Win32:Trojan-gen

Hi, I was wondering if someone could help.
I’m not all that great with computers so you’ll have to be gentle with me!! Every time I start my computer I keep getting the warning sign come up saying:
Virus name: Win32:trojan-gen. {UPX!}
File name: C:\DOCUME~1\Owner\LOCALS~1\Temp\g0q5DA.exe

I keep deleting or moving it to the chest but it still keeps coming up. I’ve scanned the whole computer and it found about 20 files like this, which I moved, but it still keeps saying the files are infected. Any ideas?

Cheers
Hannah

Welcome hannah123,

Please post a HijackThis log here for analysis. You can get HijackThis from HERE; we can advise you from there.

–lee

Click on the link in my signature and follow the instructions in the malware removal section.

  1. Clear your browser cache (Temporary Internet Files) and any temporary files.

  2. What is your OS?

This is what it said:

Logfile of HijackThis v1.99.1
Scan saved at 19:46:06, on 16/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wrauclt.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system\lsvchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.couldnotfind.com/search_page.html?&account_id=1000834
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.couldnotfind.com/search_page.html?&account_id=1000834
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=1000834
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll (file missing)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O2 - BHO: NavHelper Class - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-gb\msntb.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [Zone Alarm] vsmon.exe
O4 - HKLM..\Run: [.mscdsr] C:\WINDOWS\system\lsvchost.exe
O4 - HKLM..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM..\Run: [WebRebates0] “C:\Program Files\Web_Rebates\WebRebates0.exe”
O4 - HKLM..\Run: [Windows AdTools] C:\Program Files\Windows AdTools\WinAdTools.exe
O4 - HKLM..\Run: [*windows update] wrauclt.exe
O4 - HKLM..\Run: [Windows AdControl] C:\Program Files\Windows AdControl\WinAdCtl.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [msnappau] “C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM..\Run: [2Mc8cR] C:\WINDOWS\rrtnb.exe
O4 - HKLM..\Run: [Internet Optimizer] “C:\Program Files\Internet Optimizer\optimize.exe”
O4 - HKLM..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM..\RunServices: [*windows update] wrauclt.exe
O4 - HKCU..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU..\Run: [*windows update] wrauclt.exe
O4 - Startup: eTomi Pro On Startup.lnk = C:\Program Files\eTomiPro\Gui\etomipro.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)

I’ve already cleared my temporary internet files and I’m not sure what my OS is! Sorry!!!

Your OS (operating system) is:

Platform: Windows XP SP2 (WinNT 5.01.2600)

You can use Eddy’s HJT log file analyser on his website, or an online one for your HijackThis log file; try here: http://hijackthis.de/index.php

Extract - using Eddy’s HJT analyser.
CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

You are using a old version of Hijackthis, please update.
You are using the latest version of Internet Explorer.
Software firewall detected.

THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK WE STRONGLY RECOMMEND TO FIX THEM :

\program files\msn apps\updater\01.02.3000.1001\en-gb\msnappau.exe
\program files\internet optimizer\optimize.exe
r1 - hkcu\software\microsoft\internet explorer\search
r1 - hkcu\software\microsoft\windows\currentversion\internet settings
proxyoverride = 127.0.0.1
o2 - bho: search relevancy - {1d7e3b41-23ce-469b-be1b-a64b877923e1} - c:\progra~1\search~1\search~1.dll (file missing)
o2 - bho: (no name) - {83de62e0-5805-11d8-9b25-00e04c60faf2} - c:\windows\2_0_1browserhelper2.dll (file missing)
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o4 - hklm..\run: [bullseye network] c:\program files\bullseye network\bin\bargains.exe
o4 - hklm..\run: [webrebates0] “c:\program files\web_rebates\webrebates0.exe”
o4 - hklm..\run: [windows adcontrol] c:\program files\windows adcontrol\winadctl.exe
o4 - hklm..\run: [msnappau] “c:\program files\msn apps\updater\01.02.3000.1001\en-gb\msnappau.exe”
o4 - hklm..\run: [ist service] c:\program files\istsvc\istsvc.exe
o8 - extra context menu item: web rebates - file://c:\program files\web_rebates\sy1150\tp1150\scri1150a.htm
o16 - dpf: {17492023-c23a-453e-a040-c7c580bbf700} (windows genuine advantage validation tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
o16 - dpf: {771a1334-6b08-4a6b-aedc-cf994ba2cebe} (installer class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.

THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR THE SYSTEM TO WORK PROPERLY :

o4 - hklm..\run: [hp software update] c:\program files\hewlett-packard\hp software update\hpwuschd.exe
o4 - hklm..\run: [realtray] c:\program files\real\realplayer\realplay.exe systemboothideplayer
o4 - hklm..\run: [internet optimizer] “c:\program files\internet optimizer\optimize.exe”
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe


CHECKING HIJACKTHIS, INTERNET EXPLORER, WINDOWS AND SOFTWARE FIREWALL:

You are using the latest version of Hijackthis.
You are using the latest version of Internet Explorer.
Software firewall detected.


THESE ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

\windows\system32\wrauclt.exe
\windows\system\lsvchost.exe
\program files\msn apps\updater\01.02.3000.1001\en-gb\msnappau.exe
\program files\internet optimizer\optimize.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.couldnotfind.com/search_page.html?&account_id=1000834
r1 - hkcu\software\microsoft\internet explorer\main,search page = http://www.couldnotfind.com/search_page.html?&account_id=1000834
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = http://www.couldnotfind.com/search_page.html?&account_id=1000834
r1 - hkcu\software\microsoft\windows\currentversion\internet settings,proxyoverride = 127.0.0.1
o2 - bho: search relevancy - {1d7e3b41-23ce-469b-be1b-a64b877923e1} - c:\progra~1\search~1\search~1.dll (file missing)
o2 - bho: (no name) - {83de62e0-5805-11d8-9b25-00e04c60faf2} - c:\windows\2_0_1browserhelper2.dll (file missing)
o2 - bho: bhobj class - {8f4e5661-f99e-4b3e-8d85-0ea71c0748e4} - c:\windows\wsem303.dll
o2 - bho: bahelper class - {a3fdd654-a057-4971-9844-4ed8e67dbbb8} - c:\program files\sidefind\sfbho.dll
o2 - bho: navhelper class - {c1e58a84-95b3-4630-b8c2-d06b77b7a0fc} - c:\program files\navexcel\navhelper\v2.0.4c\nhelper.dll
o2 - bho: adp urlcatcher class - {f4e04583-354e-4076-be7d-ed6a80fd66da} - c:\windows\system32\msbe.dll
o3 - toolbar: yoursitebar - {86227d9c-0efe-4f8a-aa55-30386a3f5686} - c:\progra~1\yoursi~1\ysb.dll
o4 - hklm..\run: [.mscdsr] c:\windows\system\lsvchost.exe
o4 - hklm..\run: [bullseye network] c:\program files\bullseye network\bin\bargains.exe
o4 - hklm..\run: [webrebates0] “c:\program files\web_rebates\webrebates0.exe”
o4 - hklm..\run: [windows adtools] c:\program files\windows adtools\winadtools.exe
o4 - hklm..\run: [*windows update] wrauclt.exe
o4 - hklm..\run: [windows adcontrol] c:\program files\windows adcontrol\winadctl.exe
o4 - hklm..\run: [msnappau] “c:\program files\msn apps\updater\01.02.3000.1001\en-gb\msnappau.exe”
o4 - hklm..\run: [ist service] c:\program files\istsvc\istsvc.exe
o4 - hklm..\runservices: [*windows update] wrauclt.exe
o4 - hkcu..\run: [*windows update] wrauclt.exe
o4 - global startup: blueyonder instant support tool.lnk = c:\program files\blueyonder ist\bin\matcli.exe
o8 - extra context menu item: web rebates - file://c:\program files\web_rebates\sy1150\tp1150\scri1150a.htm
o9 - extra button: sidefind - {10e42047-deb9-4535-a118-b3f6ec39b807} - c:\program files\sidefind\sidefind.dll
o16 - dpf: {17492023-c23a-453e-a040-c7c580bbf700} (windows genuine advantage validation tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
o16 - dpf: {771a1334-6b08-4a6b-aedc-cf994ba2cebe} (installer class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
o16 - dpf: {b38870e4-7ecb-40da-8c6a-595f0a5519ff} (msnmessengersetupdownloadcontrol class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
o23 - service: avast! mail scanner - unknown owner - c:\program files\alwil software\avast4\ashmaisv.exe" /service (file missing)


HARMFULL ITEMS IN THE DOCUMENTS AND SETTINGS FOLDER(S) :

Nothing found.


THE FOLLOWING ITEMS ARE NOT NEEDED TO LOAD
AT BOOTIME FOR THE SYSTEM TO WORK PROPERLY:

o4 - hklm..\run: [hp software update] c:\program files\hewlett-packard\hp software update\hpwuschd.exe
o4 - hklm..\run: [realtray] c:\program files\real\realplayer\realplay.exe systemboothideplayer
o4 - hklm..\run: [sunjavaupdatesched] c:\program files\java\jre1.5.0_01\bin\jusched.exe
o4 - hklm..\run: [internet optimizer] “c:\program files\internet optimizer\optimize.exe”
o4 - global startup: microsoft office.lnk = c:\program files\microsoft office\office\osa9.exe


WE HAVE NO INFO ON THE FOLLOWING ITEMS. THEY CAN BE BAD OR GOOD.
YOU HAVE TO VERIFY THEM MANUALLY. PLEASE TELL US IF YOU HAVE INFO ON THEM :

o4 - hklm..\run: [2mc8cr] c:\windows\rrtnb.exe
o4 - startup: etomi pro on startup.lnk = c:\program files\etomipro\gui\etomipro.exe

OK, I’ve run Avast, Ad-Aware, Spybot and HijackThis, removed everything they recommended I remove, rebooted, found no Windows updates, and the problem still persists. Although, when I tried to restart in a safe boot option, nothing happened except normal rebooting. Also, the problem only happens when I enable my internet connection.
Any further ideas?

Ta!!!
Hannah

Please post a new log here.

Logfile of HijackThis v1.99.1
Scan saved at 22:08:43, on 16/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wrauclt.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 6 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [*windows update] wrauclt.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\Run: [2Mc8cR] C:\WINDOWS\rrtnb.exe
O4 - HKLM..\RunServices: [*windows update] wrauclt.exe
O4 - HKCU..\Run: [*windows update] wrauclt.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

You didn’t fix everything I recommended.
That’s why you still have problems.

My bad! I deleted everything this time and double-checked, rebooted and ran the test again, but it seems that a few have come back. I’ve highlighted them for you.

Logfile of HijackThis v1.99.1
Scan saved at 22:34:41, on 16/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wrauclt.exe
C:\WINDOWS\System32\sistray.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\rrtnb.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 9 for hijackthis[1].zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [2Mc8cR] C:\WINDOWS\rrtnb.exe
O4 - HKLM..\Run: [*windows update] wrauclt.exe
O4 - HKLM..\RunServices: [*windows update] wrauclt.exe
O4 - HKCU..\Run: [*windows update] wrauclt.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe

One of the files you didn’t recognise is a music download programme, but I’ve deleted that anyway and I don’t know what the other one is.

Hannah

  • disable system restore
  • reboot
  • O4 - HKLM..\Run: [2Mc8cR] C:\WINDOWS\rrtnb.exe
    If this one is not the music program, fix it also along with the others.
  • reboot
  • let us know if it solved the problem.

Hey! These files have come back again:

O4 - HKLM..\Run: [*windows update] wrauclt.exe
O4 - HKLM..\RunServices: [*windows update] wrauclt.exe
O4 - HKCU..\Run: [*windows update] wrauclt.exe

but the other one hasn’t and everything seems to be fine . . . touch wood!
Cheers for all your help!!!

Hannah

Well those need to go also.

It looks like “rrtnb.exe” was the culprit.
Since that one is gone now, try to fix the 3 that are left.
They should stay away now if you fix them.

Hey! I’ve just tried to delete them again, but they still reappear when I restart.
O4 - HKLM..\Run: [*windows update] wrauclt.exe
O4 - HKLM..\RunServices: [*windows update] wrauclt.exe
O4 - HKCU..\Run: [*windows update] wrauclt.exe

The original problem’s fixed, though! Any ideas? Sorry for being such a pain!!!

Hannah

Do you have ALL security patches/updates installed from the Windows Update website?
Did you disable System Restore before trying to fix them?
Have you run Avast for a full system scan?
Have you run an online scanner?

Because those files are part of the RDBot malware.
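The three entries that kept coming back in this thread show two patterns worth checking for in any HijackThis log: an autorun value that is a one-letter lookalike of a genuine Windows binary (wrauclt.exe for the real Windows Update client wuauclt.exe, lsvchost.exe for svchost.exe) and the same program registered in several Run keys at once so that removing one copy is undone by the others. The Python below is an added example, not code from the thread or from HijackThis; it triages O4 lines with those heuristics, using lines copied from the log above plus one constructed Temp-folder entry (the hypothetical `[tmp]` value) as sample input.

```python
"""Triage O4 (autorun) lines from a HijackThis log for the patterns seen in this thread."""
import os
import re
from collections import defaultdict

# Genuine Windows binaries whose names malware imitates with a one-letter change.
KNOWN_SYSTEM_BINARIES = {
    "wuauclt.exe", "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "explorer.exe", "rundll32.exe", "spoolsv.exe",
}

# Matches e.g.  O4 - HKLM..\Run: [*windows update] wrauclt.exe
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\.\.\\(?P<key>Run(?:Services|Once)?): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short file names, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(cmd: str) -> str:
    """Pull the launched program out of a Run value (quoted path, or first .exe token)."""
    cmd = cmd.strip()
    if cmd.startswith(("\"", "\u201c")):  # logs pasted to the web often carry curly quotes
        return cmd[1:].split("\"")[0].split("\u201d")[0]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split() or [cmd])[0]


def triage_o4(log_lines):
    """Return (finding, hive\\key, executable) tuples for suspicious O4 entries."""
    findings = []
    locations = defaultdict(set)  # basename -> {"HKLM\Run", "HKCU\Run", ...}
    for line in log_lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m.group("cmd"))
        where = f"{m.group('hive')}\\{m.group('key')}"
        base = os.path.basename(exe.replace("\\", "/")).lower()
        locations[base].add(where)
        if "\\" not in exe:
            # Bare file name resolved via the search path at logon; legitimate
            # software almost always registers its full install path.
            findings.append(("no-path", where, exe))
        if base not in KNOWN_SYSTEM_BINARIES and any(
                levenshtein(base, k) == 1 for k in KNOWN_SYSTEM_BINARIES):
            findings.append(("system-binary-lookalike", where, exe))
        if "\\temp\\" in exe.lower() or "locals~1" in exe.lower():
            findings.append(("runs-from-temp", where, exe))
    for base, wheres in locations.items():
        if len(wheres) >= 3:
            # Registered in Run, RunServices and HKCU\Run at once: the running bot
            # re-creates whichever copy is removed, which is why the entries "came back".
            findings.append(("multi-key-persistence", ",".join(sorted(wheres)), base))
    return findings


# Sample input: O4 lines copied from the thread's log, plus one constructed Temp-folder entry.
SAMPLE_LOG = [
    "O4 - HKLM..\\Run: [QuickTime Task] \u201cC:\\Program Files\\QuickTime\\qttask.exe\u201d -atboottime",
    "O4 - HKLM..\\Run: [.mscdsr] C:\\WINDOWS\\system\\lsvchost.exe",
    "O4 - HKLM..\\Run: [*windows update] wrauclt.exe",
    "O4 - HKLM..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe",
    "O4 - HKLM..\\Run: [2Mc8cR] C:\\WINDOWS\\rrtnb.exe",
    "O4 - HKLM..\\RunServices: [*windows update] wrauclt.exe",
    "O4 - HKCU..\\Run: [*windows update] wrauclt.exe",
    "O4 - HKCU..\\Run: [tmp] C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\g0q5DA.exe",  # constructed
]

if __name__ == "__main__":
    for finding in triage_o4(SAMPLE_LOG):
        print(finding)
```

Note that rrtnb.exe, which the helper identified as the dropper, is not caught by these name heuristics; a randomly named file in C:\WINDOWS still has to be checked by hash or vendor lookup, which is what the "we have no info on the following items" section of the analyser output asks the user to do.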

It seems that I’ve finally got rid of it!

Cheers for all your help!!

Hannah

I am having trouble with this virus…can you help??? I have already scanned with avast. It won’t let me delete or move this file…I get an error.

Do the same as Hannah.

Visit the malware removal section on my website and follow the instructions.