Hello everybody,

when I was working at my PC today, surfing the internet, avast! suddenly announced that it had found two trojans in my C:\WINDOWS\SYSTEM32 folder (On-Access scan).
I moved them into the Chest and checked afterwards which files were infected. They are called rlx51dom.dll and rlx66dob.sys.
The thing that surprises me is that in the “properties” it says the last change/access to this file was two hours ago, when I was definitely NOT working at my PC because I was not at home.

I ran HijackThis and I have to say, I blame myself for not having Windows SP2. Don’t hit me now, please, I didn’t know I hadn’t downloaded it! I was pretty sure I had SP2 installed and was shocked when HJT told me I hadn’t!

The log is below. I fear that the only thing I can do now is rebuild my system, or can I do something else?

Oh, before I forget: When I first installed avast!, it announced some viruses in the System Volume Information. But I came to the conclusion that these were my old files from Avira AntiVir, which I used before, because avast! found the same files (same last access, same size etc.) in the folder where I found an older version of AntiVir. Now I fear that I came to a false conclusion back then…

Or is it possible that avast! found the files because they include some information on the virus Goldun-IF itself? So that avast! detected its own files? Just because it was today, and I found out that the Goldun-IF had been recently reported and included in the virus databases…
Most probably not… :cry:

Please don’t blame me for my foolishness regarding SP2. Is it useful to download it now or should I just do the format c: and download it then?

Sad greetings,
Einoel

Here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 19:01:44, on 14.04.2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Scroll Mouse\4DMAIN.EXE
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\ICQLite\ICQLite.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Programme\WinRAR\WinRAR.exe
C:\DOKUME~1\Jule\LOKALE~1\Temp\Rar$EX00.172\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmx.de/
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - C:\Programme\GMX\GMX Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar2.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Programme\ICQToolbar\toolbaru.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM..\Run: [PromulGate] “C:\Programme\DelFin\PromulGate\PgMonitr.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Programme\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [WheelMouse] C:\Programme\Scroll Mouse\4DMAIN.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [ICQ Lite] “C:\Programme\ICQLite\ICQLite.exe” -minimize
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\RunOnce: [ICQ Lite] C:\Programme\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Google Search - res://c:\programme\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Im Cache gespeicherte Seite - res://c:\programme\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Verweisseiten - res://c:\programme\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Ähnliche Seiten - res://c:\programme\google\GoogleToolbar2.dll/cmsimilar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Did you uninstall Antivir to install avast?
I suggest you disable system restore feature, schedule a boot time scanning with avast, boot, send any infected file to Chest, enable system restore again.

It’s possible if the original file is packed (zip) and avast unpacks it to scan it… but avast can handle these temporary files.

Hi Einoel,

Your HijackThis! log looks OK apart from one spyware entry:

http://www.castlecops.com/s2849-PromulGate.html

But the two infected files you mention belong to the Haxdoor rootkit:

http://www.bleepingcomputer.com/startups/rlx51dom-17241.html

http://www.bleepingcomputer.com/startups/hijackthis/O23.html

You should run a couple of anti-rootkit scans to check for rootkits, and remove any found, and then post a new HijackThis! log to see if anything shows up.

You need to run HijackThis! from a permanent folder, by the way. See here:

http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore

I would recommend BlackLight, AVG and Panda anti-rootkit scanners:

http://www.f-secure.com/blacklight/

http://free.grisoft.com/doc/avg-anti-rootkit-free/lng/us/tpl/v5

http://research.pandasoftware.com/blogs/research/archive/2007/04/02/Panda-AntiRootkit-Released.aspx

To check for spyware, run AVG Anti-spyware, a-Squared, Ad-Aware and Spybot Search & Destroy free scanners.

AVG Anti-spyware (requires Win2k/XP):

http://www.ewido.net/en/product/

a-Squared Free:

http://www.emsisoft.com/en/software/free/

Ad-Aware:

http://www.download.com/3000-2144-10045910.html

Spybot Search & Destroy:

http://www.safer-networking.org/en/download/index.html

Yes, I did uninstall AntiVir to install avast. The files in the other folder (not the System Volume Information) were on my second hard disk in the folder Windows\System. It’s a bit complicated - this second hard disk is from my old PC (where I used AntiVir), which I put into my new one to copy those files onto the “main” hard disk I use now. It’s possible that I forgot to uninstall AntiVir completely from this disk…

Those files in the System Volume Information are called:
A0047114.exe
A0047115.exe
A0047116.exe
A0047117.dll
and their counterparts (same order as above) are:
NDNuninstall5_48.exe (Folder: C:\WINDOWS)
NDNuninstall5_64.exe (Folder: C:\WINDOWS)
Amcis2.dll (Folder: E:\WINDOWS\SYSTEM)
msipcsv.exe (Folder: E:\WINDOWS\SYSTEM)

Oh dear… the longer I think the more I fear having done only wrong things… :-\

Anyway, I will do as you suggested.

If you disable it, boot, enable again, these files will be deleted and that folder cleaned.

Sorry, I forgot to tell that those files I mentioned were already in the Virus Chest of avast!
Anyway, I did disable SVI and scheduled a boot time scan. This time, avast! found again several viruses on my second hard drive which I don’t use at all (the only reason I didn’t put it into the wastebin so far is that I didn’t find the time), and one on my main hard drive.
One is called Win32:Adware-gen, the other three are called Win32:Spyware-gen.
Does this mean my computer is not infected by them yet but would have been infected if I had started those files in some way?
Or is everything lost now?

However, I downloaded and ran those programs FreewheelinFrank told me about, but there are new versions on the internet, so I updated them and will run them again now.

So far, the anti-rootkit programs told me there were no rootkits on my computer; the spyware programs gave me several alerts, most of them tracking cookies, but one trojan and some adware were found as well.
After having run the non-updated versions, I ran HijackThis again just to check this spyware “PromulGate” thing, and it was not running anymore.

I will run the programs again and afterwards tell you what’s going on here. If you come to the conclusion that it would be better deleting and formatting everything and starting anew, tell me soon so that I can prepare myself… :frowning:

Right click them, scan them, and if they’re still infected, you can delete them. Anyway, there is no rush to delete files from the Chest; they’re safe there and can’t harm your computer.

Most probably…

Did you run avast at boot time?

It will be good.

I see no reason for such a radical attitude…

:slight_smile: Hi Einoel :

I am concerned you may NOT have COMPLETELY REMOVED AntiVir/Avira. AntiVir (Avira) experts recommend the use of their "Avira Antivir RegistryCleaner" as well as the appropriate “Uninstallation Package”, both of which can be found at: www.avira.com/en/support/av7_upgrade_tools.html; have you done this?

The "shortness" of the "Running Processes" in your posted HijackThis log indicates you MAY have run it in "Safe Mode"; if you did, the info in the log is almost useless. HijackThis scans give the best info when run in "Normal" mode.

Hello! After a week of hard work for University, I found the time to care for my PC again today.
So, here are the results of the scans I did last week. For easy reading, I will give a short summary of the scan logs and what I did with the files.

AVG Anti-Rootkit, Panda Anti-Rootkit, Blacklight:
No Rootkits found

AVG Anti-Spyware:
C:\Dokumente und Einstellungen\Jule\Lokale Einstellungen\Temp\BDECache\bde108.tmp/bdeinstallman3.exe → Adware.Altnet
E:\WINDOWS\SYSTEM\htmdeng.exe → Adware.Aureate
Einstellungen\Temp\BDECache\bde12F.tmp/bdeviewer.exe → Trojan.Krepper.y

Several times found in different files:
C:\WINDOWS\BDE\mskin\Thumbs.db → Adware.BrilliantDigital
HKLM\SOFTWARE\DelFin → Adware.Delfin
HKLM\SOFTWARE\DelFin\PromulGate → Adware.Delfin
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer → Adware.Delfin
HKU\.DEFAULT\Software\New.net → Adware.NewDotNet
HKU\S-1-5-18\Software\New.net → Adware.NewDotNet
C:\Dokumente und Einstellungen\Jule\Lokale Einstellungen\Temporary Internet Files\Content.IE5\K1O9INWP\nav[2].htm → Not-A-Virus.Exploit.HTML.Mht :
C:\Dokumente und Einstellungen\Jule\Lokale

All of them: Quarantine

Several Tracking Cookies
All of them: Delete

A-Squared free:
E:\WINDOWS\WELCOME.EXE gefunden: Trojan.Win32.ITIS

Quarantine

Most of the traces were found several times in different files. As a summary, I just give one example for each trace.
C:\WINDOWS\temp\adware gefunden: Trace.Directory.Claria.CommonComponents
C:\Programme\delfin gefunden: Trace.Directory.DelFinMediaViewer
C:\WINDOWS\temp\adware gefunden: Trace.Directory.Gator
Value: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run → promulgate gefunden: Trace.Registry.DelFinMediaViewer
Key: HKEY_LOCAL_MACHINE\software\tat gefunden: Trace.Registry.DelFinMediaViewer
Value: HKEY_CURRENT_USER\Software\XTTB00001\Toolbar\tb_items → Widthcombo11 gefunden: Trace.Registry.Eqiso Toolbar
Value: HKEY_LOCAL_MACHINE\software\kazaa\bandwidth\in → b0 gefunden: Trace.Registry.KaZaA
Key: HKEY_LOCAL_MACHINE\software\classes\netscape starting gefunden: Trace.Registry.MidnightOil
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net → Changed gefunden: Trace.Registry.NewDotNet
Value: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\New.net → SlowInfoCache gefunden: Trace.Registry.NewDotNet
C:\Programme\icqtoolbar gefunden: Trace.Directory.ICQToolbar
C:\Programme\icqtoolbar\version.txt gefunden: Trace.File.ICQToolbar
Value: HKEY_CURRENT_USER\Software\XTTB00001\Toolbar → #EditWidthcombo# gefunden: Trace.Registry.ICQToolbar

All of them: Quarantine

Ad-Aware 32 Personal Edition:
ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping “{c95fe080-8f5d-11d2-a20b-00aa003c157a}”
obj[1]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping “{c95fe080-8f5d-11d2-a20b-00aa003c157a}”

WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=RegData : regfile\shell\open\command “”

BRILLIANTDIGITAL
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[7]=Regkey : .s3d
obj[8]=File : C:\WINDOWS\System32\bderastmmx3.dll

All of them: Quarantine

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Several Tracking Cookies, all of them: Delete

Spybot Search & Destroy:
Microsoft.Windows.Security.InternetExplorer: Einstellungen (Registrierungsdatenbank-Änderung, fixed)
HKEY_USERS\S-1-5-21-823518204-1123561945-839522115-1007\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe!=W=1
Alexa Related: Verknüpfung (Datei austauschen, fixed)
C:\WINDOWS\Web\related.htm

All of them: Fixed

Today, I updated the programs again and let them run. Here are the results:

AVG Anti-Spyware:
Three Tracking Cookies, all of them: Delete

A-Squared free:
E:\System Volume Information_restore{5EA6301D-1A37-473F-B471-1EA85C8DD66F}\RP1\A0000001.EXE gefunden: Trojan.Win32.ITIS

Quarantine

Ad-Aware 32 Personal Edition:

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Several Tracking Cookies, all of them: Delete

Spybot Search & Destroy:
Nothing found

After getting these results, I was quite happy and thought, well, let’s just do another avast! Boot Time Scan, just for security. I expected nothing to be found – but there it went:
Virus found: Win32:Goldun-IF. This time the file is called lr86.exe, and there was something written like [UPX] afterwards.

Again! Why? I don’t get this. Last time I scheduled a boot time scan, avast! found some Adware-/Spyware-Gen (as I already wrote). Is there some file left that’s always generating new Trojans on my PC or was this something avast! didn’t detect last time for some reason, but now it’s finally over?
To ask it directly: Am I secure now or do I have to do anything else? Again some boot time scan after having disabled System Restore, for example?

And another question: Since I installed all those Anti-Spyware Programs on my PC, it’s booting very, very slowly. Do I have to keep all of them or is it okay if I uninstall several of them? Which one should I keep?

By the way, I ran HijackThis again. The log is below.

@Spiritsongs:
No, I didn’t run it in safe mode (that is, if you mean the safe mode you can start when pressing F8 while the PC is booting), but I didn’t have SP2 installed back then. After having installed it, there are many more running processes in the log, as you can see… is this normal? Is this why my PC is booting so slowly? And can I change this somehow?!

Here is the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:07:47, on 22.04.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Programme\Ahead\InCD\InCD.exe
C:\Programme\Scroll Mouse\4DMAIN.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\HP\HP Software Update\HPWuSchd2.exe
C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
C:\Programme\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Programme\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Dokumente und Einstellungen\Admin\Eigene Dateien\HJT\HijackThis.exe

O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O3 - Toolbar: GMX Toolbar - {2D1DDD38-CE4D-459b-A01C-F11BC92D5B69} - C:\Programme\GMX\GMX Toolbar\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programme\google\googletoolbar1.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM..\Run: [QuickTime Task] “C:\Programme\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [InCD] C:\Programme\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [WheelMouse] C:\Programme\Scroll Mouse\4DMAIN.EXE
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [HP Software Update] C:\Programme\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [ICQ Lite] “C:\Programme\ICQLite\ICQLite.exe” -minimize
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Programme\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU..\Run: [swg] C:\Programme\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programme\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra ‘Tools’ menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Programme\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Programme\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Programme\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programme\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

I’m not an expert on HJT, but it seems you don’t use a firewall. Why?
Also seems you have a questionable toolbar installed…

Tech is pointing at this:
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll (file missing)

Kind of unnecessary (deactivated) entry that can be fixed. toolbaru.dll - ICQ Toolbar; you can tag that and clean it out. Furthermore, there are no critical things as such.

polonus
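The replies above triage the HijackThis log by eye: entries marked "(file missing)" are orphaned and safe to fix, filenames named earlier in the thread (rlx51dom.dll, rlx66dob.sys, PgMonitr.exe, lr86.exe) are known bad, and services with "Unknown owner" deserve a second look. The script below is an added example of doing that triage offline; it is not HijackThis code or the posters' own, and it works on a constructed sample log in HijackThis 1.99 format rather than on the real logs posted here. The watchlist and the "temporary folder" heuristic are assumptions drawn from this thread and should be extended for other cases.

```python
import re
import sys

# Filenames this thread identifies as malicious: the Haxdoor rootkit components,
# the DelFin/PromulGate adware loader, the Goldun-IF file and the Run value named
# in the removal instructions. Assumption: extend the set for your own case.
WATCHLIST = {"rlx51dom.dll", "rlx66dob.sys", "pgmonitr.exe", "lr86.exe", "wmedia32.exe"}

# Autostart locations legitimate software rarely uses (German XP profile names
# included because the logs in this thread come from a German installation).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\",
                "\\lokale~1\\", "\\local settings\\", "\\lokale einstellungen\\")

# "O4 - HKLM\..\Run: [...]" -> section "O4", body is everything after the dash.
LINE_RE = re.compile(r"^(?P<section>[RFON]\d+)\s+-\s+(?P<body>.*)$")
# First drive-letter path ending in an executable extension; lazy so it stops at
# the extension and ignores trailing arguments or "(file missing)".
PATH_RE = re.compile(r"([A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx|scr|com))(?![\w.])", re.IGNORECASE)

# Constructed sample log, modelled on the entry types posted in this thread
# (O2 BHO, O4 Run, O23 service). It is not one of the real logs above.
SAMPLE_LOG = r"""
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\Programme\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programme\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PromulGate] "C:\Programme\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Updater] C:\DOKUME~1\Jule\LOKALE~1\Temp\lr86.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def parse_line(line):
    """Split one HijackThis line into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def classify(section, body):
    """Return (path, reasons) for one entry; an empty reasons list means nothing to flag."""
    m = PATH_RE.search(body)
    path = m.group(1) if m else ""
    lowered = path.lower()
    name = lowered.rsplit("\\", 1)[-1]
    reasons = []
    if name in WATCHLIST:
        reasons.append("filename matches the watchlist")
    if "(file missing)" in body:
        reasons.append("orphaned entry, the file no longer exists (safe to fix in HJT)")
    else:
        if section == "O4" and any(t in lowered for t in TEMP_MARKERS):
            reasons.append("autostart from a temporary folder")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service binary without a publisher name, confirm it belongs to installed software")
    return path, reasons


def triage(log_text):
    """Walk a whole log and return one finding per flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        path, reasons = classify(section, body)
        if reasons:
            findings.append({"section": section, "path": path, "reasons": reasons})
    return findings


def format_report(findings):
    """Human-readable summary, one block per flagged entry."""
    lines = []
    for f in findings:
        lines.append(f"{f['section']:<4} {f['path']}")
        lines.extend(f"      - {r}" for r in f["reasons"])
    return "\n".join(lines) if lines else "nothing flagged"


if __name__ == "__main__":
    # Pass a saved hijackthis.log path, or run without arguments to use the sample.
    text = open(sys.argv[1], encoding="latin-1").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(triage(text)))
```

Run it against a saved log and it flags the orphaned ICQ toolbar BHO and mail-scanner service, the PromulGate loader, an autostart living under the user's Temp folder, and the service whose publisher is unknown, while leaving the Google toolbar, avast and NVIDIA entries alone. Anything flagged still needs the manual checks the thread describes; the script only sorts the log into "look here first" and "probably fine".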

Well, I do have a firewall installed - the Windows-XP-Firewall. Should I use another one? Which one would you suggest?

The thing with the ICQ toolbar - I think this is because A-Squared took the ICQ toolbar as some “critical object”. I thought “Well, better some false positives deleted that can be downloaded again if necessary than having some malware not detected” and let A-Squared quarantine the files about ICQ toolbar it found. But since I don’t use it at all, I will fix it in HJT as Polonus suggested.

However, what about avast! finding again this Win32:Goldun-IF in my second boot time scan? And what about the malware the Spyware-Scanners found? Is it okay just to quarantine (and delete, if necessary) them or do I have to do something else with them?
(…see my posting before the HJT log, where I wrote down the logs of the several scanners I used)

Hi Einoel,

Ok, you did the right thing there. Now about the malware Win32.Goldun-IF. When it is in quarantine, it cannot harm you anymore, but just have a look at your registry to see if it really has left your computer.
Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type ‘Regedit’ and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the ‘Registry’ menu, click ‘Export Registry File’. In the ‘Export range’ panel, click ‘All’, then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shell
wmedia32.exe

and delete it if it exists.

Close the registry editor.

polonus
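The instructions above say to back up the registry with "Export Registry File" and then look in HKLM\...\CurrentVersion\Run for the entry tied to wmedia32.exe. The example below is added here and is not polonus's or Sophos-style removal code; it reads the instructions as "a Run value named Shell whose data points to wmedia32.exe" (an assumption, since the post lists the three on separate lines) and checks an exported .reg file offline instead of touching the live registry. The sample export is constructed, not the poster's registry.

```python
import re
import sys

# The Run key, the value name and the filename named in the removal instructions
# above. Assumption: "Shell" is read as a value name under Run, where it does not
# belong (the legitimate Shell value lives under Winlogon).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_VALUE_NAMES = {"shell"}
WATCHLIST = {"wmedia32.exe"}

# One "name"="data" line of a Regedit 5.00 export; the value name is quoted and
# "@" stands for the key's default value. dword:/hex: data is kept raw.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
# Executable basenames mentioned in a value's data (RUNDLL32.EXE x.dll,Entry etc.).
EXE_RE = re.compile(r"[\w~.-]+\.(?:exe|dll)", re.IGNORECASE)

# Constructed sample export of the Run key. Regedit doubles backslashes and
# escapes quotes inside string data, which is why the parser has to unescape.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"Shell"="C:\\WINDOWS\\System32\\wmedia32.exe"
'''


def _unescape(s):
    # Undo Regedit escaping (doubled backslash, backslash-quote) in a single pass.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse a Regedit 5.00 export into {key: {value_name: data}} (string values decoded)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue  # assumption: no multi-line hex continuations in the export
        name = "@" if m.group("default") else _unescape(m.group("name"))
        data = m.group("data")
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = _unescape(data[1:-1])  # REG_SZ
        keys[current][name] = data
    return keys


def check_run_key(keys):
    """Return the Run values that match the indicators from the removal instructions."""
    findings = []
    for name, data in keys.get(RUN_KEY, {}).items():
        reasons = []
        if name.lower() in SUSPECT_VALUE_NAMES:
            reasons.append("value name does not belong in the Run key")
        hits = [t for t in EXE_RE.findall(str(data)) if t.lower() in WATCHLIST]
        if hits:
            reasons.append("references " + ", ".join(hits))
        if reasons:
            findings.append({"name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Regedit writes exports as UTF-16 with a BOM; pass such a file, or omit for the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_REG
    for f in check_run_key(parse_reg(text)):
        print(f"{f['name']!r} = {f['data']!r}")
        for r in f["reasons"]:
            print("   -", r)
```

Export only the Run key (right-click it in Regedit, Export) and point the script at the file; it reports the Shell value with both reasons and says nothing about the avast and NVIDIA entries. Removing the value is still a manual step in Regedit, after the backup the post asks for.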

Ok, I will do so.

Another question came into my mind:
FreewheelinFrank told me that I had this spyware “Promulgate/pgmonitr.exe” on my PC (it was found in HJT). The Spyware-Scanners (I think it was AVG and A-Squared) found these as well and I told them to quarantine the files related to this program.
Since it was obviously found in my registry by HJT, does it mean it was active? If so, what consequences does this have for me? Besides changing all passwords? Is it possible for anybody to go around on my PC now, or was it possible, but is not anymore?
As you can see, I’m quite new to this, to be honest, I was very shocked finding out I have some malware on my PC since I’m pretty sure I never downloaded anything that was unknown to me… but somehow it seems I have done some stupid things in my past…
However, I hope my PC will be secure again soon…

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection and you should consider a third party firewall.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

  • Zone Alarm free http://www.zonelabs.com works fine with avast (however it is now becoming very bloated with trial software and some are experiencing issues with it) and has a reasonably friendly user interface.

There are others, Comodo gets very favourable comments in the forums.

See some firewall tests for comparison, some are freeware but many are paid for versions http://www.firewallleaktester.com/tests.php. Also see http://www.thefreecountry.com/security/firewalls.shtml