
Trojan Generic.GM and Collect.AF


5 replies to this topic

#1 novirusplease


Posted 21 July 2005 - 04:28 AM

I use AVG and Spyware Doctor but several viruses are still active. Two of them are particularly annoying as AVG is constantly detecting them although the heal action is said to be successful.
Could you please help me remove them? My HijackThis log file is:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:18, on 21.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuamkopxp.exe
C:\winupdates93525.exe
C:\WINDOWS\System32\winproc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hsar\rrat.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Palm\hotsync.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BF89CBE4-0C06-0186-5DF0-25D0582623C1} - C:\WINDOWS\System32\xrptpvvc.dll
O2 - BHO: (no name) - {FB0BA024-6094-6D13-C45C-4FA68FDB3992} - C:\WINDOWS\System32\vqhqit.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinCLG32 Bool] winclg32.exe
O4 - HKLM\..\Run: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\Run: [REGRUN32] C:\winupdates93525.exe
O4 - HKLM\..\Run: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [hpsjbmgr] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\RunServices: [WinCLG32 Bool] winclg32.exe
O4 - HKLM\..\RunServices: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [Microsoftx turn Control] ried.pif
O4 - HKLM\..\RunServices: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKCU\..\Run: [Oeae] C:\Program Files\hsar\rrat.exe
O4 - HKCU\..\Run: [Ckpaay] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra 'Tools' menuitem: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9530F07B-29B1-429F-AC77-9316721AC542}: NameServer = 194.230.1.71 194.230.1.200
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)



Many thanks in advance.



#2 jahewi

    Anti-Malware Helper



Posted 21 July 2005 - 08:32 AM

Hi novirusplease,

Download and install the following programs, if they're not on your computer yet:
- AdAware SE: http://www.lavasoftusa.com/support/download/
- Spybot Search & Destroy: http://www.safer-networking.org/en/mirrors/index.html
- CCleaner: http://www.ccleaner.com/ccdownload.php
Download CWShredder: http://www.intermute.com/products/cwshredder.html
and put it in its own folder, e.g. 'C:\CWShredder' or 'C:\Program Files\CWShredder'

Do a System-Scan with AdAware SE:
- Open AdAware SE
- First of all, check for updates.
To do this, click on 'Check for updates now', click the 'Connect'-button and, if there are new updates, click 'OK' and then 'Finish'.
- Now, do a system-scan by clicking the 'Start'-button.
- In the next screen, select 'Perform Full System scan' and click the 'Next'-button.
- Sit back and relax, while Adaware is performing the system-scan.
- When the scan is done, right-click in the list of items that AdAware found, select 'Select All', click the 'Next'-button and then the 'Finish'-button.
- Close AdAware SE.

Do a system-scan with Spybot Search & Destroy:
- Open Spybot
- First, Check for updates
click the 'Search for updates'-button. If there are updates available, select them and click the 'Download updates'-button.
- Click 'Search and destroy' and then 'Check for problems'.
- Relax, while Spybot is performing its scan.
- When Spybot is done, it will show a list of found items (or congratulate you with a clean computer). Click 'Fix selected problems' to delete the items.
- Close Spybot

Do a fix with CWShredder:
- Open CWShredder and click 'Check for updates' and, if a new version is available, click 'Click here to Download the update'.
- Click the 'Fix ->'-button to start a scan and allow CWShredder to repair the found CWS-infections.
- CWShredder will perform its scan and fix CWS-infections when it finds them.

Do an online virus scan at Panda: http://www.pandasoftware.com/activescan/co...n_principal.htm
When Panda ActiveScan has performed its scan, be sure to save the log to your desktop.

Restart your computer.

When you're done, please post:
- The log from Panda ActiveScan
- A new HijackThis-log


Good luck!

Jan :-)
... the best defence against malware is common sense ... ;)

#3 novirusplease


Posted 27 July 2005 - 11:32 AM

The AVG alert still detects Trojan horse Generic.GM. This alert is also continually reappearing (the alert window cannot be removed) even though the heal process is said to be successful.
In addition, AVG detects hundreds of spam mailed from my address to people I even do not know.
My hard disk(s) is (are) continually reading/saving data although no application is running. Consequently, every task takes at least 10 times longer to execute.

My HijackThis log file is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 18:23:59, on 27.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\wuamkopxp.exe
C:\WINDOWS\System32\winproc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\mdm.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\w?aclt.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\hsar\rrat.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\PROGRA~1\MICROS~2\Office\Winword.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Palm\hotsync.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
c:\PROGRA~1\EndNote3.EXE
C:\Program Files\Microsoft Office\Office\excel.exe
C:\WINDOWS\msudpspc.exe
C:\WINDOWS\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {BF89CBE4-0C06-0186-5DF0-25D0582623C1} - C:\WINDOWS\System32\xrptpvvc.dll
O2 - BHO: (no name) - {FB0BA024-6094-6D13-C45C-4FA68FDB3992} - C:\WINDOWS\System32\vqhqit.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WinCLG32 Bool] winclg32.exe
O4 - HKLM\..\Run: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\Run: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [hpsjbmgr] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [Windows Update 32] xpspool.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\mdm.exe
O4 - HKLM\..\RunServices: [WinCLG32 Bool] winclg32.exe
O4 - HKLM\..\RunServices: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [Microsoftx turn Control] ried.pif
O4 - HKLM\..\RunServices: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [Windows Update 32] xpspool.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKCU\..\Run: [Ckpaay] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Windows Update 32] xpspool.exe
O4 - HKCU\..\Run: [Oeae] C:\Program Files\hsar\rrat.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra 'Tools' menuitem: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: UDP Sub Packet Classifier (UDPSPC) - Unknown owner - C:\WINDOWS\msudpspc.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe

Please help.

#4 jahewi

    Anti-Malware Helper



Posted 28 July 2005 - 12:50 AM

Hi novirusplease,

Of course I'll help you :thumbsup:

Did you save the scanlog from the scan you did with the Panda online scanner?
If so, please post it here. It could be very helpful!

The problems you have are not so strange.
There are a lot of viruses on your computer.
I didn't find the names of all of them, but there are a few RBot-variants as well.

AVG can't scan for spam, only for viruses, so the mails it has found probably are virus-mails.

Because these viruses are running around in your computer, your computer is slowing down ... that's also normal.


First, let's clean up your HijackThis a bit and see which problems remain :flowers:


- Be sure that all files and folders are visible:
- Click Start > Control Panel > Tools > Folder Options > View
- At Hidden files and folders, select 'Show hidden files and folders'
- Unmark 'Hide extensions for known file types'
- Click 'Apply' and then 'OK'.

- Start HijackThis and click 'Scan'.

- Only select the following items:
O2 - BHO: (no name) - {BF89CBE4-0C06-0186-5DF0-25D0582623C1} - C:\WINDOWS\System32\xrptpvvc.dll
O2 - BHO: (no name) - {FB0BA024-6094-6D13-C45C-4FA68FDB3992} - C:\WINDOWS\System32\vqhqit.dll
O4 - HKLM\..\Run: [WinCLG32 Bool] winclg32.exe
O4 - HKLM\..\Run: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\Run: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\Run: [Windows Update 32] xpspool.exe
O4 - HKLM\..\Run: [Services] C:\WINDOWS\mdm.exe
O4 - HKLM\..\RunServices: [WinCLG32 Bool] winclg32.exe
O4 - HKLM\..\RunServices: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\RunServices: [Microsoftx turn Control] ried.pif
O4 - HKLM\..\RunServices: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [Windows Update 32] xpspool.exe
O4 - HKCU\..\Run: [Ckpaay] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [Windows Update 32] xpspool.exe
O4 - HKCU\..\Run: [Oeae] C:\Program Files\hsar\rrat.exe
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe


- IMPORTANT: Close all windows, except HijackThis.

- In HijackThis, click 'Fix Checked'.

- Restart your computer in Safe Mode

- Delete the following Files (if they are still there):
(Important: Some of the names are very similar to names of legitimate files in other folders! Please be sure you delete the right file, from the right folder!)
C:\WINDOWS\System32\xrptpvvc.dll
C:\WINDOWS\System32\vqhqit.dll
C:\WINDOWS\System32\w?aclt.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\winproc.exe
C:\Program Files\hsar\rrat.exe

- Using Windows Search (right-click 'Start' and click 'Search ...'), find the following files and delete them (if they are still there):
wuamkopxp.exe
phqghume.exe
soun.pif
ried.pif

- Start CCleaner and click 'Run Cleaner'. After CCleaner is done, close it again.

- Restart your computer in Normal Mode and post a new HijackThis-log in this topic.


Good luck, Jan :-)
... the best defence against malware is common sense ... ;)
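The items Jan picked out of the log above follow a few recognisable patterns: BHOs registered with no name, Run/RunServices values with Microsoft-sounding names whose target is a bare file name, a filename the log cannot render (the '?' in w?aclt.exe), an svchost.exe outside System32, and services with an unknown owner or a missing binary. As an added example that is not part of this thread or of HijackThis, the Python script below applies those rules to constructed lines in HijackThis log format; the two allowlists and the C:\WINDOWS system root are assumptions, and the output is a triage aid for a human reviewer, not a verdict.

```python
import re

# Constructed sample in the format of the HijackThis 1.99.1 logs in this thread;
# the entries were chosen to exercise each rule, and several are legitimate.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BF89CBE4-0C06-0186-5DF0-25D0582623C1} - C:\WINDOWS\System32\xrptpvvc.dll
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [Microsoft U] wuamkopxp.exe
O4 - HKLM\..\RunServices: [SOUNDMAN Microsoft Help] soun.pif
O4 - HKCU\..\Run: [Ckpaay] C:\WINDOWS\System32\w?aclt.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Windows Configuration Loader - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>RunServices|RunOnce|Run): "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
KNOWN_STUBS = {"rundll32", "rundll32.exe"}  # assumed allowlist: loaders that legitimately appear without a path
KNOWN_UNNAMED_BHOS = {"sdhelper.dll"}        # assumed allowlist: Spybot's SDHelper registers as "(no name)"

def first_token(cmd):
    # Executable part of an autorun command, honouring a double-quoted path.
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""

def is_bare(target):
    # No drive, directory or variable: resolved through PATH at logon, so the log
    # alone does not say which file actually runs.
    return bool(target) and "\\" not in target and ":" not in target and not target.startswith("%")

def path_rules(target):
    parent, _, base = target.lower().rpartition("\\")
    r = []
    if "?" in base:
        r.append("name contains a character the log could not render ('?' is not valid in a Windows filename)")
    if base == "svchost.exe" and not parent.endswith("\\system32"):
        r.append("svchost.exe outside %SystemRoot%\\System32, where the legitimate copy lives")
    return r

def check_o2(m):
    r = []
    if m["name"] == "(no name)" and m["path"].lower().rpartition("\\")[2] not in KNOWN_UNNAMED_BHOS:
        r.append("BHO registered without a name; review the DLL it loads")
    return r + path_rules(m["path"])

def check_o4(m):
    target = first_token(m["cmd"])
    parent, _, base = target.lower().rpartition("\\")
    r = []
    if m["key"] == "RunServices":
        r.append("RunServices autostart (Win9x-era key, rarely used by legitimate XP software)")
    if is_bare(target) and base not in KNOWN_STUBS:
        r.append("target has no path; it is resolved through PATH at logon")
    mimic = any(w in m["name"].lower() for w in ("microsoft", "windows"))
    if mimic and not parent.startswith("c:\\windows"):  # assumed SystemRoot, as in this thread's logs
        r.append("Microsoft-sounding value name, but the target is not under the Windows directory")
    return r + path_rules(target)

def check_o23(m):
    path, r = m["path"], []
    if path.endswith("(file missing)"):
        r.append("service points at a binary that no longer exists (orphaned entry)")
        path = path[: -len("(file missing)")].strip()
    if m["owner"] == "Unknown owner":
        r.append("service binary carries no company/owner information")
    return r + path_rules(path)

def triage(log_text):
    # Return (line, reasons) for every log line that trips at least one rule.
    findings = []
    for line in (raw.strip() for raw in log_text.strip().splitlines()):
        for rx, check in ((O2_RE, check_o2), (O4_RE, check_o4), (O23_RE, check_o23)):
            if m := rx.match(line):
                if reasons := check(m):
                    findings.append((line, reasons))
                break
    return findings
```

Running triage(SAMPLE_LOG) flags six of the ten constructed lines; the Spybot helper, the rundll32 entry, the quoted Spyware Doctor path and the AVG service pass, which is the point of the allowlists and of checking the owner field rather than the display name.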

#5 novirusplease


Posted 28 July 2005 - 05:18 AM

The AVG alert is still popping up and the e-mail scanner is still detecting thousands of undesired e-mail sendings.

The Panda log file will follow (have to re-scan to get the log, my computer tends to shut down inadvertently).

---

HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 11:53:06, on 28.07.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\System32\task32w.exe
C:\PROGRA~1\MICROS~2\Office\Winword.exe
C:\WINDOWS\System32\winproc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Palm\hotsync.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [hpsjbmgr] C:\PROGRAM FILES\SCANJET\PrecisionScanLT\hpsjbmgr.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [MS taskbar W] task32w.exe
O4 - HKLM\..\Run: [Windows Process Manager] winproc.exe
O4 - HKLM\..\RunServices: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKLM\..\RunServices: [MS taskbar W] task32w.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LOCAL INTERNET WEB DRIVERS FOR WIN32] phqghume.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [MS taskbar W] task32w.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Fichiers communs\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Démarrage d'Office.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Gestionnaire Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\hotsync.exe
O4 - Global Startup: Microsoft Recherche accélérée.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra 'Tools' menuitem: Portello - {4C1A4A92-7CB2-425a-9E4B-665BAED90D27} - C:\Program Files\Portello\Portello.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: hexadecimal (HexadecimaRepresentation) - Unknown owner - C:\WINDOWS\Edit.exe (file missing)
O23 - Service: WIN32 (image) - Unknown owner - C:\WINDOWS\image.exe (file missing)
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINDOWS\System32\Netlib.exe (file missing)
O23 - Service: UDP Sub Packet Classifier (UDPSPC) - Unknown owner - C:\WINDOWS\msudpspc.exe

#6 novirusplease


Posted 30 July 2005 - 01:07 AM

My computer always shuts down before the Panda scanning is complete, therefore I am not able to provide any log file. At least 60 files were infected, 0 message infected, 0 disinfected.

The Trojan Horse Generic.GM is still detected by the AVG resident shield.



