system
April 1, 2005, 1:43am
1
I have multiple files that have this virus on my computer. When I open up/restart my computer, the On-Access scanner finds about 2-10 of this virus. I’ve tried putting them in the chest, and deleting them, but they keep coming back.
A HijackThis log file is attached… I couldn’t fit it all in the post; it said 10,000 max characters.
Thanks. Does anybody know how to fix this virus? I’ve searched around in the forums, found a few topics, but none that helped ME. Thanks!
Generally, a recurring virus can be deleted by:
Emptying all temporary files (Internet cache)
Disable System Restore
Boot time scanning
Enable System Restore
Do you need more help?
system
April 1, 2005, 4:21am
3
Yes.
I’ve tried all of those.
Thank you.
system
April 2, 2005, 4:53pm
4
Same problem here, Help!
Robert
system
April 2, 2005, 5:54pm
5
Hi Robert,
we need more info to help you;
please work through the link “VirusRemoval” below in my sig, and then come back with more info, e.g.
location of virus &
a hijackthis-Log, and
windows- & avast version &
what you’ve tried so far…
DavidR
April 2, 2005, 6:36pm
6
This is an on-line analysis of your log file - http://hijackthis.de/logfiles/ae074b7092d5c95025769bf976c1936d.html this should hopefully get you started. You may then be able to post the contents after fixing the harmful ones and checking the unknown (use google) ones.
There are lots of nasties in the analysis and it also doesn’t see a software firewall. Ignore any reference to any avast entries, this is a bug in the latest HJT 1.99.1.
Also see the link whocares referred to in his signature
system
April 3, 2005, 8:18am
7
Hi Robert,
we need more info to help you;
please work through the link “VirusRemoval” below in my sig, and then come back with more info, e.g.
location of virus &
a hijackthis-Log, and
windows- & avast version &
what you’ve tried so far…
.
malware name: Win32:IstDnldr-U(trj) in C:\DOCUME~1\GEBRUI~1\LOCALS~1\Temp\K2cam7.exe
They keep coming back under different names like BZZrEX.exe, FG9dYA.exe, gshte4.exe etc. after deleting or moving to the chest. I have Windows XP and avast 4.6 Home Edition. I have done all the steps you have described with no success and I have tried many different programs…
Here is my hijack log file:
Logfile of HijackThis v1.99.1
Scan saved at 10:16:00 AM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = \SOFTWARE\Microsoft\Internet Explorer\Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [O3KpDYT1] C:\WINDOWS\jdnhvv.exe
O4 - Startup: EarthView.lnk = C:\Program Files\EarthView\EarthView.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - User Startup: EarthView.lnk = C:\Program Files\EarthView\EarthView.exe
O4 - User Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: UltraMon.lnk = C:\Program Files\UltraMon\UltraMon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra ‘Tools’ menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {1DA3C4AB-E6B6-47A6-B0F3-1BD81524B51B} (ActiveWorldsDownload Control) - http://www.activeworlds.com/products/ActiveWorldsDownload.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {56E4B9EB-4C79-4568-A19E-72794FA70060} (PatsShellOCX Control) - http://193.178.217.26/Jtrader%20new/SunJVMPatsFiles/pats.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://nl.encarta.msn.com/encnet/external/MSSurVid.cab
O16 - DPF: {CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_04) -
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Regards, Robert
system
April 3, 2005, 9:33am
8
I don’t understand if the trojan now appears in the Temp folder or not after your cleaning. If yes, you can shred it and restart with all the steps you described first. Then try this… maybe you’ll have some results: go to http://www.avast.com/eng/avast_cleaner.html, download the removal tool, again do all the steps you have described first and run the tool at reboot.
Sorry, my English is poor, but I hope you understand.
system
April 3, 2005, 9:47am
9
Note: I know that it is a dangerous step to totally “shred” a file, because there’s the danger of damaging some software. Do it ONLY if you are sure of your action!!!
Another thing I want to say: my recent experience taught me that the online HijackThis check may be inaccurate: nothing is better than an expert eye, like the eyes of the many experienced members of this Forum… and I’m not one of them.
system
April 3, 2005, 9:52am
10
Just managed to solve the problem by running a program called a-squared. It managed to get rid of the trojan!
Robert
system
April 3, 2005, 4:18pm
12
Thank you! Um, give me some time to try all this stuff.
Thanks again!
system
April 3, 2005, 5:58pm
13
Oh… I managed to download this program after you posted, and I scanned my computer, and it got rid of the trojan too! Thanks so much!
Also, I tried Avast Cleaner and an online one, but none of them worked.
I also tried deleting stuff from here:
http://hijackthis.de/logfiles/ae074b7092d5c95025769bf976c1936d.html
, but I couldn’t find any of the nasty files! (except one)
But, anyways, thanks guys for all your help.
system
April 5, 2005, 6:42pm
14
Also problems with Win32:IstDnldr-U.
HijackThis v1.98.1 log:
Logfile of HijackThis v1.98.1
Scan saved at 20:36:19, on 05.04.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programme\Sony\vaio media music server\SSSvr.exe
C:\Programme\sony\photo server 20\appsrv\PicAppSrv.exe
C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\SV_Httpd.exe
C:\Programme\Gemeinsame Dateien\sony shared\vaio media platform\UPnPFramework.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ntvdm.exe
C:\T-ONLINE\BSW4\ToDuCAlC.EXE
C:\Programme\Internet Explorer\iexplore.exe
D:\Anwendungen\hjt\HijackThis.exe
c:\Program Files\interMute\SpySubtract\SpySub.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.de/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.de/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online.de/service/redir/tosw4_start.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programme\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Programme\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sais] c:\programme\180solutions\sais.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [yjsxctal] C:\WINDOWS\yjsxctal.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programme\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WashAndGo - Cleanup of old Backupfiles] D:\Programme\Purgatio Pro\checker.exe /check
O4 - HKCU\..\Run: [monitor] monitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programme\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com/
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {5D8844F9-1CB8-11D2-A0A0-00600859EB9F} (PatchCtl Class) - ftp://ftp.pt.ea.com/QA/pub/easports/patches/fifa2004/pc/DE/patchx2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D6800D-3AA5-44DD-BD5C-79E3BD8FD90D}: NameServer = 217.237.150.97 217.237.149.161
Adaware: no success
Search&Destroy: no success
avast: no success
system
April 5, 2005, 7:05pm
15
Did you run a-squared? It solved my problem.
Robert
DavidR
April 5, 2005, 7:16pm
16
You aren’t using the latest version of HijackThis.
In the meantime fix these:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.t-online.de/service/redir/tosw4_start.htm (unless this is something you did intentionally)
O4 - HKLM\..\Run: [sais] c:\programme\180solutions\sais.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [yjsxctal] C:\WINDOWS\yjsxctal.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E5D6800D-3AA5-44DD-BD5C-79E3BD8FD90D}: NameServer = 217.237.150.97 217.237.149.161 (unless this is something you did intentionally or know about, like your ISP’s IP range, etc.)
This is not required at start-up
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
Once you have updated and run an HJT scan, for an on-line scan of your HijackThis log file try here: http://hijackthis.de/index.php