Problems with a virus

Whenever I open Internet Explorer,
there is always a virus called "Win.Small-EPO [trj]"
from a website, [www.adxxxo.cn/bind_32.exe],
but I have never gone to this website…

Avast! 4 Home then opens a window telling me to click the disconnect button,
but after disconnecting, another Win.Small-EPO [trj] is here again!

How to solve this problem? Thank you very much!

Strange, I couldn’t find that site… neither the file of course.
I couldn’t scan the file with Dr. Web or even test it…
Can you post a screenshot?

To know how to post a screenshot, see http://forum.avast.com/index.php?topic=8982.0
You can use Gadwin PrintScreen to get a screenshot (http://www.gadwin.com/printscreen/) or the free version of WinSnap 1.1.10 (http://www.filehippo.com/download_winsnap/?2173).

Thanks very much.
This condition only occurs in another account in my computer.
Where can I find the virus record from Avast?

I have got it.

  • VPS: 000749-1, 15/06/2007

hxxp://www.adonga.cn/233.exe[Embedded#1][ASPack][Embedded#0f4664][Embedded#08040] [L] Win32:Adware-gen. [Adw] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)
hxxp://www.adxxxa.cn/bind_50110.exe [L] Win32:Small-EPO [trj] (0)

These websites I have never gone before.

Well, it looks like you may have a trojan downloader on your system that is visiting the sites to download its payload. The DrWeb link checker confirms 233.exe is infected, although it doesn’t detect anything for bind_50110.exe. I would tend to believe the avast detection, especially since ‘you’ didn’t visit the site nor initiate the download.

You need to modify your post so the links aren’t active to avoid accidental exposure, e.g. http :// www . adonga.cn /233.exe\ - http :// www . adonga.cn / bind_50110.exe

What is your firewall ?
It should be capable of blocking unauthorised outbound Internet Connections and winXp’s doesn’t provide outbound protection.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log (see instructions below) in your next reply

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Click here to download HJTsetup.exe

[*]Save HJTsetup.exe to your desktop.
[*]Doubleclick on the HJTsetup.exe icon on your desktop.
[*]By default it will install to C:\Program Files\Hijack This.
[*]Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
[*]Put a check by Create a desktop icon then click Next again.
[*]Continue to follow the rest of the prompts from there.
[*]At the final dialogue box click Finish and it will launch Hijack This.
[*]Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
[*]Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
[*]Come back here to this thread and Paste the log in your next reply.
[*]DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

I use Comodo Firewall.
Whenever I log into MSN or open Internet Explorer, it brings up a window to let me choose “accept/no”.
If I choose “NO”, I can’t surf the net.

Thanks for your help.

Just a quick post I’m on my way out.

This is suspect (no Google hits): run HJT again and tick the Fix box to the left of the entry.
O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
Suspect:
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O21 - SSODL: DCOM Server 2236 - {2C1CD3D7-86AC-4068-93BC-A02304BB2236} - (no file) (I don’t know why you would need a DCOM Server, although the entry indicates no file, possibly SpySheriff)

Log file by Combofix:

ComboFix 07-06-18.2 - C:\Documents and Settings\Anthony\桌面\ComboFix.exe
"Anthony" - 2007-06-19 23:12:19 - Service Pack 2 NTFS

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\124.dll
C:\WINDOWS\19124.exe
C:\WINDOWS\227.dll
C:\WINDOWS\227.exe
C:\WINDOWS\233.exe
C:\WINDOWS\system32\1005_1016_0501_1-227.exe
C:\WINDOWS\system32\1005_1019_0501_1-233.exe
C:\WINDOWS\system32\dlh9jkdq8.exe
C:\WINDOWS\system32\msxml3a.dll

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_NPF
-------\NPF

((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))

2007-06-19 23:10 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-03 03:35 4,733,788 --a------ C:\WINDOWS\SYSTEM32\dmap_01200019124.exe
2007-05-29 02:08 581,632 --a------ C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
2007-05-29 02:07 581,632 --a------ C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll
2007-05-29 02:07 0 --a------ C:\WINDOWS\resouese.dll
2007-05-29 01:28 4,096 --ahs---- C:\WINDOWS\SYSTEM32\Advpak.dll
2007-05-29 01:26 d-------- C:\Program Files\Autow
2007-05-26 17:39 d-------- C:\Program Files\peal

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-30 20:04:36 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-17 11:07:24 -------- d-----w C:\DOCUME~1\Anthony\APPLIC~1\Ulead Systems
2007-05-17 07:23:51 -------- d-----w C:\DOCUME~1\Anthony\APPLIC~1\AdobeUM
2007-05-16 15:11:50 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 13:19:07 -------- d-----w C:\DOCUME~1\Anthony\APPLIC~1\Comodo
2007-05-06 09:59:51 -------- d-----w C:\Program Files\Comodo
2007-05-06 09:38:52 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-03 16:21:12 -------- d-----w C:\Program Files\FinalBurner
2007-05-01 16:52:38 -------- d-----w C:\Program Files\Alwil Software
2007-05-01 12:50:48 -------- d-----w C:\Program Files\Kaspersky Lab
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-04-28 10:47:39 319,112 ----a-w C:\WINDOWS\system32\prfh0404.dat
2007-04-28 10:47:38 107,426 ----a-w C:\WINDOWS\system32\prfc0404.dat
2007-04-25 14:22:29 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 14:47:36 33,624 -c--a-w C:\WINDOWS\system32\wups.dll
2007-04-16 14:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 14:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 14:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 14:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 14:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 14:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 14:45:20 43,352 -c--a-w C:\WINDOWS\system32\wups2.dll
2007-04-11 06:44:33 1,843,200 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-20 14:34:29 102,440 -c--a-w C:\WINDOWS\system32\GDIPFONTCACHEV1.DAT
2005-07-14 04:31:20 27,648 --sha-r C:\WINDOWS\SYSTEM32\AVSredirect.dll
2005-06-26 07:32:28 616,448 --sha-r C:\WINDOWS\SYSTEM32\cygwin1.dll
2005-06-21 14:37:42 45,568 --sha-r C:\WINDOWS\SYSTEM32\cygz.dll
2005-02-28 05:16:22 240,128 --sha-r C:\WINDOWS\SYSTEM32\x.264.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 00:57 C:\WINDOWS\SYSTEM32\bthprops.cpl]
"Boostweb"="C:\PROGRA~1\BoostWEB\bwc.exe" [1999-03-08 13:50]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-02-21 22:12]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 23:42]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-05-06 19:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:47]
"MessengerPlus3"="C:\Program Files\MessengerPlus! 3\MsgPlus.exe" [2007-02-21 22:12]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2006-07-29 19:33]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
Usnsvc usnsvc


catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 23:31:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services{00001000-0000-1000-8000-00805f9b34fb}]

Completion time: 2007-06-19 23:53:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt … 2007-06-19 23:53

--- E O F ---

Oh I see…
What’s DCOM Server mean?

My problem state before is still here, how can I solve it? Thank you all

Windows has a DCOM service that generally no one needs, so I can’t see a need for a dedicated DCOM Server, and DCOM functionality is one in which there were many vulnerabilities that were being exploited. So it is also important to ensure your Operating System is fully up to date.

http://www.updatexp.com/dcom-windows-xp.html
http://computing-dictionary.tfd.com/DCOM

I actually needed a HJT log run after ComboFix. Could you post another HJT log for me? :slight_smile:

Thanks for your help.

Thanks for answering

There are a few suspicious files showing in ComboFix that have not been removed. Please upload these to Virus Total for analysis and post the results

C:\WINDOWS\SYSTEM32\dmap_01200019124.exe
C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll
C:\WINDOWS\resouese.dll
C:\WINDOWS\SYSTEM32\Advpak.dll

Your HJT log looks OK - just some clean up. Open HJT again and click to Run a System Scan Only. When complete, place a check mark next to these lines:

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

Next, close all windows including your browser and click Fix Checked.

This line appears to be a remnant of Windows Blinds

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\

Is that program functioning correctly for you? There seems to be a missing file.

Also, are you familiar with the sites shown in these lines?:

O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab

O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab

O16 - DPF: {5EC7C511-CD0F-42E6-830C-1BD9882F3458} - http://download.ppstream.com/bin/powerplayer.cab

What is the current status of the trojan warnings?
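The advice above boils down to a handful of checks applied to each HijackThis line: does the registry entry still point at a file, does the add-in have a name, does the DLL name look generated, and does an O16 entry pull an ActiveX control from a remote site. The following Python script is an added example, not code from this thread or from HijackThis itself; it parses lines in the shapes quoted above (the sample log is constructed, including one made-up O4 line for a known-good program) and flags candidates for a human to research. The four-consonant-run test for "random-looking" names is my own heuristic and produces false positives; it only shortlists entries for the "no Google hits" step, it does not decide anything.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: HijackThis-style lines shaped like the ones quoted in this
# thread, plus one constructed O4 (Run key) line for a known-good program.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {C74CDF30-68C2-49B4-9918-EBD66B8D9FBF} - C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: WBSrv - C:\WINDOWS\
O21 - SSODL: kOOlcBW - {34FCC55B-9E56-6FF1-0736-9AA66414657F} - (no file)
O16 - DPF: {20C2C286-BDE8-441B-B73D-AFA22D914DA5} (PowerList Control) - http://download.ppstream.com/bin/powerplayer.cab
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Heuristic (my assumption): four consonants in a row is rare in real product
# names ("ashDisp", "AcroIEHelper") but common in generated ones ("pvpkelepwc").
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}", re.IGNORECASE)


@dataclass
class HjtEntry:
    otype: str                  # "O2", "O20", ...
    text: str                   # everything after "Oxx - "
    clsid: Optional[str]
    path: Optional[str]         # file path or URL the entry points at, if any
    flags: List[str] = field(default_factory=list)


def extract_path(otype: str, text: str) -> Optional[str]:
    """Pull the file/URL the entry refers to; None when nothing is left."""
    if otype == "O4":
        # O4 - HKLM\..\Run: [value name] command line
        return text.partition("] ")[2].strip() or None
    last = text.split(" - ")[-1]
    for marker in ("(file missing)", "(no file)"):
        last = last.replace(marker, "")
    return last.strip() or None


def flag_entry(entry: HjtEntry) -> List[str]:
    """Return the reasons (if any) an analyst should look at this entry."""
    flags: List[str] = []
    low = entry.text.lower()
    if "(no file)" in low or "(file missing)" in low:
        flags.append("orphan")         # registry points at a file that is gone
    if "(no name)" in low:
        flags.append("unnamed")        # legitimate add-ins usually carry a name
    if entry.path:
        base = entry.path.rsplit("\\", 1)[-1]
        name, _, ext = base.rpartition(".")
        if ext.lower() in ("dll", "exe") and CONSONANT_RUN_RE.search(name):
            flags.append("random_name")
        if entry.path.endswith("\\"):
            flags.append("no_filename")  # e.g. Winlogon Notify pointing at a folder
        if entry.path.lower().startswith(("http://", "https://")):
            flags.append("remote_cab")   # ActiveX control fetched from the web
    return flags


def parse_hjt_log(text: str) -> List[HjtEntry]:
    entries: List[HjtEntry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # headers, blank lines, R0/F0 lines etc.
        otype, body = m.groups()
        clsid = CLSID_RE.search(body)
        entry = HjtEntry(otype, body, clsid.group(0) if clsid else None,
                         extract_path(otype, body))
        entry.flags = flag_entry(entry)
        entries.append(entry)
    return entries


def suspicious_entries(entries: List[HjtEntry]) -> List[HjtEntry]:
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in suspicious_entries(parse_hjt_log(SAMPLE_HJT_LOG)):
        print(f"{e.otype:<4} {', '.join(e.flags):<22} {e.path or '-'}")
```

Running it prints the five entries the helpers singled out and stays quiet about the Adobe BHO and the avast! Run entry; the Adobe and BitDefender names are shown to make the point that "orphan" and "unnamed" are reasons to research, not verdicts.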

Thanks mauserme.

Here is the result (I couldn’t scan resouese.dll; it said it couldn’t receive a file from my computer):

C:\WINDOWS\SYSTEM32\dmap_01200019124.exe

STATUS: FINISHED
Complete scanning result of "dmap_01200019124.exe", received in VirusTotal at 06.21.2007, 19:18:57 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 no virus found
AntiVir 7.4.0.34 06.21.2007 no virus found
Authentium 4.93.8 06.21.2007 no virus found
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 no virus found
BitDefender 7.2 06.21.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.21.2007 no virus found
DrWeb 4.33 06.21.2007 no virus found
eSafe 7.0.15.0 06.20.2007 no virus found
eTrust-Vet 30.8.3731 06.21.2007 no virus found
Ewido 4.0 06.21.2007 no virus found
FileAdvisor 1 06.21.2007 No threat detected
Fortinet 2.91.0.0 06.21.2007 no virus found
F-Prot 4.3.2.48 06.21.2007 no virus found
Ikarus T3.1.1.8 06.21.2007 no virus found
Kaspersky 4.0.2.24 06.21.2007 no virus found
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2607 06.21.2007 no virus found
NOD32v2 2343 06.21.2007 no virus found
Norman 5.80.02 06.21.2007 no virus found
Panda 9.0.0.4 06.20.2007 no virus found
Sophos 4.18.0 06.21.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.21.2007 no virus found
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.20.2007 no virus found
VirusBuster 4.3.23:9 06.21.2007 no virus found
Webwasher-Gateway 6.0.1 06.21.2007 no virus found

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 no virus found
BitDefender 7.2 06.21.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.21.2007 no virus found
DrWeb 4.33 06.21.2007 no virus found
eSafe 7.0.15.0 06.20.2007 no virus found
eTrust-Vet 30.8.3731 06.21.2007 no virus found
Ewido 4.0 06.21.2007 no virus found
FileAdvisor 1 06.21.2007 no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2607 06.21.2007 no virus found
NOD32v2 2343 06.21.2007 no virus found
Norman 5.80.02 06.21.2007 no virus found
Panda 9.0.0.4 06.20.2007 no virus found
Sophos 4.18.0 06.21.2007 no virus found
Sunbelt 2.2.907.0 06.09.2007 no virus found
Symantec 10 06.21.2007 no virus found
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.20.2007 no virus found
VirusBuster 4.3.23:9 06.21.2007 no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6

C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Authentium 4.93.8 06.21.2007 W32/Trojan.APKF
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 no virus found
BitDefender 7.2 06.21.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.21.2007 no virus found
DrWeb 4.33 06.21.2007 no virus found
eSafe 7.0.15.0 06.20.2007 no virus found
eTrust-Vet 30.8.3731 06.21.2007 no virus found
Ewido 4.0 06.21.2007 no virus found
FileAdvisor 1 06.21.2007 no virus found
Fortinet 2.91.0.0 06.21.2007 W32/Ieser.C!tr.dldr
F-Prot 4.3.2.48 06.21.2007 W32/Trojan.APKF
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2607 06.21.2007 no virus found
NOD32v2 2343 06.21.2007 no virus found
Norman 5.80.02 06.21.2007 no virus found
Panda 9.0.0.4 06.20.2007 no virus found
Sophos 4.18.0 06.21.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.21.2007 no virus found
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.20.2007 no virus found
VirusBuster 4.3.23:9 06.21.2007 no virus found
Webwasher-Gateway 6.0.1 06.21.2007 Trojan.Dldr.Ieser.C.6

C:\WINDOWS\SYSTEM32\Advpak.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 no virus found
AntiVir 7.4.0.34 06.21.2007 no virus found
Authentium 4.93.8 06.21.2007 no virus found
Avast 4.7.997.0 06.21.2007 no virus found
AVG 7.5.0.467 06.20.2007 no virus found
BitDefender 7.2 06.21.2007 no virus found
CAT-QuickHeal 9.00 06.21.2007 no virus found
ClamAV devel-20070416 06.21.2007 no virus found
DrWeb 4.33 06.21.2007 no virus found
eSafe 7.0.15.0 06.20.2007 no virus found
eTrust-Vet 30.8.3731 06.21.2007 no virus found
Ewido 4.0 06.21.2007 no virus found
FileAdvisor 1 06.21.2007 no virus found
Fortinet 2.91.0.0 06.21.2007 no virus found
F-Prot 4.3.2.48 06.21.2007 no virus found
F-Secure 6.70.13030.0 06.20.2007 no virus found
Ikarus T3.1.1.8 06.21.2007 no virus found
Kaspersky 4.0.2.24 06.21.2007 no virus found
McAfee 5058 06.21.2007 no virus found
Microsoft 1.2607 06.21.2007 no virus found
NOD32v2 2343 06.21.2007 no virus found
Norman 5.80.02 06.21.2007 no virus found
Panda 9.0.0.4 06.20.2007 no virus found
Sophos 4.18.0 06.21.2007 no virus found
Sunbelt 2.2.907.0 06.16.2007 no virus found
Symantec 10 06.21.2007 no virus found
TheHacker 6.1.6.136 06.20.2007 no virus found
VBA32 3.12.0.2 06.20.2007 no virus found
VirusBuster 4.3.23:9 06.21.2007 no virus found
Webwasher-Gateway 6.0.1 06.21.2007 no virus found

It seems that many hidden viruses are in my computer although I have done a virus scan with avast! Home…
My computer has been repaired so many times… because of viruses!
I don’t know whether all viruses have been deleted right now… (it runs slow)
How may I solve the problems?
Is it the HJT log that tells the suspicious files?
Really thanks, I am an idiot at computers… :frowning:

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ ?
What’s that? ???

The trojan warning problem has finally been solved.
Thanks for helping. :slight_smile:
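The VirusTotal tables above show why a single scanner's "no virus found" settles nothing: avast! reports the two DLLs clean while several other engines agree on a Trojan-Downloader family. The Python script below is an added example (not from this thread or from VirusTotal) that parses tables in that pasted shape, counts detections per file, and looks for a family token shared across the vendor names. The sample report is a constructed subset of the tables posted above; the detection threshold and the list of generic words to ignore are my own choices, not any VirusTotal rule.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed excerpt shaped like the VirusTotal tables posted in this thread
# (only a subset of engines, for illustration).
SAMPLE_VT_REPORT = r"""
C:\WINDOWS\SYSTEM32\dmap_01200019124.exe

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 no virus found
Kaspersky 4.0.2.24 06.21.2007 no virus found
FileAdvisor 1 06.21.2007 No threat detected

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll

Antivirus Version Update Result
AhnLab-V3 2007.6.21.1 06.21.2007 Win-Trojan/Ieser.581632
AntiVir 7.4.0.34 06.21.2007 TR/Dldr.Ieser.C.6
Avast 4.7.997.0 06.21.2007 no virus found
F-Secure 6.70.13030.0 06.20.2007 Trojan-Downloader.Win32.Ieser.c
Kaspersky 4.0.2.24 06.21.2007 Trojan-Downloader.Win32.Ieser.c
Ikarus T3.1.1.8 06.21.2007 Trojan-Downloader.Win32.Delf.asz
"""

FILE_RE = re.compile(r"^[A-Za-z]:\\")                         # a pasted file path
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d\.\d\d\.\d{4})\s+(.+)$")  # engine ver date result
CLEAN_RESULTS = {"no virus found", "no threat detected"}
# Vendor-neutral words found in most detection names; they say nothing about
# the family, so they are dropped before looking for a shared token (assumption).
GENERIC_TOKENS = {"win", "win32", "w32", "trojan", "tr", "dldr", "downloader",
                  "trojandownloader", "trj", "gen", "generic", "malware"}
MIN_DETECTIONS = 3   # analyst threshold chosen here, not a VirusTotal rule


def parse_vt_report(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {file_path: [(engine, result), ...]} from the pasted text."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Antivirus Version"):
            continue
        if FILE_RE.match(line):
            current = line
            report[current] = []
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            engine, _version, _update, result = m.groups()
            report[current].append((engine, result.strip()))
    return report


def family_consensus(names: List[str]) -> Optional[str]:
    """Most common non-generic token across detection names, if >= 2 engines share it."""
    counts: Counter = Counter()
    for name in names:
        for tok in re.split(r"[^A-Za-z0-9]+", name):
            tok = tok.lower()
            if len(tok) < 3 or tok.isdigit() or tok in GENERIC_TOKENS:
                continue
            counts[tok] += 1
    if not counts:
        return None
    tok, n = counts.most_common(1)[0]
    return tok if n >= 2 else None


def verdict(summary: dict) -> str:
    if summary["detections"] == 0:
        return "no detections (not proof of clean)"
    if summary["detections"] >= MIN_DETECTIONS or summary["family"] is not None:
        return "likely malicious"
    return "inconclusive"


def summarize(report: Dict[str, List[Tuple[str, str]]]) -> Dict[str, dict]:
    out: Dict[str, dict] = {}
    for path, rows in report.items():
        hits = [r for _, r in rows if r.lower() not in CLEAN_RESULTS]
        s = {"engines": len(rows), "detections": len(hits), "names": hits,
             "family": family_consensus(hits)}
        s["verdict"] = verdict(s)
        out[path] = s
    return out


if __name__ == "__main__":
    for path, s in summarize(parse_vt_report(SAMPLE_VT_REPORT)).items():
        print(f"{s['detections']}/{s['engines']}  family={s['family'] or '-'}  "
              f"{s['verdict']}  {path}")
```

The family check is what makes the second file convincing: four of the six sample engines contain "Ieser" in their name, and that agreement carries more weight than the raw count. For the first file the zero result is reported as exactly that, zero detections, since a file nobody detects is not thereby shown to be clean (the thread's own avast! results on the DLLs illustrate this).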

With all this malware hiding in the system folders you need to consider preventative measures.

You might also consider proactive protection, in order to place files in the system folders and create registry entries you need permission. Prevention is much better and theoretically easier than cure.

Whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.

Hi again chinhis13. Sorry I’ve been away for so long - I wasn’t getting notifications that you had posted a response.

Please download OTMoveIt by OldTimer and save it to your desktop.

Next, double-click OTMoveIt.exe to run it.
Copy the file path below to the clipboard by highlighting it and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\pvpkelepwc.dll
C:\WINDOWS\SYSTEM32\mrmnxjtiyd.dll

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply with a new Hijack log.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Also, try to upload C:\WINDOWS\resouese.dll to Virus Total again (please note that the file name is a misspelling of “resource” when you’re looking for it).

It seems that many hidden viruses are in my computer although I have done a virus scan with avast! Home… My computer has been repaired so many times… because of viruses! I don’t know whether all viruses have been deleted right now… (it runs slow) How may I solve the problems? Is it the HJT log that tells the suspicious files? Really thanks, I am an idiot at computers…

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ ?
What’s that?

I am familiar with PPStream. But the other one (O16 - DPF: i.Game MJImpressYHK - http://202.43.223.148/client/MJc/com/igame/MJImpressYHK.cab) I don’t know.

Is there any problem with this software (PPStream)?
I heard something on the internet that it may get files on the computer…

The trojan warning problem has finally been solved.


Sometimes it’s HJT, sometimes other tools, that pinpoint the suspicious files. In this case ComboFix was more useful (so far).

The fact that you are no longer getting trojan warnings is a good sign - we’ve made some progress. But you’re not clean yet.

O20 - Winlogon Notify: WBSrv - C:\WINDOWS\ seems to be part of a program called Windows Blinds but there is a missing file. Do you know this program? Is it working correctly?

I’m still researching the ppstream, etc.

Thanks David very much. I will try it now. :slight_smile: