Good days everyone,

For the last 3 days I’ve been trying to get rid of this strange “Win32:Trojan-gen. {Delphi}” thing.

The infected files are located under "C:\Documents and Settings\user\Local Settings\Temp"

The infected files don’t have a constant name, except the beginning. The file names’ format is like “~DPxx.dll” The ‘xx’ part is the variable part. Some examples of infected filenames; “~DP24.dll, ~DP24.dll, ~DPF.dll, ~DPD.dll, ~DPB.dll, ~DPC.dll, ~DP10.dll, ~DP11.dll” And the size of the infected file is 55KB.

Also from time to time I find under the same directory some .tmp files. They carry the same filename as the .dll files but just have .tmp extension. And the filesize of these files are always 0KB. I guess that these files are created as I try to delete(and/or repair) the infected .dll file with Avast.

When I try to delete(and/or repair) the file with Avast I just get no results(all files are inaccessible). Avast can’t even access the infected file. So I schedule a boot scan with deepest scan options. Avast deletes the infected file during the boot scan and Windows launches normally. Now at this point there are two possibilities.

1. I check the directory and I see that there are no files everything is cool and ok. But after some time(during the same day and actually the next couple of hours) I start getting the same warning from Avast.
2. I check the directory and unfortunately see the exact same files in place.

Additionally, I’ve alredy disabled System Restore and as well I’ve tried running a complete scan in Safe Mode… Still I can’t get rid of the virus.

Till now I’ve tried every logical method to get rid of this but unfortunately I still haven’t been successful. Above I’ve explained the situation exactly and described everything I have tried. I hope there is some point I have forgotten about or missed that you people can help me with and the problem will be easily solved.

From my side of view the only way left is to install another antivirus and see what happens. I hope you people will be able solve my problem without the aid of another antivirus.

System information;
OS : Windows XP Professional Edition with SP2 and all critical security updates done.
Antivirus : Latest Avast Home Edition version with all updates done.
Firewall : Sometimes Windows Firewall sometimes NONE
Anti-Spy : SpyBot S&D 1.4 with all updates done

Thanks to all in advance,

There would appear to be something else in the mix that is regenerating the problem.

I would say your comment ‘Firewall : Sometimes Windows Firewall sometimes NONE’ speaks volumes, the XP firewall doesn’t provide outbound protection, so there is nothing to stop any malware on your system downloading more of the same. The only thing worse than windows XP’s firewall is NO firewall and you admit to that.

The firewall is an essential part of your system security blocking unauthorised outbound connections is as important as inbound protection, so you need a full firewall a.s.a.p. Jetco has recently done well in the firewall leak tests and the Jetco Personal Firewall version is freeware.

Download, install, update, Ewido Security Suite and run this program. Ewido specialises in trojans and this may well be what is responsible for the regeneration. It would probably be better to run it from safe mode also.

Well yes I’m aware that XP Firewall is of hardly any use but i’m just not comfotable with using any firewall that’s why I preffered leaving the system without any. Cause I’ve always encountered stupid problems with all the different firewalls I tested. But in this case as I’m left without any other solution I’ll try installing both Jetco Personal Firewall and the Ewido Anti-Malware .

I’ll get back with the results ASAP.

Many thanks for the advice, let’s see what happens now…

Well there are plenty of firewall options, Zone Alarm free works OK with avast and it has a relatively friendly user interface.

Overcoming the problems will make you more secure and without a firewall you will be fighting an uphill and probably losing battle with malware.

Welcome to the forums.

Well thanks for the friendly welcome and the quick reply to my problem but unfortunately my problem still is not solved…

I just possibly can’t remove the infected file… Ewido Malware doesn’t even detect the infected file. And I yet have no idea if the Jetico Firewall is doing a good job because the thing is still in my system… Only after I get rid of this thing properly the firewall will prove itself.

I make boot scan for all drives and files, everything and Avast deletes the infected files(as it says) but after XP launches I instantly get the same warning again… Any other ideas ?

Btw I abandoned Zone Alarm after is started blocking all IRC connections though everything was well set up.
And also I abandoned Sygate after it started blocking my HTTP protocol completely again though everything was well set up.
I don’t know may be I should become a Software Tester since I catch all the unexplainable bugs every time

Anyway, still expecting new solutions to the strange problem…

ps Under “C:\Documents and Settings” there are two new folders I never had since I started using XP(approximately since 4 years). Besides the normal user folders I’ve got two extra new folders named “LocalService” and “NetworkService” . I’m not exactly sure but I think these two folders showed up after(or at the same time with) this issue. Or simply it could be something usual which I wouldn’t have come across during the last 4 years just by chance. Any ideas on this too ?

Hi MarduK,

Could you post a HijackThis! log for us to look at?

http://www.bleepingcomputer.com/tutorials/tutorial42.html

Well here goes the HiJackThis! stuff…
The whole thing exceeds 10000 characters so I’m posting it in seperate messages…
Sorry for taking you people’s time and thanks to you guys for spending your time on my problem…

Logfile of HijackThis v1.99.1
Scan saved at 19:40:57, on 11.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
D:\Programs\Jetico\Jetico Personal Firewall\fwsrv.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Programs\ewido anti-malware\ewidoctrl.exe
D:\Programs\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Programs\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Explorer.exe
D:\Programs\FlashGet\flashget.exe
D:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.38:8080
F2 - REG:system.ini: Shell=Explorer.exe winspols.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\Programs\FlashGet\jccatch.dll
O2 - BHO: Acronis Popup Blocker - {E24AD748-155E-4254-B674-4EDF86E7E1DF} - (no file)
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [UnlockerAssistant] D:\Programs\Unlocker\UnlockerAssistant.exe
O4 - HKLM..\Run: [JeticoPFStartup] “D:\Programs\Jetico\Jetico Personal Firewall\fwsrv.exe”
O4 - HKCU..\Run: [SpybotSD TeaTimer] D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download All by FlashGet - D:\Programs\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - D:\Programs\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programs\FlashGet\flashget.exe
O9 - Extra ‘Tools’ menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\Programs\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://update.microsoft.com
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://officeint.microsoft.com/officeupdate/content/opuc3.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://193.255.32.21:8080/activex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip..{5A1E6B4C-EE80-43ED-8567-55296D93755A}: NameServer = 192.168.16.182
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - D:\Programs\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Programs\ewido anti-malware\ewidoguard.exe
O23 - Service: ezProxy - ewido networks - (no file)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

[b]StartupList report, 11.03.2006, 19:41:44
StartupList version: 1.52.2
Started from : D:\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

• Using default options
• Showing rarely important sections[/b]

PART - 1

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Programs\Unlocker\UnlockerAssistant.exe
D:\Programs\Jetico\Jetico Personal Firewall\fwsrv.exe
D:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Programs\ewido anti-malware\ewidoctrl.exe
D:\Programs\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Programs\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\Explorer.exe
D:\Programs\FlashGet\flashget.exe
D:\HijackThis\HijackThis.exe

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
UnlockerAssistant = D:\Programs\Unlocker\UnlockerAssistant.exe
JeticoPFStartup = “D:\Programs\Jetico\Jetico Personal Firewall\fwsrv.exe”

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = D:\Programs\Spybot - Search & Destroy\TeaTimer.exe

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = “%ProgramFiles%\Outlook Express\setup50.exe” /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = “%ProgramFiles%\Outlook Express\setup50.exe” /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

[{tt9381D8F2-0288-11D0-9501-00AA00B911A5}] *
StubPath = C:\WINDOWS\system32\emgfx.exe

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=INI file not found
SCRNSAVE.EXE=INI file not found
drivers=INI file not found

Shell & screensaver key from Registry:

Shell=Explorer.exe winspols.scr
SCRNSAVE.EXE=Registry value not found
drivers=Registry value not found

Policies Shell key:

HKCU..\Policies: Shell=Registry value not found
HKLM..\Policies: Shell=Registry value not found

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

[b]StartupList report, 11.03.2006, 19:41:44
StartupList version: 1.52.2
Started from : D:\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)

• Using default options
• Showing rarely important sections[/b]

PART - 2

Enumerating Browser Helper Objects:

(no name) - D:\Programs\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - D:\Programs\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}
Acronis Popup Blocker - (no file) - {E24AD748-155E-4254-B674-4EDF86E7E1DF}

Enumerating Download Program Files:

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://officeint.microsoft.com/officeupdate/content/opuc3.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Performance Viewer Activex Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RACtrl.dll
CODEBASE = https://193.255.32.21:8080/activex/RACtrl.cab

Enumerating Windows NT/2000/XP services

avast! iAVS4 Control Service: “C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe” (autostart)
ATK Keyboard Service: C:\WINDOWS\ATKKBService.exe (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
avast! Antivirus: “C:\Program Files\Alwil Software\Avast4\ashServ.exe” (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
ewido security suite control: D:\Programs\ewido anti-malware\ewidoctrl.exe (autostart)
ewido security suite guard: D:\Programs\ewido anti-malware\ewidoguard.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
InCD Helper: C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SoundMAX Agent Service: C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

End of report, 10.497 bytes
Report generated in 0,109 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Process list saved on 19:45:36, on 11.03.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

[pid] [full path to filename] [file version] [company name]
688 C:\WINDOWS\System32\smss.exe 5.1.2600.2180 Microsoft Corporation
776 C:\WINDOWS\system32\winlogon.exe 5.1.2600.2180 Microsoft Corporation
820 C:\WINDOWS\system32\services.exe 5.1.2600.2180 Microsoft Corporation
832 C:\WINDOWS\system32\lsass.exe 5.1.2600.2180 Microsoft Corporation
1004 C:\WINDOWS\system32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1184 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
1208 C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe 5.0.0.1 Nero AG
1640 C:\WINDOWS\system32\spoolsv.exe 5.1.2600.2696 Microsoft Corporation
1924 C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe 4.6.753.0
1944 D:\Programs\Unlocker\UnlockerAssistant.exe
1956 D:\Programs\Jetico\Jetico Personal Firewall\fwsrv.exe 1.0.1.61 Jetico, Inc.
1964 D:\Programs\Spybot - Search & Destroy\TeaTimer.exe 1.4.0.2 Safer Networking Limited
192 C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
236 C:\WINDOWS\ATKKBService.exe 1.0.0.0 ASUSTeK COMPUTER INC.
264 C:\Program Files\Alwil Software\Avast4\ashServ.exe 4.6.753.0
1676 D:\Programs\ewido anti-malware\ewidoctrl.exe 3.0.0.1 ewido networks
1712 D:\Programs\ewido anti-malware\ewidoguard.exe 3.0.0.1 ewido networks
1848 C:\WINDOWS\system32\nvsvc32.exe 6.14.10.7189 NVIDIA Corporation
1740 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe 3.2.6.0 Analog Devices, Inc.
1244 C:\WINDOWS\System32\svchost.exe 5.1.2600.2180 Microsoft Corporation
2104 C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe 4.6.763.0 ALWIL Software
2632 D:\Programs\Mozilla Firefox\firefox.exe 1.8.20060.11112 Mozilla Corporation
3348 C:\Program Files\MSN Messenger\msnmsgr.exe 6.2.0.205 Microsoft Corporation
912 C:\WINDOWS\Explorer.exe 6.0.2900.2180 Microsoft Corporation
3512 D:\Programs\FlashGet\flashget.exe 1.7.1.0 Amaze Soft
2532 D:\HijackThis\HijackThis.exe 1.99.0.1 Soeperman Enterprises Ltd.
3572 C:\WINDOWS\system32\notepad.exe 5.1.2600.2180 Microsoft Corporation

ADS Spy Log

C: : {3CE2E02B-C9A6-47a9-BEC1-B9220D387176}ÿ (130 bytes)
C: : {43F6785A-0479-4107-B75A-219D30239221}ÿ (0 bytes)
C:\Documents and Settings\MarduK\Desktop\programlar\benden\Ilac_ for DFX_7.3[herkonu.com].rar : Zone.Identifier (26 bytes)
C:\Documents and Settings\MarduK\Desktop\programlar\benden\Super Internet TV v6.2 Crack.rar : Zone.Identifier (26 bytes)
C:\Documents and Settings\MarduK\Desktop\programlar\benden\Super Internet TV v6.2.rar : Zone.Identifier (26 bytes)
C:\Documents and Settings\MarduK\Desktop\turkmuhendis\mainLogo.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\MarduK\Desktop\turkmuhendis\top_bann_tm.jpg : Zone.Identifier (26 bytes)
C:\Documents and Settings\MarduK\My Documents\CIMG00291.JPG : Zone.Identifier (26 bytes)
C:\Documents and Settings\MarduK\My Documents\various\04080202.wmv : Zone.Identifier (26 bytes)
C:\Program Files\Picasa2\setup.exe : Zone.Identifier (26 bytes)
C:\WINDOWS\Fonts\HDZB_75.TTF : Zone.Identifier (26 bytes)
D:\Ain’t My Life\2002-11D\II.Toplanti\Orj.Fotograflar\Thumbs.db : encryptable (0 bytes)
D:\Ain’t My Life\Making the Moment Eternal\Aile\istanbul\Thumbs.db : encryptable (0 bytes)
D:\Ain’t My Life\Making the Moment Eternal\Aile\konya\Thumbs.db : encryptable (0 bytes)
D:\Ain’t My Life\Making the Moment Eternal\Aile\muhammed\Thumbs.db : encryptable (0 bytes)
D:\Ain’t My Life\Making the Moment Eternal\Baba\Thumbs.db : encryptable (0 bytes)
D:\Ain’t My Life\Making the Moment Eternal\Mehmetefe\thumb\Thumbs.db : encryptable (0 bytes)
D:\Ain’t My Life\Making the Moment Eternal\Mehmetefe\Thumbs.db : encryptable (0 bytes)
D:\emule0.46c-Xtreme4.4\webserver\Thumbs.db : encryptable (0 bytes)
D:\Library'Net\BulletProof FTP Server 2.3.1.exe : Zone.Identifier (26 bytes)
D:\Library'Net\Firefox 1.0.7.exe : Zone.Identifier (26 bytes)
D:\Library'Net\Mercury MSN 1708.exe : Zone.Identifier (26 bytes)
D:\Library'Net\mIRC 6.16.exe : Zone.Identifier (26 bytes)
D:\Library'Net\MSN Messenger 6.2.exe : Zone.Identifier (26 bytes)
D:\Library'Net\MSN Messenger Plus 3.50.124.exe : Zone.Identifier (26 bytes)
D:\Library'Net\NetLimiter 2.0.6 Pro.exe : Zone.Identifier (26 bytes)
D:\Library'Net\Opera 7.54.exe : Zone.Identifier (26 bytes)
D:\Library'Net\PlugProxy 201.zip : Zone.Identifier (26 bytes)
D:\Library'Net\TRKY Dns Ayar.exe : Zone.Identifier (26 bytes)
D:\Library\Audio & Video\DivX 5.21.exe : Zone.Identifier (26 bytes)
D:\Library\Audio & Video\K-Lite Mega Codec Pack 1.20.exe : Zone.Identifier (26 bytes)
D:\Library\Audio & Video\Media Player 10.exe : Zone.Identifier (26 bytes)
D:\Library\Audio & Video\Win Lyrics 2.47.exe : Zone.Identifier (26 bytes)
D:\Library\Cracks\Avast Professional Edition 4.6.691.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\cFOS 6.10.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\Corel DRAW Graphics Suite X3…rar : Zone.Identifier (26 bytes)
D:\Library\Cracks\File Scavenger 3.0.ZIP : Zone.Identifier (26 bytes)
D:\Library\Cracks\FlashGet 1.71.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\NetLimiter 2.0 Pro.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\Recover My Files 3.54.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\Swishmax 1.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\Sygate Personal Firewall Pro 5.5 build 2637.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\Win Lyrics 2.47.zip : Zone.Identifier (26 bytes)
D:\Library\Cracks\Windows Update Crack.zip : Zone.Identifier (26 bytes)
D:\Library\Main Frame\Asus V9520 Magic Display Driver 71.89.zip : Zone.Identifier (26 bytes)
D:\Library\Main Frame\Asus V9520 Magic Enhanced Driver 1.16.zip : Zone.Identifier (26 bytes)
D:\Library\Main Frame\JS2E Runtime Environment 5.0 Update 4.exe : Zone.Identifier (26 bytes)
D:\Library\Psychic Designer\Swishmax 1.0.exe : Zone.Identifier (26 bytes)
D:\Library\Safe & Sound\Avast Professional Edition 4.6.691.exe : Zone.Identifier (26 bytes)
D:\Library\Safe & Sound\File Scavenger 3.0.exe : Zone.Identifier (26 bytes)
D:\Library\Safe & Sound\Recover My Files 3.54.exe : Zone.Identifier (26 bytes)
D:\Library\Safe & Sound\Sygate Personal Firewall Pro 5.5 build 2637.exe : Zone.Identifier (26 bytes)
D:\Library\Sharing\DC++ 0.670.exe : Zone.Identifier (26 bytes)
D:\Library\Uncanny Mixture\Google Earth.exe : Zone.Identifier (26 bytes)
D:\Library\Uncanny Mixture\MBM 5.exe : Zone.Identifier (26 bytes)
D:\Library\Uncanny Mixture\putty.exe : Zone.Identifier (26 bytes)
D:\Library\Uncanny Mixture\Unlocker 1.8.1.exe : Zone.Identifier (26 bytes)
D:\Music\Yabanci\S\Sentenced\sentenced - north from here\Thumbs.db : encryptable (0 bytes)
D:\Psychic Designer Projects\Bahariye Halı (Son)\Thumbs.db : encryptable (0 bytes)
D:\Psychic Designer Projects\Berk Aydin\turkce\Thumbs.db : encryptable (0 bytes)
D:\Psychic Designer Projects\Bermuda Sapka\bemud\sapka\Thumbs.db : encryptable (0 bytes)
D:\Psychic Designer Projects\DoneAjans\admin\Thumbs.db : encryptable (0 bytes)
D:\Psychic Designer Projects\DoneAjans\DUgallery33.zip : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\DoneAjans\elektronik.rar : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\30_03ILAN.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\4st-21ILAN.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\CERCEVE.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\HEY.tif : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\HEYILANN.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\SLOGAN.tif : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\resimler\UNLEM.tif : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\web ana.doc : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\WEB ANASAYFA.xls : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\mailler\Westerdam ile Akdeniz 08 Haziran.doc : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\1_anasayfa.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\CERCEVE.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\logo.tif : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\prag_firsat.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\resort_firsat2.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\SE7_resmifirsat.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\SLOGAN.tif : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\st.pt_firsat3.jpg : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\unlem.tif : Zone.Identifier (26 bytes)
D:\Psychic Designer Projects\Hey Travel Trends\src_img\vegas1_firsat4.jpg : Zone.Identifier (26 bytes)

