Boot time scan issue, help please

A while ago I started getting .dll file access errors repeatedly in Windows, ran an avast scan and it recommended doing a boot-time scan. It’s been finding various trojan signatures, but during the scan it found a file within Windows and asked if I wanted to move it or not. I went over to this PC to look for advice on what to do, but when I looked back toward the laptop, the laptop had gone into sleep mode. I hit enter to bring it out of sleep mode, but the screen has remained black, and the disk access is still going mad.

Any suggestions? Is it still running whilst the screen isn’t on and should I leave it to run?

If you see disk access, it would suggest it’s scanning - however, it’s not consistent with waiting for your input. Well, maybe you pressed a number and “answered” the question about what to do with the detected file…

I’d suggest to interrupt the scan with the Escape key, because you wouldn’t see anything anyway, should something more be detected.
What is the exact build of avast! you have installed? We tried to prevent the machine from going into power-saving modes during a boot-time scan, but I’m not sure it really works that soon in the boot process…

Thanks. I’ve hit escape and tried logging back into windows with no problems. I have access to my files and as a precaution am backing everything I still want up to USB.

The .dll errors have subsided.

I installed the latest version off your site (the free one) today. I was having problems with my current antivirus, which had stopped updating automatically and requires manual updates now. I’m still using it with no problems on this computer, but the .dll errors were occurring on my laptop. I scanned using the antivirus but found nothing, but the .dlls were seemingly randomly named files in the C:\windows directory. I was worried, so I removed the antivirus and searched for a free one and found this one. Shortly after installing it found numerous problems, so I right-clicked the taskbar process and chose run avast. It did a memory scan whilst asking for a registration key, and recommended doing the boot scan, which I accepted.

Prior to this I was also having shutdown problems which I was researching using this computer, but avast shut down the pc fine.

Any suggestions for the next course of action? There’s still a .dll in my windows folder which appears to be a jumble of letters, all lowercase.

As a precaution I’ve changed my login password for every site I can imagine.

I am now running an in-Windows avast scan of my local drives to see what it finds. Any suggestions for a course of action regarding the suspiciously named ‘iyuhebafideqube.dll’ in C:\WINDOWS? The original .dll errors were complaining that something couldn’t access them, so I presume maybe the trojan was trying and failing to use them?

No hits on google, not too good…
nor systemlookup.com

Could you upload that dll to www.virustotal.com and post the link please?

Can you remember any of the other dll errors?

-Scott-
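Two checks come up in the posts above: whether a name like ‘iyuhebafideqube.dll’ is one of the randomly generated ones, and getting a hash to look up on VirusTotal before uploading anything. The script below is an added example written for this thread, not a tool from the original posts or from avast. It ranks file names in a directory by a generated-name heuristic and prints the SHA-256 of each hit; the thresholds, the extension list and the sample directory it builds are assumptions, and the sample files contain placeholder bytes, not malware.

```python
"""Triage helper for oddly named files in %SystemRoot%: score each file name
for a machine-generated look and compute its SHA-256 for a VirusTotal search.
Added example for this thread, not a tool from the original posts; the
scoring thresholds below are assumptions tuned on the names seen here."""
import hashlib
import os
import re
import tempfile

VOWELS = set("aeiou")
# Extensions worth looking at in a Windows directory (assumed list; the thread
# mentions .dll files in C:\WINDOWS and similar .dat files elsewhere).
SUSPECT_EXTENSIONS = {".dll", ".exe", ".dat", ".sys"}


def looks_generated(filename, min_len=10):
    """Heuristic: a long, all-lowercase-letter stem that alternates vowel and
    consonant almost perfectly (e.g. iyuhebafideqube) looks generated, while
    real Windows names are short, carry digits (kernel32) or cluster
    consonants (windowscodecs). This ranks candidates; it is not a verdict."""
    stem, ext = os.path.splitext(filename.lower())
    if ext not in SUSPECT_EXTENSIONS:
        return False
    if len(stem) < min_len or not re.fullmatch(r"[a-z]+", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    flips = sum((a in VOWELS) != (b in VOWELS) for a, b in zip(stem, stem[1:]))
    alternation = flips / (len(stem) - 1)
    return 0.35 <= vowel_ratio <= 0.65 and alternation >= 0.8


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(directory):
    """Return {filename: sha256} for files in `directory` (non-recursive)
    whose names look generated. Search the hash on virustotal.com first:
    a hash that is already known means the sample never has to be uploaded."""
    hits = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and looks_generated(name):
            hits[name] = sha256_file(path)
    return hits


# Constructed sample directory: real Windows file names plus the name reported
# in this thread; the contents are placeholder bytes, not malware.
SAMPLE_FILES = {
    "kernel32.dll": b"legit placeholder",
    "windowscodecs.dll": b"legit placeholder",
    "explorer.exe": b"legit placeholder",
    "iyuhebafideqube.dll": b"placeholder standing in for the reported file",
}


def build_sample_dir():
    directory = tempfile.mkdtemp(prefix="dll-triage-")
    for name, content in SAMPLE_FILES.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
    return directory


if __name__ == "__main__":
    for name, digest in triage(build_sample_dir()).items():
        print(f"{name}\t{digest}\tsearch this SHA-256 on virustotal.com")
```

Run it against the real directory with `triage(r"C:\WINDOWS")` instead of the sample; a file the heuristic flags still needs its hash checked, and a file it does not flag is not cleared by that alone.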

Sorry, I did a quick scan of the Windows folder and it picked up the .dll and moved it, and I’d tested my laptop’s functions to make sure everything was in working order, then cleared out the chest.

There were a few similarly named .dat files found in the system volume information, so I’m going to scan that in a bit too.

For me, one site I found linked the randomly named dll files with the trojans it was finding, from memory win32:vupa, win32:fasec. It was also finding trojan-gen {other}, and google’s opinion on that ranges from danger to false positive.

The errors I was seeing have gone, though. There were a few .exe files in my temporary internet files, which I have promptly emptied, and it pulled out some temp files in windows\temp as well.

I’m scanning windows again at the moment, then I plan to scan system volume information and the documents and settings folders twice more each. I’m also going to top it off with some anti spyware software. Does that seem like a reasonable plan of attack?

I’ve no clue how these could have got in, but ah well.

Can you remember any of the other dll errors?

No specifics, sorry. If I moved one from the folder, avast picked it up right away, and the error would change to not being able to find the file at all. I presume if the errors are gone and the files too following the boot scan, then maybe I’m in the clear, because it was clearly having issues of its own anyway? T

Anyway, a scan of the windows folder just found nothing. Going to system volume information now.

EDIT: Hmm, looks like I still have one of the dll files in the chest. I’ll upload it in a second.
EDIT2: Definitely a virus. I tried to restore it to upload to that site and avast caught it straight away. Listed ‘win32: vupa crypt’ iirc.

SuperAntiSpyware is recommended often here:

http://www.superantispyware.com/

As is Malwarebytes Anti Malware:

http://www.malwarebytes.org/mbam.php

I think that the free versions are only On-Demand though

-Scott-

Thanks, I’ll look into it.

I already have malwarebytes open in another tab, was going to do that after the scans had finished.

I’m hoping that I’m more or less clean now, in any case. Is it OK for me to bump this thread in the morning or something to get a few more opinions? Is a HJT log worth uploading too?

This will happen indefinitely because of the standard shield. (I think that’s the right provider.) If the PC is running OK, and avast has secured it in the chest, it is probably not really necessary for VirusTotal. Leave it in the chest for a while to ensure it definitely hasn’t affected the system.

If you feel you may still be infected you could post the logs of the various programs, or just for confirmation that you’re clean.

-Scott-

Thanks for your help and advice.

Malwarebytes is running a full scan now. I’ll run a full avast scan afterwards to double check.

My only worry is that I presumably stopped the boot time scan early…

Here’s my HJT log if anyone’s interested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31:53, on 15/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Elantech\ETDCtrl.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Malwarebytes’ Anti-Malware\mbam.exe
C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://eeepc.asus.com/global
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://eeepc.asus.com/global
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.churston.torbay.sch.uk:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM..\Run: [AsusTray] C:\Program Files\EeePC\ACPI\AsTray.exe
O4 - HKLM..\Run: [AsusACPIServer] C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
O4 - HKLM..\Run: [AsusEPCMonitor] C:\Program Files\EeePC\ACPI\AsEPCMon.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [ETDWare] C:\Program Files\Elantech\ETDCtrl.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM..\Run: [WinampAgent] “C:\Program Files\Winamp\winampa.exe”
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\RunOnce: [Malwarebytes’ Anti-Malware] C:\Program Files\Malwarebytes’ Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [Google Update] “C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe” /c
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [msnmsgr] “C:\Program Files\Windows Live\Messenger\msnmsgr.exe” /background (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: SuperHybridEngine.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device… - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send To Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra ‘Tools’ menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000a-7350-4f3c-8081-5663ee0c6c49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780b25-18cc-41c8-b9be-3c9c571a8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: groovelocalgws - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswupdsv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner (avast! mail scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner (avast! web scanner) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\


End of file - 9383 bytes


An analysis of your HJT log shows the following problems :

We didn’t detect any active process of a firewall on your system. Reasons may be:
(1.) You are using the windows firewall or a hardware firewall.
(2.) You are using a firewall of an unknown vendor.
(3.) You are using a firewall, but for unknown reasons it is disabled
(4.) You don’t use any firewall at all.
We recommend you to use a firewall.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Unnecessary (deactivated) entry that can be fixed.
http://www.spyandseek.com/Search.php?search_for=7E853D72-626A-48EC-A868-BA8D5E23E045&search=SAS-Search (see first 5 entries)

O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
This is not the original which is listed in your HJT log 5 entries above this one. This is a fake update service and might be the source of your problem.

Overview of running tasks :

smss.exe
System task
Session Manager Subsystem

winlogon.exe
System task
Microsoft Windows Logon Process

services.exe
System task
Windows Service Controller

lsass.exe
System task
Local Security Authority Service

svchost.exe
System task
Microsoft Service Host Process

svchost.exe
System task
Microsoft Service Host Process

btwdins.exe
System task
Microsoft Bluetooth Service

svchost.exe
System task
Microsoft Service Host Process

aswUpdSv.exe
Virusscan
Avast Anti-Virus Component

ashServ.exe
Virusscan
Avast

spoolsv.exe
System task
Microsoft Printer Spooler Service

Explorer.EXE
System task
Microsoft Windows Explorer

iviRegMgr.exe
Backgroundtask
RegMgr Module

jqs.exe
Backgroundtask
jqs.exe

AsTray.exe
Unknown task
Unknown task
(The above belongs to either ASUS … http://www.pcpitstop.com/libraries/process/i/AsTray.exe.html … or to Voyetra Audio Station … http://www.bleepingcomputer.com/startups/Astray.exe-347.html … neither of which have to be on at start-up)

svchost.exe
System task
Microsoft Service Host Process

PnkBstrA.exe
Suspicious task (but we know why it is running, right?)
pnkbstra.exe

igfxext.exe
Driver
Intel Common User Interface

svchost.exe
System task
Microsoft Service Host Process

AsAcpiSvr.exe
Unknown task (Part of ACPI driver for EEEPC from ASUS)
Unknown task http://www.pcpitstop.com/libraries/process/i/AsAcpiSvr.exe.html

igfxsrvc.exe
Driver
Intel(R) Common User Interface

AsEPCMon.exe
Backgroundtask
AsEPCMon.exe

jusched.exe
Backgroundtask
Sun Java Update Scheduler

ETDCtrl.exe
Unknown task (belongs to ElanTech touchpad)
Unknown task http://www.glaryutilities.com/startuplibrary/ETDWare=ETDCtrl.exe.html

igfxtray.exe
Application
Intel Graphics configuration and diagnostic application

hkcmd.exe
Application
Intel multimedia devices

RTHDCPL.EXE
Driver
Realtek HD Audio Sound Effect Manager

SOUNDMAN.EXE
Backgroundtask
Realtek Avance Logic Inc

ashMaiSv.exe
Virusscan
Avast Anti-Virus Component

ashWebSv.exe
Virusscan
avast! Web Scanner

GrooveMonitor.exe
Backgroundtask
GrooveMonitor Utility

ashDisp.exe
Virusscan
Avast AntiVirus

ctfmon.exe
System task
Alternative User Input Services

GoogleUpdate.exe
Backgroundtask
GoogleUpdate.exe

GoogleUpdate.exe
Backgroundtask
Google Updater

SuperHybridEngine.exe
Unknown task (belongs to ASUS)
Unknown task http://www.pcpitstop.com/libraries/process/i/SuperHybridEngine.exe.html

svchost.exe
System task
Microsoft Service Host Process

pidgin.exe
Unknown task ( multi-protocol Instant Messaging client)
Unknown task http://www.pcreview.co.uk/startup/pidgin.exe.php

mbam.exe
Anti Add/Spyware software
mbam.exe

chrome.exe
Application
Chrome Browser

chrome.exe
Application
Chrome Browser

chrome.exe
Application
Chrome Browser

HijackThis.exe
Application
Merijn Hijackthis


Shall I have HJT fix both those?

I’m running the windows firewall, but I’m open to recommendations for a good free alternative?

EDIT: PnkBstrA.exe is related to the PunkBuster online gaming anti-cheat service.
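The analyzer verdicts pasted above (the dead BHO, and the two services shown as "Unknown owner - C:\WINDOWS\") are the kind of thing a helper checks by hand before letting HJT fix anything: for a service, the real binary is the ImagePath under HKLM\SYSTEM\CurrentControlSet\Services\<name> (`sc qc wuauserv` prints it as BINARY_PATH_NAME on XP), and it is that file's signature and hash that settle whether the entry is genuine. The parser below is an added example written for this thread, not part of HijackThis or of the analyzer the poster used. It reads O2, O4 and O23 lines and lists the entries worth verifying; SAMPLE_LOG is a constructed excerpt in the same format as the log above, and the list of user-writable directories is an assumption.

```python
"""Added example for this thread (not part of HijackThis or the online
analyzer): parse HJT O2/O4/O23 lines and flag the entries to verify by hand.
SAMPLE_LOG is a constructed excerpt in the format of the log posted above."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section name reason")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK.*?)\\?\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<name>[^)]*)\) - (?P<owner>.+?) - (?P<path>.*)$")

# Directories an ordinary user can write to (assumed list); an autorun or
# service binary living there deserves a signature or hash check.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\users\\")

SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [Google Update] "C:\Documents and Settings\Adam\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O23 - Service: avast! Antivirus (avast! antivirus) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
"""


def executable_of(cmd):
    """Pull the program path out of a Run value: the quoted path if quoted,
    otherwise everything up to the first program-extension token, which keeps
    unquoted paths that contain spaces intact."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", cmd)
    return m.group(1) if m else cmd.split()[0]


def triage_hjt(log_text):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            if m.group("path") == "(no file)":
                findings.append(Finding("O2", m.group("clsid"),
                                        "BHO registered but its DLL is gone; dead entry, safe to fix"))
            continue
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd"))
            if "\\" not in exe:
                reason = "bare file name, resolved through the search path; confirm which file actually runs"
            elif any(d in exe.lower() for d in USER_WRITABLE):
                reason = "runs from a user-writable directory; verify signature or hash"
            else:
                continue
            findings.append(Finding("O4", m.group("label"), reason))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner") == "Unknown owner":
            reason = ("no vendor info; read ImagePath under HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
                      + m.group("name") + " and check that binary")
            if m.group("path").endswith("\\"):
                reason += " (path shown is truncated to a directory)"
            findings.append(Finding("O23", m.group("name"), reason))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.section:<4}{f.name:<40}{f.reason}")
```

Feed it a whole log with `triage_hjt(open("hijackthis.log").read())`; entries it does not list are not thereby clean, they simply match nothing the three rules look for.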

Just in case you have a rootkit, download this program, run it and post the results. Wait till your MBAM has finished scanning, and post the results of that too.

http://www.free-av.com/en/products/4/avira_antirootkit_tool.html

That required the install of an Avira AntiVir program before it would work, but Avira’s main AntiVirus program won’t connect to the net during installation (proxy settings?).

EDIT: Never mind, scanning now.

Really? Do you mean it told you that you have to have Avira AV? I thought it was a standalone tool that could be used regardless of which AV you have. Avira AV has its own rootkit scanner, so what would be the point of a standalone one?

No, it needs Avira AV.

I’ve gotten it installed and am scanning now. I’ll just uninstall the AV when it’s done so I don’t have 2 AV programs running.

Malwarebytes found nothing, by the way.

EDIT: Avira scan finished, nothing found.

Sorry to put you to so much trouble (although I never advised you to install 2 AVs). I disagree with you needing to install Avira AV; all Avira programs have rootkit scanners (free, premium, suite), so there would be no need for a ‘tool’. I have read posts of people without Avira using the AR tool. I myself have Avira; installing the tool causes conflicts with the built-in AR scanner. (I did such, to my regret.)
That aside, it’s an excellent program, and you came up clean, that’s the main point.

Glad to hear it seems clean.

I’m doing an Avira scan on my desktop computer right now and it’s also found one or two win32:fasec signatures so far (the scan is taking ages though).

Google says the fasec trojan is linked to fake antivirus programs, but I’ve not seen any of the sort on the PC.

I’m off now. I seriously do not recommend scanning your PC with 2 resident AVs going. If Avira finds anything, post back with the results. You are better off doing an online (on-demand) scan. Even then these programs recommend turning off your resident AV.

http://housecall.trendmicro.com/uk/

http://www.eset.com/onlinescan/