I already fixed the lines in HJT and rebooted. trzC.tmp is in the virus chest; I put it in there when I found out it was a virus. I’ll check the AVG log in a minute.

All my AVG report says is:


AVG Anti-Spyware - Scan Report

  • Created at: 11:40:23 AM 4/14/2007

  • Scan result:

::Report end

??? Should I do a full system scan again?

First take a quick look for wvvtsr.dll and opmkjh.dll and let me know if they’re found. If you do find them, scan them at VirusTotal.

Yes, I think an AVGAS scan makes sense. As before, quarantine anything found.

Follow this with one (last?) hijackthis log.

Ok, I still can’t find the 2 files. I’ll start the full system scan. I’ll reply when it’s done. It might be a while.

Ok, the AVGAS scan is done, quarantined all of them. Here’s the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:24 AM, on 4/15/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Comodo\Firewall\cpf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [COMODO Firewall Pro] “C:\Program Files\Comodo\Firewall\CPF.exe” /background
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab55579.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\System32\PnkBstrB.exe

Can you post the AVG log while I look at hjt?

Yea, sure, here it is:


AVG Anti-Spyware - Scan Report

  • Created at: 7:58:14 AM 4/15/2007

  • Scan result:

C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000019.exe → Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0001014.dll → Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002069.dll → Adware.BHO : Cleaned with backup (quarantined).
C:\Program Files\Alwil Software\Avast4\DATA\moved\tmp2.tmp.vir → Backdoor.Apex : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002061.exe → Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0003049.exe → Downloader.Agent.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0003040.dll → Downloader.ConHook.an : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[2] → Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[3] → Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\windm[4] → Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\windm[2] → Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\xpupdate.exe → Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0001045.exe → Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[1] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[2] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\packed_installer_cna[3] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[1] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[2] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\packed_installer_cna[3] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[1] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[2] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[3] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[4] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\packed_installer_cna[5] → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000021.exe → Proxy.Wopla.ag : Cleaned with backup (quarantined).
C:\Documents and Settings\mine\Desktop\SDFix\backups\partnership.dll → Proxy.Xorpix.bc : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Atdmt : Cleaned.
:mozilla.31:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Com : Cleaned.
:mozilla.41:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Doubleclick : Cleaned.
:mozilla.68:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Mediaplex : Cleaned.
:mozilla.54:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Netflame : Cleaned.
:mozilla.53:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Pointroll : Cleaned.
:mozilla.34:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Revsci : Cleaned.
:mozilla.36:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Revsci : Cleaned.
:mozilla.37:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Revsci : Cleaned.
:mozilla.38:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Revsci : Cleaned.
:mozilla.33:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Tribalfusion : Cleaned.
:mozilla.74:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\mine\Cookies\mine@tribalfusion[2].txt → TrackingCookie.Tribalfusion : Cleaned.
:mozilla.35:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Yieldmanager : Cleaned.
:mozilla.39:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Yieldmanager : Cleaned.
:mozilla.40:C:\Documents and Settings\mine\Application Data\Mozilla\Firefox\Profiles\833v7eaw.default\cookies.txt → TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[1] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[2] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[3] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[4] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWLSZC\google[5] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[1] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[2] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XJ2LPQU4\google[3] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[1] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[2] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Y501N6YN\google[3] → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000016.exe → Trojan.Agent.aiw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0000018.exe → Trojan.Agent.bou : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{EABF4578-546C-4D1E-BA23-7016DFA29785}\RP2\A0002068.dll → Trojan.Vqten : Cleaned with backup (quarantined).

::Report end

Click Start > Run

In the empty field type cmd and click OK.

At the command prompt type

sc delete Microsoft IEUpdater2

and hit enter.

When you ran AVG the first time did you quarantine everything? Are all these in your AVG log new items now?
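As an added example (not code from this thread or from HijackThis), a small parser for the O23 service lines shown in the log above: it flags entries whose binary is missing or whose owner is unknown and builds the `sc delete` command from the name in parentheses, which is the service key name `sc.exe` expects (quoted, since "Microsoft IEUpdater2" contains a space). The sample lines are copied from the log posted earlier in this thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: three O23 lines taken from the HijackThis 1.99.1 log above.
SAMPLE_LOG = "\n".join([
    r"O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe",
    r"O23 - Service: ieupdater2 (Microsoft IEUpdater2) - Unknown owner - C:\ie_updater.exe (file missing)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe",
])

@dataclass
class O23Entry:
    display_name: str
    service_name: str   # key name under HKLM\SYSTEM\CurrentControlSet\Services
    owner: str          # company from the binary's version info, per HJT
    image_path: str
    file_missing: bool

    @property
    def unknown_owner(self) -> bool:
        return self.owner == "Unknown owner"

# HJT writes "Display Name (ServiceName)"; the parenthesis is omitted when both are equal.
_NAME_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<service>[^()]+)\)$")
_MISSING = "(file missing)"
_PREFIX = "O23 - Service: "

def parse_o23(line: str) -> Optional[O23Entry]:
    """Parse one 'O23 - Service:' line; return None for any other line."""
    if not line.startswith(_PREFIX):
        return None
    body = line[len(_PREFIX):].strip()
    # Fields are separated by ' - '; split from the right so a display name
    # containing ' - ' stays intact (the owner and path fields never contain it).
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    names, owner, path = parts
    file_missing = path.endswith(_MISSING)
    if file_missing:
        path = path[: -len(_MISSING)].rstrip()
    m = _NAME_RE.match(names)
    display, service = (m.group("display"), m.group("service")) if m else (names, names)
    return O23Entry(display, service, owner, path, file_missing)

def parse_log(text: str) -> List[O23Entry]:
    """All O23 entries in a HijackThis log, in file order."""
    return [e for e in (parse_o23(l) for l in text.splitlines()) if e]

def suspicious(entries: List[O23Entry]) -> List[O23Entry]:
    """Entries worth a closer look: binary gone and/or no vendor in the version info."""
    return [e for e in entries if e.file_missing or e.unknown_owner]

def sc_delete_command(entry: O23Entry) -> str:
    """sc.exe takes the service key name, not the display name; quote it for spaces."""
    return f'sc delete "{entry.service_name}"'

if __name__ == "__main__":
    for e in suspicious(parse_log(SAMPLE_LOG)):
        print(f"{e.service_name!r}: missing={e.file_missing} owner={e.owner!r} -> {sc_delete_command(e)}")
```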

When I open cmd and type it, it says "The specified service does not exist as an installed service".

I quarantined everything, but what do you mean are they new items now?

At the end of the first AVG scan there should have been an option to set Quarantine as the option to apply and a button to Apply All Actions. If you did that on the first scan then all of the items you just posted on the subsequent scan are new and there is still a problem.

But looking at this logically I think you didn’t quarantine the first time. This is the only way I can make sense of the empty log from the first scan and the fact that System Restore files are being tagged in the second scan.

But, do you remember either way? I would like to confirm my hypothesis if possible.

Yea I think I forgot to click apply all actions because I thought they were all quarantined. I might have just x’ed out of it.

I’m gonna go for a while; I’ll be back on in a half hour or so. I’ll reply back then.

I think that’s probably it.

I asked you to run CleanUp earlier in this process but maybe that got missed too. Go ahead and run it now to clean up any remaining temporary internet files (close your browser first). When it asks about logging out you don’t need to do that immediately.

Your computer should be running a bit faster now that it’s clean.

Since it is clean let’s create a new system restore point and get rid of the old ones.

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialog box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

To get rid of the old ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The system will do some calculation and then display a dialog box with tabs.
  5. Select the More Options Tab.
  6. At the bottom will be a System Restore box with a CLEANUP button; click this.
  7. Accept the warning and select OK again; the program will close.

The files you moved to the user section of the avast! chest should be emailed to Alwil by highlighting them and clicking the email icon. After successfully sending them they should be deleted.

SDFix and the backups can also be deleted now (there’s no need to keep the program. It’s updated very often so if you ever needed it again you would want to download a fresh copy).

Keep AVG AntiSpyware even after the trial period ends. It’s good to scan with it from time to time (I scan weekly). You can augment this with Super AntiSpyware if you like; it’s also free:

http://www.superantispyware.com/

You should also download Spyware Blaster. Install it, update, and “enable all protection”. Do this now, while your computer is clean:

http://www.javacoolsoftware.com/spywareblaster.html

The free version needs to be manually updated about once a month.

And, without wanting to sound like your mom, I would have to say there are safer surfing habits than you’ve been exercising lately :stuck_out_tongue: For sure set your Web Shield to high; it’s not going to slow you down noticeably. But also think about the sites you visit, before you get there.

And don’t forget to get SP2.

Finally, DavidR posted some information about Drop My Rights in your other thread. That advice is well worth following.

EDIT: Please take a quick look for C:\WINDOWS\system32\clcl3.exe. I just want to confirm that it’s been deleted.

Ok, I will tomorrow though, because I don’t have enough time tonight. I’ll reply to you tomorrow and tell you how everything went.

Ok - see you later.

It says for the Cleanup “Do you want to delete everything that isn’t recent?” Wouldn’t that wipe out some of my programs that I use but don’t use often?

I don’t remember ever seeing that statement with CleanUp. Here’s how mine is set:


http://img180.imageshack.us/img180/1796/cleanupua3.png

Instead of CleanUp you could use ATF Cleaner:

http://www.atribune.org/content/view/19/2/

On the main ATF Cleaner page check everything except Prefetch and click Empty Selected. Since you use Firefox make sure you click that tab too and check everything except Saved Form Info and Saved Passwords. Then click Empty Selected again.

To which application does this error message belong?

Hi Steven6767,

Forward the infected file(s) to Avast please (info on their Website), before cleaning it out.
Information on this malware can be found here:
http://411-spyware.com/remove-trojan-downloader-small-2

polonus

Hi Mauserme,

You perform this cleansing routine here. Nothing wrong with this. But you saw that Avast missed the malware file definition. Why did you state further up in this thread that it was not to be mailed by the victim?
Avast should have detection for this as well, shouldn’t it? Or what were your considerations?

polonus