I’ve read the other posts regarding this one but I’m a bit of a novice at all this and think I need someone to hold my hand. It seems I need to do a Hijack this scan followed by Combofix. In other posts people have been advices to check certain lines in the Hijack this scan and then to run “Fix”. I don’t seem to have those lines though. Thought I’d just post the log from Hijack this for now and wait for advice.

Thanks in advance for any help.

John

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:38, on 11/02/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\wfxsnt40.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Symantec\TalkWorks\wfxctl32.exe
C:\Program Files\Symantec\TalkWorks\WFXMOD32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FB794C-2E47-4CB1-BA77-5346D843F0B7} - C:\Program Files\Windows Media Player\hokevC:\WINDOWS\System32\ecw8\renamd83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\System32\ssqrsrs.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM..\Run: [Acrobat Assistant 7.0] “C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe”
O4 - HKLM..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Google Desktop Search] “C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [BitTorrent] “C:\Program Files\BitTorrent\bittorrent.exe” --force_start_minimized
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Controller.LNK = C:\Program Files\Symantec\TalkWorks\WFXCTL32.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra ‘Tools’ menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra ‘Tools’ menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ssqrsrs - C:\WINDOWS\SYSTEM32\ssqrsrs.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TalkWorks PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: Iomega Active Disk (IOMEGA_ACTIVE_DISK_SERVICE) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

–
End of file - 9464 bytes

at least these items are strange

O2 - BHO: (no name) - {31FB794C-2E47-4CB1-BA77-5346D843F0B7} - C:\Program Files\Windows Media Player\hokevC:\WINDOWS\System32\ecw8\renamd83122.exe.dll (file missing)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - C:\WINDOWS\System32\ssqrsrs.dll
O4 - HKLM..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: ssqrsrs - C:\WINDOWS\SYSTEM32\ssqrsrs.dll

anybody to confirm?

If it’s any help the symptoms are that Avast pops up exactly every 60 mins with the virus warning. Each time it’s a dll file in my system32 folder. I either move it to the vault or delete it. Seems to make no difference as exactly 60 mins later it seems another dll file has been generated with the virus. I have a feeling it’s connected with some dll files in my system32 folder as follows:

rqrsrpn.dll, rqronmj.dll and ssqrsrs.dll

I only suspect these as they have a date and time about the time I started getting the virus warnings. I was tempted to just delete or rename them but I wasn’t sure this was the best thing to do. I have scanned it with Avast but it didn’t show anything.

I’m also not sure about the following one either …

C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe

John

Hi

Run combofix first then HJT. Post both logs.

You can attach them by using the additional options button on the reply page.

Thanks Oldman.

Logs attached.

After running Combofix and rebooting Spybot popped up saying it had detected some registry changes. I assume this was down to Combofix so I allowed them. Hope that was right.

John

Just to add that Avast has stopped popping up with virus warnings every hour so that’s looking promising.

It looks like some, but not all has been removed. If you can live with it til this afternoon, I’ll be home then and we can get the rest.

Hi !

I still cant remove the virus…

Please e-mail to bskude@yahoo.com with tips on how to remove it. I am currently using avast home version 4.7 and this software cannot remove the virus

Thank you in advance !

/Bjorn Skude

bskude -

Please start your own post on your problem as Nodge is being helped in this thread. You will get better help if you do. Welcome to the forums.

Oldman. many thanks for your help so far. Not sure if I did right or not but I ran another virus scan with Avast and it did pick up some more viruses which I moved to the chest. Not sure how I post a log from Avast so I did a screen grab of the results and I’m attaching that.

Thanks

John

Sorry for the delay.

the avast detections where infected system restore oint. The restore point shouldn’t be a problem unless you use them. We’ll clean then put in a bit.

Open Spybot and make sure teatimer is disabled, we will re-enable afterwards. To do so do the following

Click mode
click Advanced mode
if you get a warning answer “yes”
click tools
click resident
uncheck resident “teatimer” and SDHelper if installed
click allow change
reboot
Download and Unzip to your Desktop: http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

reboot

Please submit these files for analysis

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\b116old.exe
C:\WINDOWS\b122old.exe
C:\os350142.bin

scroll down a bit and click “send file”, wait for the results and post then in your next reply.

