WIN32 Viruses

G’day all,

A couple of days ago Avast AV started to give me warnings there was a virus on my computer. Below is the information on the viruses, what I have done so far, and a Hijackthis log.

I would appreciate any help you guys have to offer.

Info from Avast Warning:

C:\WINDOWS\System32\{C30FF7A2-6961-41B3-A5E6-1C873B44F08B}.exe
Win32:Trojan-gen. {Other}
C:\WINDOWS\System32\{66789467-EE59-4FE1-B7A2-70F3C358CD28}.exe
Win32:Small-TG [Trj]

Action taken so far:

Updated and ran the following;
CCleaner, Ad-Aware, Spybot, Windows Malicious Software Removal Tool, CWShredder, Bitdefender & Panda Activescan.

Restarted

That didn’t work so I did the following:
Disabled System Restore, ran CCleaner again (V1.30.310), did a boot time scan which found 1 file infected which was deleted during the process, ran Ewido - 37 infected & cleaned files.

Restarted

Thanks for your time & I hope someone can help.

Cheers for now,

Marty

I was going to paste the HJT log, but it exceeds the max allowed length, so now I don’t know what to do.

Cheers,

Marty

Hi Marty:

I recommend you post your HJT log in the HJT forum at the "unofficial" Ad-Aware Support forums at www.landzdown.com.

Hi Pongo81,

Put your hjt log here for a quick and dirty evaluation:
http://www.hijackthis.de/en
If you save the result, and you are given the opportunity for that, give the result page here (it will be online for three consecutive days from the moment you have saved it). Then we can have a look; else you could put your log here over two posts (cut and paste), but I think the first method is better.
Ask our forum member essexboy in a PM for an evaluation, he is trained to be an hjt analyzer, but we will wait for the analysis results. I think you have a spyware infection, but let's wait and see.

polonus

G’day all,

Thanks to those who posted suggestions, I have taken that advice and posted where applicable.

Here is the result page as requested & I will PM essexboy as suggested.

http://www.hijackthis.de/logfiles/b5f0dcd39efb9c548c2079220ac68466.html

Cheers,

Marty

Hi pongo

Delete the following

O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)

O4 - HKLM..\Run: [dllhostxp.exe] dllhostxp.exe
O4 - HKLM..\Run: [ajcnw.exe] C:\WINDOWS\System32\ajcnw.exe

Select the above items in HJT, CLOSE all other windows and hit "Fix checked".

Then delete files

C:\WINDOWS\System32\ajcnw.exe
dllhostxp.exe (possibly in system32)

(you may need to show all files and folders to get them)

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Unable to find whois for this - if you know it and are happy, keep it:
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.139 85.255.112.186

You should now be clear; the 2 O4's were the trojan, along with the BHO.

If you have problems deleting the 2 files then Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select "Delete on Reboot", then Click on the "All Files" button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

C:\WINDOWS\System32\ajcnw.exe
dllhostxp.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.

If your computer does not restart automatically, please restart it manually

Reboot and run another HJT, post the link and I'll have a look. If you are clean you should download and install SP2.

Hi Pongo81,

I'll agree with essexboy that dllhostxp.exe (like dllhost.exe) should definitely not exist on your machine, and is associated with viruses or spyware. If you fed a renewed hjt log to essexboy, and when he has chewed it and declared your machine clean, after you installed ServicePack 2, then install Ad-Aware, Spybot S&D and SpywareBlaster. The latter program only, and only then when your computer is totally free of malware (virus, spyware, foistware, riskware etc). Before you install these three anti-spyware comrades, do an online scan with spyaudit from here:
http://www.snapfiles.com/php/download.php?id=107886&a=7113187&tag=1482384&loc=2

Thanx to essexboy, and stay malware free,

polonus

G’day guys,

Thanks for the tips, here is what I have done.

I ran HJT and went to delete the following:
Went to delete O2 - BHO (no name)… It was not there
Selected and fixed O4 - HKLM..\Run: dllhostxp.exe
Went to delete O4 - HKLM..\Run: ajcnw.exe… It was not there

Did the ATF Cleaner thing.

Checked with my ISP to see if the 85.255.113 etc stuff was his but it’s not so I selected them and fixed via HJT.

Did the Killbox thing.

Did another HJT and it is here:

http://www.hijackthis.de/logfiles/414ac67ed76032d976facd747bdcd9a6.html

Hope you have some other ideas, because the %@(^%! thing is still there. Here is what comes up in the avast window:

C:\WINDOWS\System32\{119775AA-35F0-49ED-84BA-B5B51A8649F7}.exe
Win32:Trojan-gen. {Other}
Virus/Worm
0627-0, 03/07/2006

C:\WINDOWS\System32\{C6A35067-6C48-4405-A966-341762EDC9DF}.exe
Win32:Small-TG [Trj]
Trojan Horse
0627-0, 03/07/2006

Cheers for now,

Marty

PS

I will PM essexboy and let him know.
I have a SP2 from a computer magazine a mate had, so I will install that as soon as I come clean.

Hi Pongo81,

What you could do in the meantime, because of your recent hjt logfile, is download hostfix from here:
http://jayloden.com/HostFix.exe
Then run another hjt log file and let essexboy have a look at these results.

The trojan downloaders you have belong to the so-called Win32.Inservice type, and these are a family of trojans that download and execute files from a remote location.

When current variants of the trojan are executed, they download and execute two files from the domain "new.d-extreme.com", and save them to "%Temp%\ping<x>.exe" and "%Temp%\traceroute<x>.exe". At the time of publishing, the downloaded files were these other malware:

* "ping<x>.exe" is detected as a Win32.Centim variant
* "traceroute<x>.exe" is detected as the trojan Win32.Startpage.KD!downloader.

Notes:
<x> in the file names above stands for random numbers generated by the trojan.
%Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/file...Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure “Run fixit” is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Close it.

You may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

polonus

Hi Pongo:

The EXPERIENCED antispyware Expert on the Landzdown forums YESTERDAY posted this in your thread:

"Hi there,

It looks like the latest WareOut infection…in which case, give this a try and let me know how it works out:

(Note: In order to run the fix you will need an active Internet Connection. This is so the scripts can be downloaded.)
You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure “Run fixit” is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log. "

Hi Spiritsongs,

Don't like to get visitors away from you, but wasn't that what you read just over your posting in my reply to Marty's? Please download "FixWareout from one of these sites". Why did you have to repeat that, and could not give essexboy a bit of time to get experienced in this wareout infection cleansing routine? While he is in training at GtG he is learning a lot over the process, and we need these experienced "hjt analyzers" also here on this forum. We had very good ones like Eddy, who wrote his own hjt analyzing programs (still very useful), but they have gone quiet a bit, so we need fresh new trained experts. We did not do anything wrong yet in these procedures, and I can tell you that together we have dealt with many a smitfraud and newdotnet infection now; either the victims thanked us after they had a clean system or stayed away, which comes down to the same: infection dealt with - end of story.

polonus

Hi again Pongo

Run HJT in safe mode then do the following

Delete O4 - HKLM..\Run: [nrjde.exe] C:\WINDOWS\System32\nrjde.exe

Delete ALL O17 references

Delete ALL O18 references (unless you are totally desperate for all the Logitech stuff to run, but they are areas that can be infected. You can re-install if needed later)

This time follow it with a safe mode scan with Ewido

Followed by an ATF clean

I assume you ran the fixwareout as Pol suggested. If not, do that first before anything else. The trojan may well try to rename itself when you reboot; if it does you will find it as an O4 entry where the name in [brackets] is the same as the .exe file. Currently [nrjde.exe]. As stated this is the latest variant…

As a backup go to http://www.prevx.com/ and on the left hand side is an "infected click here" button. Let it fix all that it finds. It is safe; I have it on my system.

I know this is a bit longwinded but please bear with it
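The replies above give a handful of indicators that a log reader can check mechanically: essexboy's note that the trojan comes back as an O4 Run entry whose [name] equals the .exe file name, the O17 NameServer entries that were not the ISP's resolvers, the bare {GUID}.exe files avast reported in System32, and polonus's description of the Win32.Inservice droppers as %Temp%\ping<x>.exe and traceroute<x>.exe. The following triage script is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools named here. The log lines it scans are constructed to resemble the entries quoted above, the address 192.0.2.53 stands in for whatever the ISP's real resolver is, and the assumption that <x> is a run of digits is mine.

```python
"""Triage helpers for HijackThis-style log lines (added example, not the
thread's own code). Flags four indicators described in the replies above:
  * an O4 Run entry whose bracketed name equals its executable's file name,
  * O17 NameServer entries pointing at resolvers not in a trusted set,
  * executables whose file name is a bare {GUID}.exe,
  * %Temp%\ping<x>.exe / traceroute<x>.exe dropper names (<x> assumed digits).
"""
import ntpath
import re

# "HKLM\..\Run" in real logs; the forum rendering above dropped the backslash.
# The key group accepts either form because it only stops at the first colon.
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
GUID_EXE_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe$")
DROPPER_NAME_RE = re.compile(r"^(?:ping|traceroute)\d+\.exe$", re.IGNORECASE)


def command_executable(cmd: str) -> str:
    """File name of the program an O4 command line launches.
    Quoted paths ("C:\\Program Files\\x\\y.exe" -flag) are honoured; otherwise
    the first whitespace-separated token is taken."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        program = cmd[1:end] if end > 0 else cmd[1:]
    else:
        program = cmd.split()[0] if cmd.split() else ""
    return ntpath.basename(program)


def o4_is_self_named(line: str) -> bool:
    """True when the Run value name equals the executable's file name,
    e.g. [nrjde.exe] ...\\nrjde.exe. Vendors normally use a descriptive name."""
    m = O4_RE.match(line)
    if not m:
        return False
    return m.group("name").strip().lower() == command_executable(m.group("cmd")).lower()


def o17_unknown_resolvers(line: str, trusted: set[str]) -> list[str]:
    """NameServer addresses on an O17 line that are not in `trusted`."""
    m = O17_RE.match(line)
    if not m:
        return []
    servers = re.split(r"[\s,]+", m.group("servers").strip())
    return [s for s in servers if s and s not in trusted]


def is_guid_named_exe(path: str) -> bool:
    """True for {GUID}.exe style file names (the names avast reported)."""
    return GUID_EXE_RE.match(ntpath.basename(path)) is not None


def is_inservice_dropper_name(path: str) -> bool:
    """True for ping<digits>.exe / traceroute<digits>.exe (assumed form of <x>)."""
    return DROPPER_NAME_RE.match(ntpath.basename(path)) is not None


def triage(lines, trusted_dns: set[str]) -> list[tuple[int, str, str]]:
    """Run every check over log lines; returns (line number, reason, line)."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        line = line.rstrip()
        if o4_is_self_named(line):
            findings.append((idx, "O4 value name matches executable name", line))
        unknown = o17_unknown_resolvers(line, trusted_dns)
        if unknown:
            findings.append((idx, "O17 NameServer not trusted: " + " ".join(unknown), line))
        m = O4_RE.match(line)
        if m:
            exe = command_executable(m.group("cmd"))
            if is_guid_named_exe(exe):
                findings.append((idx, "O4 launches a {GUID}-named executable", line))
            if is_inservice_dropper_name(exe):
                findings.append((idx, "O4 launches a ping<x>/traceroute<x> dropper name", line))
    return findings


# Constructed sample modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nrjde.exe] C:\WINDOWS\System32\nrjde.exe
O4 - HKLM\..\Run: [dllhostxp.exe] dllhostxp.exe
O4 - HKLM\..\Run: [Updater] C:\WINDOWS\System32\{C30FF7A2-6961-41B3-A5E6-1C873B44F08B}.exe
O4 - HKLM\..\Run: [ping] C:\WINDOWS\TEMP\ping4821.exe
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.139 85.255.112.186
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.0.2.53
""".strip().splitlines()

# 192.0.2.53 is a documentation address standing in for the ISP's resolver.
TRUSTED_DNS = {"192.0.2.53"}

if __name__ == "__main__":
    for line_no, reason, text in triage(SAMPLE_LOG, TRUSTED_DNS):
        print(f"line {line_no}: {reason}\n    {text}")
```

The trusted resolver set is the one input the script cannot derive for itself; as Marty did above, the owner has to confirm with the ISP which NameServer addresses are legitimate before anything outside that set is treated as a hijack.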

Hi Pongo,

During the whole process later, make sure you have all your browsers closed.

polonus

Thanks again guys,

I will follow those steps tonight (I will print out these notes).

Appreciate all the effort & I will keep you informed.

Cheers,

Pongo.

Hi Pongo 81,

Additional to the recommended methods above, you could download and run the following tools as well:

about:Buster – http://www.majorgeeks.com/download4289.html
HSRemove – http://www.majorgeeks.com/download4286.html
PurityScan uninstaller – http://www.purityscan.com/uninstall.html

In that case we more or less have certainty you are clean,
Loads of success, and for later stay malware free,

polonus

Here is the fixwareout report:

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names…

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool
C:\WINDOWS\System32\net2.exe

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{DCB7F329-B620-4605-8873-9C44E0F2C35C}.exe
{F70BB360-8A10-4EC4-9F4C-CCBE52A6C0F4}.exe
{5D1F8986-FB3C-435A-B951-07B99F947DFC}.exe
{3D6D8B10-51B9-4198-9951-1F97193C0293}.exe
{25853A62-B5C6-421F-9DAA-0CF0D3F8A298}.exe
{80DB3040-8F0C-457C-A19C-311921F3E990}.exe
{585DCCCE-8694-4603-852D-C47AD945F752}.exe
{144497EE-0111-4F9D-81CA-0EA2636F87BD}.exe

I did the hostfix thing as well, and I will do a hjt report after I have done the other steps recommended above.

Cheers all,

Marty

G’day all,

It all seems to have worked finally. Thank you all very much the advice supplied was first class, and so far all seems good. I have restarted a few times and shut down fully a few times, and no alerts so far.

I have done all the steps above and here is a final hjt log. Do you think it is time to install SP2 now? Also do I restart the system restore & make a restore point?

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 8:36:08 PM, on 5/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Dulux WeatherShield WeatherDesk\weather.exe
C:\Program Files\palmOne\AlarmApp.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\marty\Desktop\Anti-virus Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM..\Run: [OpwareSE2] “C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe”
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM..\Run: [THGuard] “C:\Program Files\TrojanHunter 4.5\THGuard.exe”
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [Dulux WeatherShield WeatherDesk] C:\Program Files\Dulux WeatherShield WeatherDesk\weather.exe
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\palmOne\AlarmApp.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra ‘Tools’ menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151735726765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Thanks again for all the help and advice.

Marty

It’s always time…

I think SP2 is too ‘big’ to make system restore work after it… But, if you feel safer you could use it. It won’t hurt.

I can see that there is confusion. The victim posted over at the LzD forum, and here as well. Simple misunderstanding. I don't question essexboy's expertise but I would have thought it was easy enough to see it was a WareOut infection because of the IPs in the O18 entry for one.

Still, either way Pongo81’s problem is solved and I’m glad to hear it. :slight_smile:

Ok so I got avast last night cuz it was best recommended from my download site and cuz Norton antivirus couldn't even locate a file in my system32 folder that I thought was suspicious. It found
(4) Win32;Zlob-FC[Trj] in my system folder.
(1) Win32;Zlob-EP[Trj] in my Documents and Settings folder.
(2) Win32;Trojan-Gen {other}
one of these is in my System Volume Restore folders
the other is in my Program Files under "Fun Web Installer"

(2) Win32;Adware-Gen{adw}
1 is in my program files under FunWebProducts Installer.exe
the other is in my System Volume Restore folders

Ok I used your Cleaner to scan my C: drive and it found 0 infected