Virus/trojan keeps re-appearing

Avast on-access protection detected some malware and suggested I move them to the chest. I followed the advice and then ran the scanner again. As it started, it detected more malware (I forget if it was the same malware) in memory and I tried to move it to the chest again. This time it returned that the file could not be found. Delete and rename/move also did not work. I then had no other option but to pass on any action.

As it was found in memory, avast asked me to restart the computer and run a boot-time scan. During the boot-time scan, more viruses/malware were found and I deleted them all. After the scan completed, I logged on to WinXP and the computer restarted itself in something like 5-10 seconds. I then rebooted in safe mode. This time WinXP did not restart and I ran the avast scanner again. A trojan was detected again in memory. I followed the path and noted that the file was called mywow.dll. If I select move to chest, avast prompts “Virus chest server is not running… cannot process mywow.dll”. If I select delete, no message is shown but the file stays.

I have tried several boot-time scans, and every time the scan detects malware in a folder called “system restore”. Another thing is that mywow.dll does not appear in the boot-time scan, as it seems to be created at every restart.

Please help!!

I logged on to winXP and the computer restarts itself in something like 5-10 seconds.
This indicates you have something like Blaster or Sasser. You can only get this if you haven't kept your system up to date with the latest patches/updates.

I suggest you follow the instructions on my website.
Click on the flag to select your preferred language.

If a virus is replicating (coming back again and again), you should:

  1. Disable System Restore on Windows XP: http://support.microsoft.com/default.aspx?scid=kb;[LN];310405
  2. Clean your temporary files.
  3. Schedule a boot-time scan with avast. Start avast! > Right-click the skin > Schedule a boot-time scan. Select scanning of archives. Boot.
  4. Use a-squared, ewido or Spyware Terminator (trojan removers).

Thanks for your help. Unfortunately the problem has not gone away. After I disabled System Restore and removed all the temp files using CCleaner and Drive Cleaner, I scheduled a boot-time scan. No virus was detected during the scan, but once I logged on to my account, the on-access protection of avast displayed the alert that a virus was found in the temp folder (c:\document and settings[user]\local settings\temp\wino.sys) and the virus was win32.nsanti [Trj]. The computer then automatically reboots.

Does this indicate that the virus is hidden and that it does not replicate or create the malicious code until the boot-time scan is finished?

Additional information:
It can now be confirmed that there are two “infected” files. The first is the one mentioned above and the other is c:\windows\system32\mywow.dll, which avast reports as win32.downloader-BF [trj]. The second file could not be deleted as it appears to be in use by some other application. Both of these files are created during the startup process.

Hi hhichijo,

Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).

Delete the Trojan file:

%System%\wintems.exe

Delete the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
“german.exe”=“%System%\wintems.exe”

[HKCU\Software\DateTime4]
Uid=“”
Port=“”
wdrn=“”

Update your antivirus databases and perform a full scan of the computer.

polonus

It is more likely to indicate that there are other parts to this infection that restore them. Try running Ewido from safe mode; it may be able to find the other element restoring the files. If these files are being downloaded again, as the ‘win32.downloader-BF’ name would indicate, then your firewall isn’t preventing it from connecting to the internet to do its dirty deeds. What is your firewall?

For the future, to help prevent files being placed in the system folders: whilst browsing or collecting email, etc., if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first-day virus, etc.

Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT-based OSes that have administrator accounts: WinNT, Win2k, WinXP.

Hi DavidR,

I tried Ewido and it returned a clean result. The infected computer is actually not connected to any network (the cable is unplugged), so the problem should be regenerating itself internally. It just seems that I could not find the “source” of the virus, as the infected files found by avast in safe mode are created during the restart/startup, according to their creation times.

Did you run Ewido from safe mode, as it is supposed to be more effective?

Have you visited Eddy’s site?
He also has a HijackThis analysis tool which may help determine if there is anything harmful running in a HijackThis log file.

Also useful as a diagnostic tool - Download HiJackThis.zip - HJT Information HiJackThis Tutorial 1 or HiJackThis Tutorial 2 or HiJackThis Tutorial 3
For an on-line analysis - HiJackThis Log file - On-line Analysis OR post the contents of the log file here.
Ignore any O23 reference to avast processes; this is a hiccup in HJT 1.99.1 (especially the missing-file entry for avast). If you need any help with any of the analysis, let us know.

Thanks, I will try Eddy’s HijackThis log analyzer. Ewido was run in safe mode as it is the only way I could log in to my computer. Normal mode (i.e. “non-safe” mode) would just cause the computer to reboot.

You can use my log analyzer, or post the HJT log here and I will have a look at it.

Shall I post the normal scan log or the startup list?

Please post the entire log from HJT

This is the log from a scan I ran yesterday. I suspected the file “launcher.exe” (highlighted in red) was causing the problem and I took the decision to move it out of the system32 folder and change the registry key entry. After I took this step, no more viruses were detected by avast and the previously infected files (mywow.dll and wino.sys), which were repeatedly created, no longer appear. The “automatic” reboot in non-safe mode however still continues.

Does this mean that the virus has already done damage to one (or more) of my files and the reboot is actually caused by the damaged file?

Logfile of HijackThis v1.99.1
Scan saved at 2:26:48, on 14/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\jlau\桌面\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\Launcher.exe,userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: 收音機(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [NVMixerTray] “C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe”
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [!ewido] “C:\Program Files\ewido anti-spyware 4.0\ewido.exe” /minimized
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [H/PC Connection Agent] “C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE”
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [NBJ] “C:\Program Files\Ahead\Nero BackItUp\NBJ.exe”
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: 傳送到 Bluetooth(&B) - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra ‘Tools’ menuitem: Create Mobile Favorite… - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra ‘Tools’ menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra ‘Tools’ menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whlnsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O10 - Unknown file in Winsock LSP: c:\progra~1\whalec~1\client~1\31265d~1.0\whllsp.dll
O16 - DPF: HKJC Applet - https://bet.hongkongjockeyclub.com/ib/ch/HKJC.cab
O16 - DPF: {003FACAF-40CB-4358-96D2-B0D8CEF4DBF5} (SKeyHelper Class) - https://bet.hongkongjockeyclub.com/ib/SKey/ch/cab/EWinSKey.CAB
O16 - DPF: {3AC7F64E-6154-47B0-82B5-764ED4077F77} (DataStorage Class) - http://txn.hkjc.com/BetSlip/object/HKJCSecKey.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by110fd.bay110.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56A7DC70-E102-4408-A34A-AE06FEF01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - https://www.virtualpc.aspac.kpmg.com/WhaleComAE2E946E881A290F57BB0DE712516039F29160C7A26FE01C8BB47D637A92D37BC8335E/WhaleCom1/msrdp.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://www.virtualpc.aspac.kpmg.com/InternalSite/WhlCompMgr.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
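The F2 line in the log above is the detail worth understanding: Winlogon runs every executable listed in the Userinit value at each interactive logon, before the shell starts, and a stock Windows XP install lists only C:\WINDOWS\system32\userinit.exe there. An extra entry chained after it runs on every logon, which is after a boot-time scan has already finished. The following is an added example, not code from the thread, from HijackThis or from Eddy's analyzer; it parses a few lines copied from the posted log and flags Userinit entries that are not the stock one, plus Run-key commands given without a directory (resolved by search order rather than absolute path).

```python
r"""Flag suspicious logon-time persistence in a HijackThis log.

Added example; this is not code from the forum thread, from HijackThis or
from Eddy's analyzer. Winlogon runs every executable listed in the Userinit
value at each interactive logon, before the shell starts, and a stock Windows
XP install lists only C:\WINDOWS\system32\userinit.exe there. An extra entry
chained after it (as with Launcher.exe in the posted log) therefore runs on
every logon, after a boot-time scan has already finished. The sample lines
below are copied from the log posted above.
"""
import re

# Constructed sample: a handful of lines taken from the posted HJT log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\Launcher.exe,userinit.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# The only Userinit entry Windows itself installs (compared case-insensitively).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


def parse_userinit(log_text):
    """Return the comma-separated Userinit entries from the F2 line ([] if none)."""
    m = re.search(r"^F2 - REG:system\.ini: UserInit=(.*)$", log_text, re.M | re.I)
    if not m:
        return []
    # Windows writes a trailing comma after userinit.exe, so drop empty items.
    return [e.strip() for e in m.group(1).split(",") if e.strip()]


def suspicious_userinit(entries):
    """Every Userinit entry that is not the stock userinit.exe at its full path.

    A bare 'userinit.exe' with no directory is flagged too: it is located by
    search order at logon, so a same-named file found first would run instead.
    """
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def parse_run_keys(log_text):
    """Return (hive, value_name, command) for every O4 Run-key line.

    HJT prints the key as HKLM\..\Run; the optional backslash also accepts the
    HKLM..\Run form seen in the copy pasted into the thread.
    """
    pattern = r"^O4 - (HKLM|HKCU)\\?\.\.\\Run: \[([^\]]*)\] (.*)$"
    return [(m.group(1), m.group(2), m.group(3).strip())
            for m in re.finditer(pattern, log_text, re.M)]


def unqualified_run_commands(run_entries):
    """Run-key commands whose executable has no directory component.

    Such a command is resolved by search order rather than by absolute path,
    the same weakness as a bare 'userinit.exe' above.
    """
    flagged = []
    for hive, name, cmd in run_entries:
        # Quoted commands: take the text inside the quotes; otherwise first token.
        exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
        if exe and "\\" not in exe and not exe.startswith("%"):
            flagged.append((hive, name, exe))
    return flagged


def report(log_text):
    """Summarise the findings as a dict a triage script could act on."""
    userinit = parse_userinit(log_text)
    return {
        "userinit": userinit,
        "userinit_suspicious": suspicious_userinit(userinit),
        "run_unqualified": unqualified_run_commands(parse_run_keys(log_text)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

On the posted log this flags C:\WINDOWS\System32\Launcher.exe and the trailing bare userinit.exe, and SOUNDMAN.EXE as a path-less Run entry. The check says nothing about whether a flagged file is malicious; it only tells you which logon-time entries deserve a look, which is exactly where the poster ended up by hand.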

I extracted the most important parts of the analysis result.

General data

You are using the latest version of HijackThis.
Old version of Internet Explorer detected. Update required.
Your Operating System is not up-to-date. Update required.
Your OS seems to be up to date.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


This shows that you have NOT done as stated on my website. :-
You really need to keep your system up-to-date with the latest patches/updates.
And if you don’t have a hardware firewall, get at least a software firewall.

U o4 - hklm\..\run: [ituneshelper] "c:\program files\itunes\ituneshelper.exe" Part of the iTunes software

U o4 - hkcu..\run: [msnmsgr] “c:\program files\msn messenger\msnmsgr.exe” /background
Loads MSN messenger in the background when Windows starts

U o4 - hkcu..\run: [nbj] “c:\program files\ahead\nero backitup\nbj.exe”
Loads Nero backup scheduler when Windows starts

U o8 - extra context menu item: &translate english word - res://c:\program files\google\googletoolbar2.dll/cmwordtrans.html
Google’s translation option

U o8 - extra context menu item: translate page into english - res://c:\program files\google\googletoolbar2.dll/cmtrans.html
Google’s translation button


These are not needed for a system to work. Whether you leave them as they are or not is the user's (your) choice.

X o9 - extra button: related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm

X o9 - extra ‘tools’ menuitem: show &related links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm


These two definitely need to be fixed/removed.

X o16 - dpf: hkjc applet - https://bet.hongkongjockeyclub.com/ib/ch/hkjc.cab

X o16 - dpf: {003facaf-40cb-4358-96d2-b0d8cef4dbf5} (skeyhelper class) - https://bet.hongkongjockeyclub.com/ib/skey/ch/cab/ewinskey.cab

X o16 - dpf: {3ac7f64e-6154-47b0-82b5-764ed4077f77} (datastorage class) - http://txn.hkjc.com/betslip/object/hkjcseckey.cab

X o16 - dpf: {4f1e5b1a-2a80-42ca-8532-2d05cb959537} (msn photo upload tool) - http://by110fd.bay110.hotmail.msn.com/resources/msnpupld.cab

X o16 - dpf: {56a7dc70-e102-4408-a34a-ae06fef01586} (天下搜索) - http://iebar.t2t2.com/iebar.cab

X o16 - dpf: {7584c670-2274-4efb-b00b-d6aaba6d3850} (microsoft rdp client control (redist)) - https://www.virtualpc.aspac.kpmg.com/whalecomae2e946e881a290f57bb0de712516039f29160c7a26fe01c8bb47d637a92d37bc8335e/whalecom1/msrdp.cab

X o16 - dpf: {8d9563a9-8d5f-459b-87f2-ba842255cb9a} (whale client components) - https://www.virtualpc.aspac.kpmg.com/internalsite/whlcompmgr.cab


DPF = Downloaded Program File
These show a little history of what you have downloaded.
Although not harmful, I always say “fix them”.
These are stored in the registry.
Fixing them will clean up the registry a bit.

Conclusion:
No real harmful stuff is found, but you have to be more careful with your system if you want to prevent future infection(s).

I do understand that I need to keep the software up to date, but since I could not get online in this state, there is little I could do. With regard to the firewall, I normally use the one built in to Windows, so no firewall was running during the scan. Is it completely useless? If so, which software firewall would you recommend?

Do you think that the virus might have gone (or been “quarantined” manually by me) but damage had already been done to my files during login, given my description in the previous post?

I would say get Sunbelt Kerio Personal Firewall.
It is a trial, but after 30 days it will run as the free version.
Disable the Windows Firewall.

Thanks Eddy. I will try Sunbelt after I solve my rebooting problem.

I tried disabling the automatic reboot function in Windows and all I got was a black screen (no signal from the display card, and the monitor switched to standby mode) when the problem kicked in. There was not even a BSOD.

Now that it seems the trojan/virus is contained and the rebooting is due to some damaged files, do you have any idea where I could get further help for my automatic rebooting problem?

Please check the windows\minidump folder.
Windows may have created a minidump there.
If there is one, look at the date/time of creation.
If it is about the same date/time as the black screen, I would like to have a look at it.

This is the minidump created at the time of the reboot. I hope I have extracted the information correctly.

----- 32 bit Kernel Mini Dump Analysis

DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
DirectoryTableBase 183a5000
PfnDataBase 81053000
PsLoadedModuleList 8054ce30
PsActiveProcessHead 8054ee78
MachineImageType 0000014c
NumberProcessors 00000001
BugCheckCode 1000008e
BugCheckParameter1 80000004
BugCheckParameter2 804dd47c
BugCheckParameter3 b93b37c0
BugCheckParameter4 00000000
PaeEnabled 00000000
KdDebuggerDataBlock 8053ede0
MiniDumpFields 00000dff

TRIAGE_DUMP32:
ServicePackBuild 00000100
SizeOfDump 00010000
ValidOffset 0000fffc
ContextOffset 00000320
ExceptionOffset 000007d0
MmOffset 00001068
UnloadedDriversOffset 000010a0
PrcbOffset 00001878
ProcessOffset 000024c8
ThreadOffset 00002720
CallStackOffset 00002978
SizeOfCallStack 000007cc
DriverListOffset 000033d8
DriverCount 00000076
StringPoolOffset 000056e0
StringPoolSize 00001018
BrokenDriverOffset 00000000
TriageOptions 00000041
TopOfStack b93b3834
DebuggerDataOffset 00003148
DebuggerDataSize 00000290
DataBlocksOffset 000066f8
DataBlocksCount 00000006

Windows XP Kernel Version 2600 (Service Pack 1) UP Free x86 compatible
Kernel base = 0x804d5000 PsLoadedModuleList = 0x8054ce30
Debug session time: Tue Aug 15 22:46:00 2006
System Uptime: 0 days 0:01:03
start end module name
804d5000 806c7900 nt Checksum: 001F3D75 Timestamp: Thu Aug 29 17:03:24 2002 (3D6DE35C)

Unloaded modules:
f7e7a000 f7e7b000 drmkaud.sys Timestamp: unavailable (00000000)
b9689000 b9696000 DMusic.sys Timestamp: unavailable (00000000)
b9636000 b9659000 aec.sys Timestamp: unavailable (00000000)
b96c9000 b96d7000 swmidi.sys Timestamp: unavailable (00000000)
f7def000 f7df1000 splitter.sys Timestamp: unavailable (00000000)
f7bcf000 f7bd7000 processr.sys Timestamp: unavailable (00000000)
f7acf000 f7ad4000 Cdaudio.SYS Timestamp: unavailable (00000000)
f7ccb000 f7cce000 Sfloppy.SYS Timestamp: unavailable (00000000)

Finished dump check
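The header summary posted above already carries the first facts an analyst wants: the bug check code, its four parameters, and the load range of nt. The following is an added example, not code from the thread and not Eddy's analysis, that decodes those fields. The name tables cover only the codes needed here and come from the documented Windows bug check and NTSTATUS lists; the sample text is copied from the posted summary.

```python
"""Decode the DUMP_HEADER32 summary of a 32-bit kernel minidump.

Added example (not from the forum thread). For bug check 0x8E,
KERNEL_MODE_EXCEPTION_NOT_HANDLED, the documented parameters are:
  1: exception code (an NTSTATUS), 2: address where it was raised,
  3: address of the trap frame, 4: reserved.
The 0x1000008E form is the '_M' variant with the same meaning. The sample
lines below are copied from the summary posted above; the lookup tables
are deliberately limited to the values this thread needs.
"""
import re

# Constructed sample: lines taken verbatim from the posted dump summary.
SAMPLE_DUMP_SUMMARY = """
DUMP_HEADER32:
MajorVersion 0000000f
MinorVersion 00000a28
NumberProcessors 00000001
BugCheckCode 1000008e
BugCheckParameter1 80000004
BugCheckParameter2 804dd47c
BugCheckParameter3 b93b37c0
BugCheckParameter4 00000000
PaeEnabled 00000000
start end module name
804d5000 806c7900 nt Checksum: 001F3D75 Timestamp: Thu Aug 29 17:03:24 2002 (3D6DE35C)
"""

BUGCHECK_NAMES = {
    0x8E: "KERNEL_MODE_EXCEPTION_NOT_HANDLED",
}
# NTSTATUS values commonly seen as parameter 1 of an 0x8E bug check.
NTSTATUS_NAMES = {
    0x80000003: "STATUS_BREAKPOINT",
    0x80000004: "STATUS_SINGLE_STEP",
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
}
VARIANT_M_FLAG = 0x10000000  # set in the 0x1000xxxx '_M' bug check codes


def parse_header(text):
    """Return {field: int} for every 'Name <8 hex digits>' line."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^([A-Za-z0-9]+) ([0-9a-fA-F]{8})$", text, re.M)}


def parse_modules(text):
    """Return {module: (start, end)} from 'start end name ...' lines."""
    return {m.group(3): (int(m.group(1), 16), int(m.group(2), 16))
            for m in re.finditer(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (\S+)", text, re.M)}


def bugcheck_name(code):
    """Map a bug check code to its documented name, marking the _M variant."""
    base = code & ~VARIANT_M_FLAG
    name = BUGCHECK_NAMES.get(base, "UNKNOWN_0x%X" % base)
    return name + "_M" if code & VARIANT_M_FLAG else name


def owning_module(address, modules):
    """Return the module whose load range contains address, or None."""
    for name, (start, end) in modules.items():
        if start <= address < end:
            return name
    return None


def describe(text):
    """Summarise the crash: bug check, exception, faulting module and offset."""
    h = parse_header(text)
    mods = parse_modules(text)
    p1, p2, p3 = (h["BugCheckParameter1"], h["BugCheckParameter2"],
                  h["BugCheckParameter3"])
    module = owning_module(p2, mods)
    return {
        "bugcheck": bugcheck_name(h["BugCheckCode"]),
        "exception": NTSTATUS_NAMES.get(p1, "0x%08X" % p1),
        "fault_address": p2,
        "module": module,
        "offset": (p2 - mods[module][0]) if module else None,
        "trap_frame": p3,
    }


if __name__ == "__main__":
    for key, value in describe(SAMPLE_DUMP_SUMMARY).items():
        print("%-14s %s" % (key, hex(value) if isinstance(value, int) else value))
```

For the posted header this gives KERNEL_MODE_EXCEPTION_NOT_HANDLED_M with exception STATUS_SINGLE_STEP raised at 0x804dd47c, which is inside nt at offset 0x847c, with the trap frame at 0xb93b37c0. That locates the fault but not its cause; the call stack and the trap frame contents are only in the dump file itself, which is why the next reply asks for it.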

I will send you an email address in a private message.
Please send the minidump file to me as an attachment so I can analyse it.
I will post the findings here after analysing it.