Problems with TROJANS that are hard to get rid of...

[KLM]

Well, hello, i am posting 'cause a problem with 3 trojans and the pops-up of several interne pages (of music, errorsafe software and antivirus software). The trojans are:
Win32:Dialer-988
win32:Agent-HZS
win32:VBStat-C

With Avast i was able to detect and to send them to the chest but every time i start the computer, the resilent protection shows the alerts for the same trojans i just dealed with!!

Mauserme, i tryed to copy the results of "hijackthis" in this post but i couldn't because there is a limit of 1000 characters... should i try to send it to you in a personal messaje? or what should i do?.. thanks again

[KLM]

These are the results of "hijckthis" scaner:

Logfile of HijackThis v1.99.1
Scan saved at 01:08:31 p.m., on 29/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Archivos de programa\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\Archivos de programa\Winamp\winampa.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Messenger\msmsgs.exe
C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\uaknyolm.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7Debug\mdm.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe
C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\ARCHIV~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Archivos de programa\Hijackthis\HijackThis.exe
C:\Archivos de programa\Alwil Software\Avast4\ashSimpl.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O3 - Toolbar: PDF de Adobe - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Archivos de programa\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Archivos de programa\Archivos comunes\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Archivos de programa\Winamp\winampa.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Archivos de programa\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Archivos de programa\Archivos comunes\Ahead\Lib\NMBgMonitor.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Inicio rápido de Adobe Acrobat.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convertir a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir destino de vínculo en archivo PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir selección a archivo PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convertir selección a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF de Adobe - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convertir vínculos seleccionados a PDF existente - res://C:\Archivos de programa\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182137518248
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182192437437
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Archivos de programa\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService -   - C:\WINDOWS\system32\uaknyolm.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Archivos de programa\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: NBService - Nero AG - C:\Archivos de programa\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Archivos de programa\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[KLM]

Jeje, finaly i was able to post the hijackthis scaner results....

[FreewheelinFrank]

Hi KLM,

Three suspicious entries:

C:\WINDOWS\system32\uaknyolm.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\kxvouybm.dll",realset
O23 - Service: DomainService - - C:\WINDOWS\system32\uaknyolm.exe

And some adware:

O4 - Startup: PowerReg Scheduler.exe

Upload the suspicious files to VirusTotal for analysis (enable view hidden & system files first).

Have you tried the usual adware/spyware/Trojan removers?

DrWeb CureIT!
AVG Anti-Spyware Free (Requires Win2k/XP)
Ad-Aware Free
Spybot Search & Destroy
SUPERAntiSpyware Free

In the case of stubborn malware, check for rootkits:

Panda Antirootkit
Blacklight
AVG Anti-Rootkit

[KLM]

FreewheelinFrank, thank for your advise... I tryed to send the archives by mail but the mail system doesn´t allow me to send them because their are infected... so I used the antivirus avast to scan the file "system32" but the results aren't satisfactory...they say there are no virus.... and right now i am trying to download the antispyware you recommended me...
 

[KLM]

Ok, i found out how to scan those archives in "virustotal"...the results say that es a trojan (and avast can't detect it...snifff...). Now i am going to try the antispyware...

[DavidR]

Ensure you send the sample/s to virus@avast.com zipped and password protected with password in email body and false positive/undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

[KLM]

Uhh... that is going to be dificult DavidR... after instaling the antispyware all those archives were moved to quarentine... should i restore and send them to avast as you said?...

[DavidR]

I would say Yes open the chest, add them to the User Files section of the avast chest and send them from there.

Once toy have added it to the chest (where it can do no harm), then delete the file in the location you restored it too as it still exists after adding it to the chest.

[KLM]

Well, ready, I did it. I send the messaje to avast through the avast chest; but the problem is that i couldn´t add an .exe that was identified by the antispyware (avg-antispyware7.5) as a high risk trojan. It says that the location is

C:\System Volume Information\_restore{3CE6A2C2-82B8-4FE8-8902-A9CA6876B112}\RP39\A0005621.exe

but i first configure the files to see the ocult files and in spite of that i can't find that location.... can you help me once again DavidR?

[KLM]

And I have another question (i don't know much about programing): WHAT DOES "HIJACKTHIS" DOES TO MY SYSTEM? and what does the results means?

I appreciate your help.

[mauserme]

Mauserme, i tryed to copy the results of "hijackthis" in this post but i couldn't because there is a limit of 1000 characters... should i try to send it to you in a personal messaje? or what should i do?.. thanks again

I'm glad you decided to post this in the public forum, KLM.  You're in good hands right now.

You don't need to try to upload the System Volume detection - the file will be too large.  That is one of your system restore points and any malware that might have been saved there will not harm you as long as you don't restore your computer to a previous point.

Please post the full file name with path of the trojans so FwFrank and DavidR can have a better look at what they're dealing with.  The file name and path will look something like C:\windows\file.mal

And I have another question (i don't know much about programing): WHAT DOES "HIJACKTHIS" DOES TO MY SYSTEM? and what does the results means?

When you run a scan, HJT enumerates various processes being run on your computer and lists the registry entires that load those processes.  It doesn't actually make any changes on its own.  At this point its just an analysis tool.

Later, if you are asked to "fix" some of the lines this will remove them form the registry and the associated files can then be deleted.

[Lisandro]

should i restore and send them to avast as you said?...

If the files aren't on avast Chest but on antispyware tool ones, can you extract them to another folder than the original one? If you can, maybe it will be safer and you'll help avast to improve detection.

[DavidR]

Well, ready, I did it. I send the messaje to avast through the avast chest; but the problem is that i couldn´t add an .exe that was identified by the antispyware (avg-antispyware7.5) as a high risk trojan. It says that the location is

C:\System Volume Information\_restore{3CE6A2C2-82B8-4FE8-8902-A9CA6876B112}\RP39\A0005621.exe

but i first configure the files to see the ocult files and in spite of that i can't find that location.... can you help me once again DavidR?

First to be able to see that it is a hidden folder, you need to show hidden files and folders. Windows Explorer, Tools, Folder Options, View, tick 'Show hidden files and folders.'

The C:\System Volume Information folder is a part of the system restore function and as such is protected by windows. Personally I wouldn't worry about that one (as mauserme said it could be quite large), but I would say you should clean your C:\System Volume Information folder that will remove infected restore points.

Create Clean Restore Point - Clear old Restore Points.
Once you are clear of infection create a clean System Restore point:

1. Click Start, All Programs, Accessories, System tools, System Restore.
2. In the pop-up that appears fill in the radio button to Create a Restore Point
3. Click NEXT
4. Enter a useful name that you will remember if you need to find this again (Clean Restore Point)
5. Click CREATE

You now have a clean restore point, you should clear the old ones:

1. Click Start, All Programs, Accessories, System tools, Disk Clean Up
2. Click OK on the C: drive
3. Click the More Options tab
4. In the System Restore section click the Clean Up button

[KLM]

Very well, as you recomended mauserme:

This are some of the routes of the other trojans:

1) Adware.Virtumonde is in C:\WINDOWS\system32\byxyyyy.dll

2) trojan.Agent.aoy is in C:\System Volume Information\_restore{3CE6A2C2-82B8-4FE8-8902-A9CA6876B112}\RP39\A0005621.exe

The second one has traces in several archives (.exe). I only mentioned one...


And, DavidR. You said that after "cleaning" my system i should create a clean system restore point. By cleaning you mean eliminate all the files and folders infected that are in quarantine in the AVG anti-spyware?, and i was unable to acces to the folder C:\system volume information\ It said that the access was restricted....