Open HJT, run a system scan only, check mark these lines if present

O2 - BHO: (no name) - {31FB794C-2E47-4CB1-BA77-5346D843F0B7} - C:\Program Files\Windows Media Player\hokevC:\WINDOWS\System32\ecw8\renamd83122.exe.dll (file missing)
O4 - HKLM..\Run: [runner1] C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\Temp\gwLsx9101.exe C:\Program Files\Dot1XCfg\Dot1XCfg.exe

Folder::
C:\WINDOWS\system32\ecw8
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\pie2
C:\WINDOWS\system32\nGpxx01
C:\Temp\gTiis19
C:\Temp\cXzz9

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Thanks for your help with all this Oldman.

I’m attaching the various logs.

Just 2 more to get rid of, then we do some clean up.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

Files:: C:\WINDOWS\b116old.exe C:\WINDOWS\b122old.exe

This will start ComboFix again.Close all browser/windows first. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply

[b]note[\b] when doing the combofix fix

OK, done that.

Didn’t know what you meant by “note[\b] when doing the combofix fix”

Here’s the Combofix log attached.

Thanks again,

John

Hi
The part of the post you asked about, it’s part of my copy/pasted canned version of the comboscript fix that didn’t apply in this case. Must have missed it when I removed that part.

Well, it looks like we may have to hammer those two.

Any other problems?

Please download
OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\b116old.exe
C:\WINDOWS\b122old.exe

Return to OTMoveIt2, right click in the “Paste List of Files/Folders to be Moved” window (under the light blue bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMOVEITE reboots, before you can get the ruslts they can be found here
C:_OTMoveIt\MovedFiles**_.log
(where “**_” is the “date_time”)

OK. Done that and got this …

C:\WINDOWS\b116old.exe moved successfully.
C:\WINDOWS\b122old.exe moved successfully.

OTMoveIt2 v1.0.20 log created on 02142008_112326

John

That should have been the last of them.

Everything ok now? Let me know.

Here’s a clean up routine to if eveything is good.

• Click start button, run, then copy and paste the following line into the box and click ok.

ComboFix /u

• Open OTMoveIt, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

• Make a new clean restore point

To clear existing restore points

1.Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2.Click to add a check mark beside Turn off System Restore on all Drives, and click Apply.

3. When you are warned that all existing Restore Points will be deleted, click Yes to continue.

All system restore points are deleted.

• Now you should manually create a restore point.

1.Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.

2.Click Create a Restore Point, and then click Next.

3.Name your restore point. (use the date as well as a descriptive term such as “After Restore Point Deletion.”) click create, click close.

• Update your java

Open an Internet Explorer (only) window and go to http://java.sun.com/javase/downloads/index.jsp > Scroll down to “Java Runtime Environment (JRE) 6 Update 4…allows end-users to run Java applications”.

Click the download button on the right.

If Information Bar pop-ups up, right-click on it and say it’s OK to display the blocked content.

You do not have to install the Java Web Start ActiveX Control

Accept the license agreement > Click on Windows (XP,Vista, .etc) Offline Installation, Multi-language and Save the file jre-6u4-windows-i586-p.exe to your desktop; do not Run it.

When the download is complete, Open Control Panel > Add/Remove Programs:

Uninstall anything that says Sun Java, Java JRE, or similar.

Close Add/Remove Programs.

In Windows Explorer, navigate to C:\Program Files\Java <=this folder, if found. Delete any subfolders it may contain.

Do NOT delete C:\Program Files[b]JavaVM[/b] <=this folder, if found!

Reboot your computer.

Double-click on the saved file to install the update.

Delete the downloaded installation file after completing the above procedure and reboot if not prompted to do so.

• Download and run this clean up utility. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

CleanUp

• If you are using windows firewall, please note that it doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

Don’t forget to re-enable Teatimer.

Take care abd keep safe.

OK. Working through that. About to remove the old Java stuff. I have the attached listed under Add/Remove Programs. Do I remove them all?

Thanks

Yes, they are all old versions.