Recovered from trojans -- check is everything all right

Hello!
My comp was infected by some trojans like win32:onlinegames, win32:delf, win32:downloader (and one or two more). After a long struggle, I managed to remove them using the combined effort of Avast and Spybot S&D. Then the cautions from Avast stopped. Just to make sure, I ran AVG Anti-Spyware and detected these trojans again! So, I deleted them again using that.

So though everything seems to be working fine now, I’m posting a HijackThis log here. Please check it out and advise me whether everything is all right.


HijackThis log file starts here

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:59 PM, on 12/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Oracle\Ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\Oracle\Ora81\bin\oradim.exe
C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\vssvc.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wgp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\hcwemMON.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\conime2.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM..\Run: [PMCS] "C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe" -host -clearDebug
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
O4 - HKLM..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [hcwemMON] hcwemMON.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - HKLM..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip..{99656CDF-C58E-42B1-9B61-D4E8E2A64D98}: NameServer = 61.1.96.69,61.1.96.71
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Update Service (gupdate) - Google Inc. - C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OracleOraHome81Agent - oracle - C:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Unknown owner - C:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - C:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceURVANG1 - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceURVANG2 - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceURVANGG - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - C:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe


End of file - 11378 bytes


End of Hijackthis log file

You may still have problems; run this scanner and post the logs.

Please download Deckard’s System Scanner (DSS) and save it to your Desktop.
[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt – please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

First, you don’t appear to have an active firewall; what is your firewall?

If, as I suspect, it is the XP firewall, it has no outbound protection, and you will have difficulty getting your system clean if what is on it can continue to download more of the same.

Suspect - upload to VirusTotal; send a sample to avast if there are multiple detections on VT; FIX in HJT, see below.

O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll
Also see http://www.google.com/search?q=AL2DLL.dl and one of the hits, http://www.file.net/process/al2dll.dll.html.

O4 - HKLM..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
See http://www.bleepingcomputer.com/startups/comrep-14893.html: added by the W32/Rbot-DNH worm and IRC backdoor.

O17 - HKLM\System\CCS\Services\Tcpip..{99656CDF-C58E-42B1-9B61-D4E8E2A64D98}: NameServer = 61.1.96.69,61.1.96.71

  • Is this your ISP, sancharnet.in, as that is what the IP address above is for?

Check the suspect file/s at: VirusTotal - Multi engine on-line virus scanner and report the findings here in the topic.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a reference to this topic (give URL) and undetected malware in the subject.

Run HJT again (close any other windows except HJT), tick the box to the left of the suspect entry you wish to fix, click the Fix Selected Button.

Other than that I don’t see anything obvious, but I feel there may be other elements hidden.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode: SUPERantispyware (On-Demand only in the free version).

Some delf trojans may be hidden, so it may be advisable to run some anti-rootkit tools.
Also see anti-rootkit detection, removal & protection at http://www.antirootkit.com/software/index.htm. Try these, as they are some of the more efficient and user-friendly anti-rootkit tools.
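As an added illustration of the triage David walks through above (my own code, not anything from the thread or from HijackThis), this Python checker reads lines in the HijackThis v2 format shown in the logs and flags the entry types he singles out: a BHO loaded from the Windows folder, an autorun under Policies\Explorer\Run, and O17 NameServer addresses not yet confirmed as the ISP's; it also flags a UserInit value that launches anything besides userinit.exe, a standard F2 check the thread itself does not discuss. The sample lines are constructed from the first log, and the regexes are assumptions about the line shapes.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format, modelled on the entries
# discussed in this thread (not the full log from the post).
SAMPLE_LOG = "\n".join([
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\conime2.exe",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKLM\..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{99656CDF-C58E-42B1-9B61-D4E8E2A64D98}: NameServer = 61.1.96.69,61.1.96.71",
])

# Line shapes (assumed from the HJT v2 output quoted in the thread).
BHO_RE = re.compile(r"^O2 - BHO: .* - \{[0-9A-Fa-f-]{36}\} - (.+)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
WINDOWS_DIR_RE = re.compile(r"^[A-Za-z]:\\windows\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str  # HJT section code: F2, O2, O4, O17
    reason: str
    line: str


def triage(log_text, trusted_nameservers=frozenset()):
    """Return the entries a helper would ask the poster to verify, in log order.

    trusted_nameservers: DNS IPs already confirmed as the ISP's; anything else
    under O17 is reported for confirmation rather than assumed bad.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            # The rule used in the thread: a BHO whose DLL sits under the
            # Windows folder rather than Program Files deserves a VT check.
            if WINDOWS_DIR_RE.match(m.group(1)):
                findings.append(Finding("O2", "BHO loaded from the Windows folder; check the DLL on VirusTotal", line))
            continue

        if line.startswith("O4 - ") and "Policies\\Explorer\\Run" in line:
            # The thread's second suspect: an autorun under Policies\Explorer\Run,
            # looked up against BleepingComputer's startup list before fixing.
            findings.append(Finding("O4", "autorun under Policies\\Explorer\\Run; verify the file on VirusTotal", line))
            continue

        m = USERINIT_RE.match(line)
        if m:
            # Standard F2 check (not discussed in the thread): UserInit should
            # launch only userinit.exe; any extra program runs at every logon.
            programs = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in programs if p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
            if extra:
                findings.append(Finding("F2", "UserInit launches more than userinit.exe: " + ", ".join(extra), line))
            continue

        m = NAMESERVER_RE.match(line)
        if m:
            servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
            unknown = [s for s in servers if s not in trusted_nameservers]
            if unknown:
                findings.append(Finding("O17", "DNS servers not yet confirmed as the ISP's: " + ", ".join(unknown), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Once the poster confirms the O17 addresses belong to the ISP, pass them in `trusted_nameservers` and that entry drops out of the report.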

Hello sir,
Here are some results you have asked for.

Firewall

You are right sir, I was not using any third-party firewall till now. As per your advice, I have now started using Zonealarm personal firewall.

Suspect files

O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll
(“AUTOLO~1” is actually “AUTOLOGIN”)
I uploaded this file to VirusTotal and none of the antivirus programs detect it as a virus. Also, the file size, 245760 bytes (as given by VirusTotal), is again one of the correct values as per http://www.file.net/process/al2dll.dll.html.

O4 - HKLM..\Policies\Explorer\Run: [comrepl32] C:\windows\system32\com\comrepl32.exe
I went to VirusTotal again to upload this file, but this file actually did not exist in the path specified. Instead, a file called “comrepl.exe” exists in the same path. So I uploaded that one to VirusTotal, which again gave 0/32 detections.
As a last resort, I used a free program, “EasyCleaner” (which can clean the registry among other things), to clean the registry. After cleaning the registry, this result no longer comes up in the next HJT log (the one I have posted below).

O17 - HKLM\System\CCS\Services\Tcpip..{99656CDF-C58E-42B1-9B61-D4E8E2A64D98}: NameServer = 61.1.96.69,61.1.96.71
Yes, these are the DNS IPs of sancharnet, which I have explicitly specified. So I am sure there is nothing wrong with it.

Rootkit

As per your instructions, I downloaded and ran the AVG anti-rootkit. It did not detect any rootkits.

New HijackThis Log :: at 3:08:05 PM, on 12/14/2007
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:05 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Pinnacle\Shared Files\Programs\MediaCenterService\PMC.Service.Main.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\wgp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\hcwemMON.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Oracle\Ora81\BIN\TNSLSNR.exe
C:\WINDOWS\system32\ctfmon.exe
c:\oracle\ora81\bin\ORACLE.EXE
C:\Oracle\Ora81\BIN\OWASTSVR.EXE
C:\Oracle\Ora81\bin\oradim.exe
c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Shared Files\CamTray.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\WordWeb\wweb32.exe
C:\WINDOWS\System32\vssvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=Q106&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://in.rediff.com/index.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: AL2Spy Class - {DC200356-0864-4F66-8964-5D43A19300F5} - C:\WINDOWS\AUTOLO~1\AL2DLL.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM..\Run: [WinGuard Pro] C:\WINDOWS\system32\wgp.exe
O4 - HKLM..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM..\Run: [hcwemMON] hcwemMON.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [Creative WebCam Tray] "C:\Program Files\Creative\Shared Files\CamTray.exe"
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\system32\wweb32.dll/lookup.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O9 - Extra 'Tools' menuitem: &Google Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.1.54.0\gears.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15030/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip..{99656CDF-C58E-42B1-9B61-D4E8E2A64D98}: NameServer = 61.1.96.69,61.1.96.71
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Update Service (gupdate) - Google Inc. - C:\Program Files\Google\Update\1.0.91.0\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: OracleOraHome81Agent - oracle - C:\Oracle\Ora81\bin\dbsnmp.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: OracleOraHome81DataGatherer - Unknown owner - C:\Oracle\Ora81\bin\vppdc.exe
O23 - Service: OracleOraHome81TNSListener - Unknown owner - C:\Oracle\Ora81\BIN\TNSLSNR.exe
O23 - Service: OracleServiceURVANG1 - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceURVANG2 - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleServiceURVANGG - Oracle Corporation - c:\oracle\ora81\bin\ORACLE.EXE
O23 - Service: OracleWebAssistant0 - Oracle Corporation - C:\Oracle\Ora81\BIN\OWASTSVR.EXE
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - c:\program files\pinnacle\shared files\programs\mediaserver\pmshost.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 11529 bytes

No need for formalities on the forums, so we can dispense with the sir ;D I’m David.

OK on the al2dll.dll; the suspicion is if it is in the Windows folder, and though this one wasn’t, I thought it prudent to check it out.

The entry was specifically for comrepl32.exe, so I’m not surprised a different file, comrepl.exe, didn’t show any hits on VT. It is a common tactic to use file names close to legit files to confuse. Did you do as I suggested and change the Explorer, Tools, Folder Options so hidden files and folders are displayed (also unhide system files, as this is another tactic to keep them hidden, see image)?
The HJT log would have marked the entry file missing, etc. if it wasn’t there.

The O17 - HKLM\System\CCS\Services\Tcpip..\ entry is just seeking confirmation that it is your ISP as there are some that point to malicious IPs.

Other than that your new log seems OK.

If you proceed with oldman’s suggestion of Deckard’s System Scanner (DSS), he can check out those more detailed scans.

Yes, I did use your suggestion about hidden files/folders and system files (I’m a computer engineering master’s student, so you can take my word, the file doesn’t exist ;D).
Actually, I had forgotten to write that after my first HJT log, I had done a boot-time scan again with avast, and it had removed one infected file, so probably it was that one.

I’ll run DSS & post the logs shortly.

PS: Meanwhile, just a few minutes ago, I got a warning from avast ??? about the onlinegames trojan. Here is the corresponding avast log:
12/15/2007 12:11:36 PM SYSTEM 1380 Sign of "Win32:OnLineGames-BOD [trj]" has been found in "C:\WINDOWS\SYSTEM32\GDQQHXI32.DLL[Upack]" file.

Firstly, I tried to delete the file and got an “Access Denied” error. Then, for the same file, I clicked on “Move to chest” and it worked.
Then I scanned the system32 folder with AVG Anti-Spyware, but it did not detect anything. Also, no warning has come afterwards from Avast (in the last 15 mins or so).

Hi:

So that you are forewarned about the possible seriousness of a Delf "infection", read what a Microsoft Most Valuable Professional wrote about it:

"The way Delf infections work is that they have a rootkit service entry that protects a DLL. In turn, the DLL protects the rootkit. These will be invisible to Windows APIs and invisible to tools that depend on them, such as REGEDIT. There can be multiple DLLs and multiple rootkit entries, each providing some measure of stealth and removal challenges to each other in a symbiotic relationship. 

In the main, Delf will employ userland rootkits, rather than kernel mode rootkits. You need to find and kill the rootkit services. Then go back and remove the now unprotected DLLs.

You can expect that Delf will defeat most rootkit detector utilities. They will not see the rootkits, or if they see them they will be unable to remove them. The current Delf infections are usually from China, and you can expect a lot of tedious work with such utilities as Ice Sword or Dark Spy to remove the rootkit entries, if it is even possible in Normal modes of Windows. With some newer variants you will need to use a WinPE environment, or even Recovery Console, and delete the rootkits manually. This is somewhat challenging as their filenames will change on every restart of the computer.

If, and many do nowadays, the Delf infection has kernel level hooks, you might not be able to remove them at all unless you are very skilled at rebuilding native XP or Vista services by hand.

Since the objective of Delf is to steal user information, including passwords, and distribute them to malicious users on the Internet, the best advice I can give you is to reformat and reinstall on clean media. You can expect to have to reformat any hard drive, and any portable media device such as a USB pen drive used with the computer. See my thoughts here: http://aumha.net/viewtopic.php?t=28580

You should consider using a Sophos IDE for this to start. These can be terrifically effective on the smaller Delf infections: http://www.sophos.com/security/analyses/w32delfeyr.html

Instructions for use: http://www.sophos.com/support/knowledgebase/article/363.html

This of course will do nothing for your already compromised user account information and compromised passwords. "

Best to start by using a special program that has been developed to combat SOME “versions” of this, located at http://users.telenet.be/marcvn/tools/win32delfkil.exe.

Here are the two attached log files of DSS.

Submit the following files to www.virustotal.com: copy and paste them, one at a time, into the submit-a-file box on their page and post the results here.

C:\WINDOWS\system32\drivers\comint32.sys
C:\WINDOWS\system32\gdqqsgi32.dll

With reference to spiritsongs’ rootkit problem, there is one tool that may get it and show us where it is.

Download avz4.zip from here

[*] Unzip it to your desktop to a folder named avz4.
[*] Double click on AVZ.exe to run it.
[*] Run an update by clicking the Auto Update button on the right of the Log window:
http://rathat.geekstogo.com/images/AVZupdate.jpg

[*] Click Start to begin the update.

Note: If you receive an error message, choose a different source, then click Start again.

[*] Start AVZ.

[*] Choose from the menu AVZPM and select install.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Healing/Quarantine and Advanced System Investigation” check box.
[*] Click on “Execute selected scripts”.
[*] Automatic scanning, healing and system check will be executed.
[*] A logfile (avz_sysinfo.htm) will be created and saved in the LOG folder in the AVZ directory as virusinfo_syscure.zip.
[*] It is necessary to reboot your machine, because AVZ might disturb some program operations (like antiviruses and firewall) during the system scan.
[*] All applications will work properly after the system restart.

When restarted:

[*] Start AVZ.

[*] Choose from the menu “File” => “Standard scripts” and mark the “Advanced System Investigation” check box.
[*] Click on “Execute selected scripts”.
[*] A system check will be automatically performed, and the created logfile (avz_sysinfo.htm) will be saved in the LOG folder in the AVZ directory as virusinfo_syscheck.zip.

Attach both zip files to your next post.

For info on the above post:

AVZPM Monitoring Driver. Monitors launching and killing processes, loading and unloading drivers, thus providing the information required to search for masking drivers and those modifications of structures describing processes and drivers that are created by DKOM Rootkits.

Thanks essexboy, I think you are right. Those two files are all I could find in the DSS log. We’ll see what they are when urvang posts back.

I hope he takes your suggestion.

@oldman
VirusTotal results gave more than 50% detections for both files. I’m attaching the screenshots of the VirusTotal (compact) results here.

@essexboy
Attaching “virusinfo_syscure.zip” and “virusinfo_syscheck.zip” here.

(I am not allowed to attach “.zip” files, so I have changed the extension to “.txt”; but actually it is a “.zip” file. Please change the extension before unzipping.)

I have just sent you a PM with my e-mail address; could you mail the zip files to me, as the name change corrupted them?