Your problem is a Trojan horse called ColdFusion and it is a process injecting Trojan which means it starts with Explorer.exe and is therefore hard to remove: it’s impossible to kill the infected process without killing Windows. (Except for anti-malware programs which can remove these injected dll’s like Ewido, but unfortunately, Ewido doesn’t have this one in its definitions.)

http://www.sophos.com/virusinfo/analyses/trojfusionb.html

The offending entry is:

F2 - REG:system.ini: Shell=Explorer.exe winspols.scr

The first thing to try is fixing this entry. Run HijackThis again, tick the box next to this entry and click ‘fix’.

Reboot into safe mode and run a scan with avast!

This is not guaranteed to work as the Trojan is active in memory and may be protecting registry entries. There are also other registry entries associated with the Trojan, as mentioned in the Sophos write up.

If the Trojan is still present, I’d recommend running the free Sophos command line scanner mentioned in the link below. According to the write up, this should fix it.

http://www.sophos.com/support/disinfection/trojan.html

Good luck!

Hi MarduK :

 "Flashget" is "suspect" also, based on the following info
  from www.spywareguide.com :

"Full Name: FlashGet  

Type: Adware
SG Index: 3
Category Description: Adware: Program that creates advertisments on your Pc.

Note that many websites have their own advertising, unrelated to adware.
Adware is any software application in which advertising is displayed while the program is running. The authors of these applications include additional code that delivers the ads, which can be viewed through pop-up windows or through a bar that appears on a computer screen and sometimes through text links or in search results. Adware may or may not track personal information. It may also gather information anonymously or in aggregate only.

Comment: FlashGet is a Downloader that claims to be the faster than other downloaders. But it also installs adwares with it.

Properties: Adds other software "

Thanks a lot FreewheelinFrank and Spiritsongs…

I’ll give it a shot and try FreewheelinFrank’s suggestion and see what happens… I don’t mind struggling to remove this thing as long as I can get rid of it at the end… And I think I’m gonne be in need of that luck FreewheelinFrank

And Spiritsongs; well that’s something I’m aware of too but I don’t think it would cause a such big and hard to solve problem as this one eh?

And all your “Services” appear to be in “automatic” setting,
which may be caused by the trojan. If possible, best to
follow the recommendations found at :
www.tweakhound.com/xp/xptweaks/supertweaks6.htm .

 Since removal of this trojan sounds extremely difficult,
 you may want to ask the Microsoft Most Valuable
 Professional(s) on the forums at www.aumha.net 
 for help !?

Well FreewheelinFrank I haven’t been able to get rid of it after following your suggestion. And I haven’t been able to find the “Free Sophos Command Line Scanner” in the site you provided…?

Spiritsongs thanks a lot for your suggestion to check onthe AumHa forums. I can’t even remember when I last visited those forums so it’s existance was completely off my mind… Anyway I’ve posted all the same stuff there too, let’s see what kind of results am I going to get from there…
And thanks for commenting on the Services… I didn’t even notice the changes, I use my own setting for the Services, thanks again for pointing that out too…

I hope I won’t have to format the system drive and re-install everything in the end ???
Thanks a lot again for all your help

The Sophos scanner is here:

http://www.sophos.com/tools/sav32sfx.exe

The latest updates are here:

http://www.sophos.com/downloads/ide/403_ides.zip

The Sophos page recommends running the scanner from a CD, but it will run from the hard disk assuming the Trojan is not preventing this.

Run SAV32sfx.exe and move the folder produced to the root directory. (C:/)

[EDIT: just checked and C:/SAV32CLI is the default location when unzipping, so there is no need to move the folder.]

Unzip the updates file and move the contents to the same folder.

Reboot into safe mode with command prompt. Navigate to the folder you created:

[Edit: Navigate to the root directory using cd… ]

CD SAV32CLI, I think it should be. [Edit: it is]

Type in this command and hit enter:

SAV32CLI -REMOVE -P=C:\LOGFILE.TXT

Another possibility is TrojanHunter, which will remove process injecting Trojans. (It has a free working trial.)

http://www.misec.net/

To attempt manual removal, delete or edit these registry values and reboot:

The following registry entries are created to run emgfx.exe, nwisse.exe, winspols.scr and svch0st.com on startup:

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components(tt9381D8F2-0288-11D0-9501-00AA00B911A5)
StubPath
\emgfx.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwisse
\nwisse.exe

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe winspols.scr

[Delete winspols.scr NOT the whole key]

(the default value for this registry entry is “Explorer.exe” which causes the Microsoft file \Explorer.exe

to be run on startup).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
System
\SVCH0ST.com

[Edit: regedit will run from the command prompt in safe mode. Explorer.exe is not running in safe mode with command prompt so you should be able to delete the winspols.scr entry from the explorer.exe key without any problem.]

Good luck!