hour; I think that's when I got infected, though I'm not sure how. Below is my HijackThis log. I would really appreciate your insights before doing anything on my own.

Logfile of HijackThis v1.99.1
Scan saved at 18:53:19, on 27.12.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\GamePark\gameparkclient_en.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\hjt\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://update.zonelabs.com/downloadrequest?updtConfId=4&updtReqId=828709123
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.ttnet.net.tr:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Bağlantılar
O2 - BHO: DownloadRedirect Class - {00000000-6CB0-410C-8C3D-8FA8D2011D0A} - C:\Program Files\iMesh\iMesh5\iMeshBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Daemon14] C:\PROGRA~1\MI948F~1\GAMECO~1\STRATE~1\daemon14.exe
O4 - HKLM\..\Run: [U.S. Robotics Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Registration Prince of Persia Warrior Within.LNK = C:\Program Files\Ubisoft\Prince of Persia Warrior Within\Support\Register\RegistrationReminder.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: ATI CATALYST Sistem Tepsisi.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O15 - Trusted Zone: http://www.***.com
O15 - Trusted Zone: http://www.***.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.ntvmsnbc.com/download/nm1228.cab
O16 - DPF: {2FF18E30-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.02) - http://www.ntvmsnbc.com/download/nm0321.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zone.msn.com/binary/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: U.S. Robotics Wireless LAN Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

---

Thank you really very much for your attention. I look forward to receiving your comments.

By the way, I have run a full scan with AdAware, and it didn't come up with the solution either.
« Last Edit: December 27, 2006, 06:26:29 PM by Queen of losers »

mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #23 on: December 28, 2006, 03:13:33 PM »
Welcome to the forum QoL.  Sorry for the delay - I was away for a few days.

My advice regarding C:\WINDOWS\system\smss.exe is the same for you.  Copy the file to CD and delete it (in safe mode if necessary) making sure you do not delete the file with the same name in the System32 folder.

Also fix this line with HijackThis

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

Your Trusted Zone has been set to an insecure level and the lines

O15 - Trusted Zone: http://www.***.com

can be fixed unless you have a specific purpose for this (there are two lines that read the same).

Your version of Java is a little old and should be updated

http://www.java.com/en/download/manual.jsp

Make sure you uninstall the old version after installing the new.

This line

O17 - HKLM\System\CCS\Services\Tcpip\..\{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14

needs your attention.  Do you recognize the addresses?  They are registered to Turk Telekom which may be your ISP.

You also need to decide if you want Download Accelerator Plus and IMesh on your computer.  The free versions of the programs are a source of adware and spyware but if you want the programs and are willing to accept the risks then leave them alone.

Lisandro

  • Avast team
  • Posts: 67185
Re: UPX - Temp - Trojan - Avast
« Reply #24 on: December 28, 2006, 07:56:50 PM »
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
Strange, the owner is Alwil Software

O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
Ignore any references to O23 entries for avast; this is a bug in HJT 1.99.1. HijackThis is searching for 'C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service' (including the double quote and the '/service' parameter) as a file, and this causes 'file missing', because only 'C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe' is present.
The best things in life are free.
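As an added example (my own code, not from this thread, from HijackThis or from Alwil), a small Python triage of the log lines quoted above: it flags a core system process name loaded from outside System32 (the O4 .nvsvc entry), labels O17 NameServer addresses as router-private or public-to-confirm-with-your-ISP, and splits a service command line into executable and arguments so the trailing quote and '/service' do not produce the false 'file missing' that Lisandro describes. The SYSTEM32_ONLY list and the line regexes are my assumptions.

```python
import ipaddress
import ntpath
import re

# Constructed sample input: lines copied from the HijackThis log quoted in this thread.
# " (file missing)" is HJT's own verdict text, not part of the registry value.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{3D76DC7E-3561-430F-8851-B0927F2E57B8}: NameServer = 192.168.0.1",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14",
    r'O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)',
]

# Assumed list: core Windows processes that legitimately live only in System32. A file with
# one of these names in another folder (C:\WINDOWS\system\smss.exe here) is a masquerade.
SYSTEM32_ONLY = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.exe)"?\s*(?P<args>.*)$', re.IGNORECASE)

def path_hjt_1991_checked(cmd):
    """The string HJT 1.99.1 tested for existence: the whole command line, stray quote
    and '/service' included. No file has that name, hence 'file missing'."""
    return cmd.replace(" (file missing)", "").strip()

def split_command(cmd):
    """Separate the executable from its arguments before any file-exists check."""
    m = EXE_RE.match(path_hjt_1991_checked(cmd))
    if not m:
        return path_hjt_1991_checked(cmd), ""
    return m.group("exe"), m.group("args").strip()

def triage(line):
    """Return (verdict, note) for one HijackThis log line."""
    m = O4_RE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        name, folder = ntpath.basename(exe).lower(), ntpath.dirname(exe).lower()
        if name in SYSTEM32_ONLY and not folder.endswith("\\system32"):
            return "suspicious", f"{name} runs from {folder}, not System32; fix O4 [{m.group('name')}]"
        return "ok", f"autorun {name} {args}".strip()
    m = O17_RE.match(line)
    if m:
        notes = []
        for ip in m.group("servers").split(","):
            private = ipaddress.ip_address(ip).is_private
            kind = ("private, typically the router" if private
                    else "public, confirm it belongs to your ISP")
            notes.append(f"{ip} is {kind}")
        return "review", "; ".join(notes)
    m = O23_RE.match(line)
    if m:
        exe, args = split_command(m.group("cmd"))
        return "ok", f"service {m.group('svc')} runs {exe} with args {args!r}"
    return "unknown", line
```

Running `triage` over SAMPLE_LINES marks only the .nvsvc entry as suspicious and reports the avast service as running ashMaiSv.exe with '/service', the file HJT should have looked for.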

Queen of losers

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #25 on: December 29, 2006, 10:55:20 AM »
Quote
Welcome to the forum QoL.  Sorry for the delay - I was away for a few days.

My advice regarding C:\WINDOWS\system\smss.exe is the same for you.  Copy the file to CD and delete it (in safe mode if necessary) making sure you do not delete the file with the same name in the System32 folder.

Also fix this line with HijackThis

O4 - HKLM\..\Run: [.nvsvc] C:\WINDOWS\system\smss.exe /w

I have done these and the Avast alert for the trojan has stopped, thank you :)

Quote
Your Trusted Zone has been set to an insecure level and the lines

O15 - Trusted Zone: http://www.***.com

can be fixed unless you have a specific purpose for this (there are two lines that read the same).
I didn't want the addresses to be exposed on the internet, so I put "***" instead of the real URLs.

Quote
Your version of java is a little old and should be updated

http://www.java.com/en/download/manual.jsp

Make sure you uninstall the old version after installing the new.
I am currently installing the Java Runtime Environment Update 10. After finishing that installation am I supposed to uninstall the J2SE Runtime Environment 5.0 Update 2 (117 MB), J2SE Runtime Environment 5.0 Update 4 (118 MB), J2SE Runtime Environment 5.0 Update 6 (119 MB) that I see in Add/Remove Programs in Control Panel?

Quote
This line

O17 - HKLM\System\CCS\Services\Tcpip\..\{675E63BA-D9CA-4D8A-ABB4-866691398B00}: NameServer = 62.248.102.190,195.175.37.14

needs your attention.  Do you recognize the addresses?  They are registered to Turk Telekom which may be your ISP.

My ISP is Turk Telekom, yes, does that mean that I need not pay attention to that line? Or should I investigate further?

Quote
You also need to decide if you want Download Accelerator Plus and IMesh on your computer.  The free versions of the programs are a source of adware and spyware but if you want the programs and are willing to accept the risks then leave them alone.
I'll take your advice regarding these programs as well.

Thank you very much for all the time and effort you spent in helping me. They have been invaluable, really.

mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #26 on: December 29, 2006, 03:00:07 PM »
I didn't want the addresses to be exposed on the internet, so I put "***" instead of the real URLs.

OK.  No problem.

After finishing that installation am I supposed to uninstall the J2SE Runtime Environment 5.0 Update 2 (117 MB), J2SE Runtime Environment 5.0 Update 4 (118 MB), J2SE Runtime Environment 5.0 Update 6 (119 MB) that I see on the Add/Remove programs in Control panel?

Yes, uninstall all versions older than Update 10.

My ISP is Turk Telekom, yes, does that mean that I need not pay attention to that line? Or should I investigate further?

As long as you can confirm that this is your ISP there's no need to do anything further.

I'll take your advice regarding these programs as well.

If you're uninstalling these try Add/Remove Programs first.  After uninstalling DAP look for any remnants in C:\Program Files\DAP and C:\Program Files\SideFind.  Delete these manually if found.  With iMesh make sure you uninstall both iMesh 5 and iMesh Bar.  Delete your temp files and do a light registry cleaning afterward.  CCleaner should be sufficient for this.

http://www.ccleaner.com/

If you're installing CCleaner for the first time make sure to un-check the Yahoo Toolbar option since you probably don't want this.

And you're welcome for the help.  Come back often.

Queen of losers

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #27 on: December 29, 2006, 03:22:25 PM »
Although this may not be the right place to ask, I'll take a chance.

I have installed and used CCleaner a few weeks ago, but I think I made a mistake somewhere. I can't use any Run commands any more (like msconfig); Windows gives the error "cannot be found" or something similar. How can I solve that issue? Should I use the Windows XP CD for the repair function?

mauserme

  • Guest
Re: UPX - Temp - Trojan - Avast
« Reply #28 on: December 29, 2006, 04:49:02 PM »
I would be surprised if CCleaner caused this but you could try restoring the registry backup (assuming you created one) to see if this helps.

Otherwise your idea sounds like it's worth a try.