system
December 26, 2005, 11:35pm
1
I keep getting annoying pop-up messages continuously, like the following:
[b]avast! connection timeout
Internet connection timeout elapsed. Continue waiting ?
(winlogon.exe → mta-v1.level3.mail.vip.mud.yahoo.com:25 )
YES - NO [/b]
The address bit (after winlogon) is different every time.
In addition my browser is slow and there is a strange looking blue screen in my task bar that displays those strange addresses when the mouse is placed over it but it is not clickable.
I had a virus incident earlier and avast identified some.
But there was another process called “sywscvs.exe” which is known to be malware and it was appearing in the popup screen in place of “winlogon”. This one I terminated and deleted but the problem continues.
I don’t know what settings to modify and I believe it is a virus (that cannot be handled effectively by avast).
At one stage the computer shut down, after winlogon tried to access something like an illegal memory.
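The alert quoted in this post is the kind of event a defender wants to catch automatically: winlogon.exe has no business speaking SMTP, and one process fanning out to many different mail hosts on port 25 is the picture a spam-sending trojan produces. The following is an added example, not code from the original thread or from avast!; it parses constructed alert lines in the same "(process → host:port)" shape as the post (only the yahoo.com host is from the thread, the other hosts are made up) and flags non-mail-client processes that contact two or more distinct SMTP servers.

```python
import re
from collections import defaultdict

# Constructed sample alerts, modelled on the avast! "connection timeout"
# pop-up quoted in the post. Only the first host appears in the thread;
# the remaining hosts use reserved example domains.
SAMPLE_ALERTS = """\
(winlogon.exe -> mta-v1.level3.mail.vip.mud.yahoo.com:25)
(winlogon.exe -> mx1.example-isp.net:25)
(winlogon.exe -> mail.example.org:25)
(winlogon.exe -> smtp.example.com:25)
(outlook.exe -> smtp.example-isp.net:25)
(iexplore.exe -> www.example.com:80)
"""

# Accept both the ASCII arrow and the "→" that the forum software renders.
ALERT_RE = re.compile(
    r"\(\s*(?P<proc>[^\s>]+)\s*(?:->|→)\s*(?P<host>[^\s:]+):(?P<port>\d+)\s*\)"
)

# Constructed allowlist: processes that legitimately send mail from a desktop
# (Outlook, Outlook Express, Thunderbird, and avast!'s own mail scanner proxy).
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe", "ashmaisv.exe"}


def parse_alerts(text):
    """Return (process, host, port) tuples for every recognisable alert line."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            out.append((m["proc"].lower(), m["host"].lower(), int(m["port"])))
    return out


def smtp_by_process(text):
    """Map each process to the sorted set of distinct hosts it contacted on TCP/25."""
    conns = defaultdict(set)
    for proc, host, port in parse_alerts(text):
        if port == 25:
            conns[proc].add(host)
    return {proc: sorted(hosts) for proc, hosts in conns.items()}


def flag_spam_senders(text, allowlist=MAIL_CLIENTS, min_hosts=2):
    """Flag processes outside the mail-client allowlist that reach several SMTP servers.

    A real mail client talks to its one configured outbound server; a process
    that walks through many MX hosts is behaving like a spam bot.
    """
    flagged = {}
    for proc, hosts in smtp_by_process(text).items():
        if proc in allowlist:
            continue
        if len(hosts) >= min_hosts:
            flagged[proc] = hosts
    return flagged


if __name__ == "__main__":
    for proc, hosts in flag_spam_senders(SAMPLE_ALERTS).items():
        print(f"{proc}: {len(hosts)} distinct SMTP destinations, e.g. {hosts[0]}")
```

The process name alone does not tell you which file is sending: later in this thread the log shows an `O20 - Winlogon Notify` DLL (msctl32.dll), and a Winlogon Notify DLL runs inside winlogon.exe, which is why the alert blames a legitimate system binary. The Kaspersky results later in the thread name SpamTool.Win32.Mailbot, which is consistent with what this rule is looking for.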
system
December 27, 2005, 1:09am
2
That blue-screen-looking program is also shown in “control panel - taskbar properties” and it keeps changing name continuously!
system
December 27, 2005, 1:23am
3
grunewald, can you get avast to do a boot time scan?
system
December 27, 2005, 2:00am
4
I tried adaware and it removed something.
When I rebooted the machine the blue thing wasn’t there, but it came back a little afterwards.
I’ll start a boot scan in the morning - can’t tell whether it’s going to complete without a crash.
Maybe it needs HijackThis and some other removal tool associated with it - I used to have those.
system
December 27, 2005, 11:22am
5
I did a boot time scan and nothing showed up - the problem remains.
system
December 27, 2005, 11:48am
6
HIJACK LOG
Logfile of HijackThis v1.99.1
Scan saved at 1:45:55 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\BINN\SQLSERVR.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\LSASS.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Temp\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cosmicway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [MSOffice32] C:\WINDOWS\system32\msjcf.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU..\Run: [Shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”
O4 - HKCU..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134350571345
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
DavidR
December 27, 2005, 3:02pm
7
This is an on-line analysis of your log file: http://hijackthis.de/logfiles/2c36856b32aa201ed22663c144830f31.html. There are a couple of Unknown entries and 1 classed as Nasty; they can also be scanned via the site. A handy bookmark for the future: http://hijackthis.de .
Fix these
O4 - HKLM..\Run: [MSOffice32] C:\WINDOWS\system32\msjcf.exe
See http://www.bleepingcomputer.com/startups/MSOffice32-13683.html
O4 - HKCU..\Run: [aupd] C:\WINDOWS\system32\sywsvcs.exe
See http://www.liutilities.com/products/wintaskspro/processlibrary/sywsvcs/
Nasty
O4 - HKCU..\Run: [Shell] “C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe”
See http://www.bleepingcomputer.com/startups/Shell-12302.html
system
December 27, 2005, 8:45pm
8
Deleted the above files from safe mode, using “autoruns” - the stuff reappeared nevertheless.
The new hijack log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:53:26 PM, on 12/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\BINN\SQLSERVR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Temp\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cosmicway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134350571345
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
system
December 27, 2005, 9:17pm
9
Your HijackThis log is clean. Have you tried these online scanners? Trend Micro Housecall, Bitdefender online scan, Kaspersky online scan
system
December 28, 2005, 12:42am
10
I will try those scanners now.
Tried spybot also but it says “nothing found”.
What about winlogon.exe?
That’s the one appearing in the avast message as well.
system
December 28, 2005, 9:54am
11
Kaspersky found 15 viruses but it’s not removing them.
Number of viruses found: 15
Number of infected objects: 55
Number of suspicious objects: 0
Duration of the scan process: 10447 sec
Infected Object Name - Virus Name
C:\Documents and Settings\nick\Local Settings\Temp\782.tmp Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\nick\Local Settings\Temp\a.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\nick\Local Settings\Temp\jav1.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav2.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav3.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav4.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav5.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav6.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav7.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav76B.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav8.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav9.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\javA.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\javB.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\javC.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\javD.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\8R4JQHGV\1[1].htm Infected: Exploit.HTML.Mht
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\8R4JQHGV\mng[1].exe Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\8R4JQHGV\ms1[1].txt Infected: Trojan-Downloader.Win32.Tiny.al
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\SDUFSDIJ\kl[1].txt Infected: Trojan-PSW.Win32.Agent.bu
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\SDUFSDIJ\tool3[1].txt Infected: Packed.Win32.Klone.b
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\UN4TQDO7\free[1].anr Infected: Trojan-Downloader.Win32.Ani.c
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\UN4TQDO7\loaderadv470[1].exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\UN4TQDO7\paradise[1].raw Infected: Packed.Win32.Klone.b
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\UN4TQDO7\toolbar[1].txt Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\YDML4PC7\country[1].htm Infected: Trojan-Dropper.Win32.Raven
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\YDML4PC7\drsmartload[1].exe Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\YDML4PC7\hosts[1].txt Infected: Trojan.Win32.Qhost.el
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\YDML4PC7\tool1[1].txt Infected: SpamTool.Win32.Mailbot.o
C:\Documents and Settings\nick\Local Settings\Temporary Internet Files\Content.IE5\YDML4PC7\xpladv470[1].wmf Infected: Trojan-Downloader.Win32.Agent.acd
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP104\A0014216.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014264.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014277.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014287.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014305.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014311.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014417.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014424.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014440.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014452.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014464.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014476.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP105\A0014489.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP106\A0014544.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP106\A0014550.sys Infected: SpamTool.Win32.Mailbot.b
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP106\A0014552.exe Infected: Trojan-Dropper.Win32.Raven
C:\System Volume Information_restore{A58A4824-291E-490A-8270-91BA662BA92F}\RP106\A0014556.sys Infected: SpamTool.Win32.Mailbot.b
C:\WINDOWS\country.exe Infected: Trojan-Dropper.Win32.Raven
C:\WINDOWS\hosts Infected: Trojan.Win32.Qhost.el
C:\WINDOWS\kl.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\WINDOWS\ms1.exe Infected: Trojan-Downloader.Win32.Tiny.al
C:\WINDOWS\system32\paradise.raw Infected: Packed.Win32.Klone.b
C:\WINDOWS\tool1.exe Infected: SpamTool.Win32.Mailbot.o
C:\WINDOWS\tool3.exe Infected: Packed.Win32.Klone.b
C:\WINDOWS\toolbar.exe Infected: Trojan-Downloader.Win32.Adload.j
Scan process completed.
system
December 28, 2005, 10:41am
12
First you’ll have to disable SYSTEM RESTORE and clean it out (if you don’t know how, click HERE and read my post; I posted screenshots on how to do it). Also clean out your temporary internet files, then run Kaspersky online scanner again, except this time click CLEAN INFECTIONS (or something like that; I don’t remember what it was, since it’s been a long time since Kaspersky detected an infection with me) after the scan is finished. OK?
DavidR
December 28, 2005, 12:38pm
13
These and some others are also in Temp so you need to clear all temp locations.
C:\Documents and Settings\nick\Local Settings\Temp\782.tmp Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\nick\Local Settings\Temp\a.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\nick\Local Settings\Temp\jav1.tmp Infected: Trojan-Spy.Win32.Hsow.d
C:\Documents and Settings\nick\Local Settings\Temp\jav2.tmp Infected: Trojan-Spy.Win32.Hsow.d
It is helpful to periodically clear out the temp folders before a major scan, as this will remove the need to scan many files in temp locations. Here are a couple of tools to help with that: [url=http://www.clearprog.de/][b]ClearProg - Temp File Cleaner[/b][/url] or [url=http://www.filehippo.com/download_ccleaner/][b]CCleaner - Temp File Cleaner, etc.[/b][/url]
system
December 28, 2005, 6:06pm
14
You can also use Internet Sweeper to clean out your temp files as well as history, etc. You can set it to clean what you want to be cleaned. Internet Sweeper can be set to clean each time the computer is started.
http://www.geocities.com/Internet_Sweeper/
Hope this helps you.
system
December 28, 2005, 11:19pm
15
Used the Kaspersky free trial and it deleted some 20-30 viruses, including the offending msctl32.dll (using the delete-at-startup option).
I don’t see the avast related timeout message now, but unfortunately the spam machine came back to life.
It doesn’t have a name either, but its icon looks like a grey monitor with a blue screen (is it called etowin?).
Also, when I ran Kaspersky for the first time, I left it unattended because it was taking long and the PC crashed with a “winlogon” error screen.
Re: disable system restore - I ran Kaspersky in safe mode and it doesn’t allow it.
Is avast now capable of dealing with the situation?
Below is the new HijackThis logfile:
Logfile of HijackThis v1.99.1
Scan saved at 1:19:03 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\MSSQL\BINN\SQLSERVR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Temp\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cosmicway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KAVPersonal50] “C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe” /minimize
O4 - HKLM..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134350571345
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
Modification: the “avast connection timeout” message has returned now.
DavidR
December 28, 2005, 11:54pm
16
Now you have two resident AVs installed, which is not recommended.
This can cause conflicts: as one accesses a file for scanning, the other can lock it to scan it as well, and that could possibly be why there is trouble deleting stuff.
What is this? It could be the uninstaller for the BitDefender on-line scan, but with no name and the file missing, I would suggest fixing it in HJT:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
system
December 29, 2005, 1:15am
17
Fixed “bdoscandel” and rebooted.
The spam engine is back now; the old threats removed by Kaspersky are back to life, including msctl32.dll.
Should I remove Kaspersky now? It’s only a trial copy.
Logfile of HijackThis v1.99.1
Scan saved at 3:10:42 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
C:\MSSQL\BINN\SQLSERVR.EXE
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Temp\hijack\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cosmicway.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KAVPersonal50] “C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kav.exe” /minimize
O4 - HKLM..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\MSMSGS.EXE” /background
O4 - HKCU..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Kaspersky Anti-Hacker.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Hacker\KAVPF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1134350571345
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
system
December 29, 2005, 2:09am
18
Looks like the threat is gone after the last action (bdoscandel), although it seemed bleak:
first Kaspersky produced a message about msctl32.dll but could not delete it
rebooted
went to HijackThis and fixed the msctl32.dll entry
Kaspersky produced the message again but this time delete worked
after reboot no sign of spam engine in task bar programs (30 minutes now).
If OK now, should I uninstall Kaspersky and return to Avast?
Of course I'd have to purchase Kaspersky to keep using it.
system
December 29, 2005, 12:54pm
19
Grunewald,
I’ve been having the same problem.
I scanned with Kaspersky too and found 9 threats, including msctl32.dll and i386p.sys.
Kaspersky could not delete msctl32.dll and would delete it at system startup.
After restart it seemed the threat was gone, but after +/- 20 minutes avast indicated that the sending of spam messages had started yet again…
I don't know what to do about this now… and I would appreciate any advice or help.
Here’s my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 13:16:18, on 29-12-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\anvshell.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\Caere\OmniPagePro90\opware32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\VCClient\VCClient.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Hanno\Bureaublad\hj\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [anvshell] anvshell.exe
O4 - HKLM..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM..\Run: [pdfFactory Pro Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro90\opware32.exe
O4 - HKLM..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM..\RunServices: [Microsoft Update] wumgrd.exe
O4 - HKLM..\RunServices: [Microsoft Update Config] winsl.exe
O4 - HKCU..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Zoeken - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Woord vertalen in het Nederlands - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nutafun4.dll' missing
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O17 - HKLM\System\CCS\Services\Tcpip..{4CC546FD-5040-449B-A615-D62FD7418DF3}: NameServer = 192.168.1.254
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NetCache - C:\WINDOWS
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: %NVSVC.name% (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
system
December 29, 2005, 2:40pm
20
Try those methods as described above, Autoruns, HijackThis and Kaspersky, until the viral processes are deleted.
msctl32.dll is attached to winlogon at startup, so the antivirus finds the application open and cannot delete it - also, if you terminate winlogon the computer shuts down. But msctl32.dll can be deleted at startup.
You may also use Google search to see which of the processes described in your HijackThis log are illegitimate - I don't recognize them offhand, but some of them are illegitimate.
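As an added example (not code from this thread or from any of its posters), here is a small Python triage script for the HijackThis entry types the thread turned on: O20 Winlogon Notify DLLs that a live scanner cannot remove, O4 RunServices entries, a broken O10 LSP chain, O15 trusted-zone wildcards and an R1 proxy auto-config URL. The sample log is constructed, modelled on the entries quoted above, and the heuristics are the reviewer's own, not HijackThis rules.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample in the shape HijackThis 1.99.1 prints, modelled on entries
# quoted in this thread (not a verbatim copy of either poster's log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wumgrd.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\nutafun4.dll' missing
O15 - Trusted Zone: http://*.winantivirus.com
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\system32\msctl32.dll
O20 - Winlogon Notify: NetCache - C:\WINDOWS
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
"""

# Every entry starts with a section code ("R1", "O20", ...) followed by " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+|F\d|N\d) - (.*)$")

def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (section, reason) for an entry worth a second look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O4" and "RunServices" in body:
        # RunServices is honoured by Windows 9x/ME only; XP ignores it, so whatever
        # wrote there is not a normal installer. A bare name hides where the file is.
        cmd = body.split("] ", 1)[-1]
        detail = "full path" if "\\" in cmd else "no path"
        return section, f"RunServices entry on an NT-family OS ({detail}): {cmd}"
    if section == "O10":
        # A missing LSP DLL breaks Winsock for every program on the machine.
        return section, "broken Winsock LSP chain: " + body
    if section == "O15":
        # Trusted-zone sites get fewer IE restrictions; a wildcard covers a domain.
        return section, "trusted-zone entry for " + body.split(": ", 1)[-1]
    if section == "O20":
        # Winlogon Notify DLLs load inside winlogon.exe, so a live scanner cannot delete
        # them (post 20); they go at boot. A directory instead of a .dll is malformed.
        target = body.split(" - ")[-1]
        kind = "dll" if target.lower().endswith(".dll") else "NOT a dll"
        return section, f"DLL loaded by winlogon.exe ({kind}): {target}"
    if section == "R1" and "AutoConfigURL" in body and "localhost" in body:
        # A PAC file on a local port means some installed product proxies all browsing.
        return section, "proxy auto-config on localhost: " + body.split("= ", 1)[-1]
    return None

def triage_log(text: str) -> List[Tuple[str, str]]:
    """Run triage_line over every line of a log and collect the findings."""
    return [hit for hit in (triage_line(ln) for ln in text.splitlines()) if hit]
```

`triage_log(SAMPLE_LOG)` returns six findings; the ordinary `O4 ... Run: [avast!]` entry is left alone, and the second O20 line is called out separately because its target is a directory rather than a DLL.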