
Trojan


17 replies to this topic

#1 Kid_kaos

Posted 09 June 2006 - 03:50 AM

Over the last few days I've been getting my virus scan pop-up warning.

...

And I forgot the bloody name of it. Anyway! Here's the log, again. Thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 1:43:36 AM, on 6/9/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\AOL\1134514428\ee\AOLSoftware.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
c:\program files\common files\aol\1134514428\ee\aim6.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: AmsServer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1134514428\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1127269105593
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8B60B2E4-E418-4116-A5D0-0D64E08F91D9}: NameServer = 68.94.156.1,68.94.157.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
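The log above is what the helper reads by eye to pick out the one entry worth fixing (the second O20 Winlogon Notify DLL). The following is an added example, not code from this thread or from the HijackThis project: a small Python triage pass over HijackThis-format lines that surfaces the kinds of entries a reviewer checks first. It takes a few lines copied from the posted log as constructed input. The known-good Winlogon Notify list is an assumption, seeded only with the handler the helper left in place; the rules (entries marked "(file missing)", services with "Unknown owner", any O1 hosts change) are the reviewer's usual first look, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a handful of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: AmsServer
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
"""

# Assumption: the one Winlogon Notify handler the helper in this thread left alone.
KNOWN_WINLOGON_NOTIFY = {"wgalogon.dll"}

# Every HijackThis line is "<section> - <body>", e.g. "O20 - Winlogon Notify: ..."
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
TRAILING_DLL_RE = re.compile(r"([^\\\s]+\.dll)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_lines(text: str) -> List[Tuple[str, str, str]]:
    """Split a HijackThis log into (section, body, original line) tuples."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m["section"], m["body"], raw.strip()))
    return entries


def triage(text: str) -> List[Finding]:
    """Return the entries a reviewer would look at first, in log order."""
    findings = []
    for section, body, line in parse_lines(text):
        if "(file missing)" in body:
            findings.append(Finding(section, "orphaned entry: target file missing", line))
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # Winlogon Notify DLLs load into winlogon.exe at logon; anything
            # outside the known-good list is worth identifying before fixing.
            m = TRAILING_DLL_RE.search(body)
            dll = m.group(1).lower() if m else ""
            if dll not in KNOWN_WINLOGON_NOTIFY:
                findings.append(Finding(section, f"Winlogon Notify DLL not on the known-good list: {dll}", line))
        if section == "O23" and "- Unknown owner -" in body:
            findings.append(Finding(section, "service with no publisher (Unknown owner)", line))
        if section == "O1":
            findings.append(Finding(section, "hosts file entry", line))
    return findings


def summarize(text: str) -> str:
    """Human-readable report of the triage findings."""
    findings = triage(text)
    lines = [f"{len(findings)} entries need a look"]
    for f in findings:
        lines.append(f"[{f.section}] {f.reason}\n    {f.line}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run against the sample, the report lists six entries: the hosts change, the two "(file missing)" leftovers, the two services with no publisher, and the winzlo32 handler, while WgaLogon.dll passes because it is on the known-good list. The point of the "(file missing)" rule is the same one the helper applies: a registry reference whose file is gone is harmless by itself but tells you something was removed without cleaning up.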

#2 Guest_Cretemonster_*

Posted 09 June 2006 - 04:52 AM

Hi Kid_kaos and Welcome to the Bleeping Computer!


Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\winzlo32.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

O20 - Winlogon Notify: winzlo32 - C:\WINDOWS\SYSTEM32\winzlo32.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind and Panda
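The Killbox step above queues the DLL for deletion on the next boot and warns about a PendingFileRenameOperations prompt; that registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager) is the mechanism Windows uses to delete or move files it cannot touch while they are loaded. Because the machine in this thread came back up without hal.dll, a defender running such a step would want to see exactly what is queued before rebooting. The following is an added example, not code from Killbox, from the helper, or from this thread: a Python parser for that REG_MULTI_SZ value, with a check for boot-critical files. The sample value is constructed (the first pair is what deleting the DLL named above would queue; the other two pairs are made up to exercise the checks), the boot-critical file list is an assumption, and the live registry read only runs on Windows.

```python
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed list of files Windows XP cannot boot without; hal.dll is the one from this thread.
BOOT_CRITICAL = {"hal.dll", "ntoskrnl.exe", "ntldr", "ntdetect.com", "boot.ini"}

# Constructed sample of what the REG_MULTI_SZ value can hold. Entries come in pairs
# (source, target): an empty target means "delete", a target prefixed with "!" means
# "replace an existing file". The first pair is what a Delete on Reboot of the DLL in
# this thread would queue; the other two are made up to exercise the checks.
SAMPLE_PENDING = [
    r"\??\C:\WINDOWS\SYSTEM32\winzlo32.dll", "",
    r"\??\C:\WINDOWS\system32\hal.dll", "",
    r"\??\C:\WINDOWS\Temp\staged.exe", r"!\??\C:\WINDOWS\system32\example.exe",
]


@dataclass
class PendingOp:
    kind: str              # "delete", "rename" or "replace"
    source: str
    target: Optional[str]


def strip_nt_prefix(path: str) -> str:
    """Turn an NT-style '\\??\\C:\\x' (optionally '!'-prefixed) into a plain Win32 path."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path


def parse_pending_renames(values: List[str]) -> List[PendingOp]:
    """Decode the (source, target) pairs of PendingFileRenameOperations."""
    ops = []
    vals = list(values)
    if len(vals) % 2:          # an odd trailing source is a delete with no target
        vals.append("")
    for src, dst in zip(vals[0::2], vals[1::2]):
        if src == "":
            continue
        if dst == "":
            ops.append(PendingOp("delete", strip_nt_prefix(src), None))
        elif dst.startswith("!"):
            ops.append(PendingOp("replace", strip_nt_prefix(src), strip_nt_prefix(dst)))
        else:
            ops.append(PendingOp("rename", strip_nt_prefix(src), strip_nt_prefix(dst)))
    return ops


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def boot_critical_ops(ops: List[PendingOp]) -> List[PendingOp]:
    """Operations that would delete or overwrite a boot-critical file on the next reboot."""
    flagged = []
    for op in ops:
        affected = op.source if op.kind == "delete" else (op.target or "")
        if basename(affected) in BOOT_CRITICAL:
            flagged.append(op)
    return flagged


def read_pending_from_registry() -> List[str]:
    """Read the live value on Windows; elsewhere return the constructed sample."""
    if sys.platform != "win32":
        return SAMPLE_PENDING
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Control\Session Manager")
    try:
        value, _ = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        return list(value)
    except FileNotFoundError:
        return []               # nothing queued
    finally:
        winreg.CloseKey(key)


if __name__ == "__main__":
    ops = parse_pending_renames(read_pending_from_registry())
    for op in ops:
        print(f"{op.kind:8} {op.source}" + (f" -> {op.target}" if op.target else ""))
    for op in boot_critical_ops(ops):
        hit = op.source if op.kind == "delete" else op.target
        print(f"WARNING: boot-critical file affected before next reboot: {hit}")
```

On the constructed sample the parser reports one delete of winzlo32.dll, one delete of hal.dll and one replace, and the warning fires only for the hal.dll entry. Running the audit before the reboot that Killbox forces is the cheap check that would have separated "the malware DLL is queued for deletion" from "something else is about to go".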

#3 Kid_kaos

Posted 09 June 2006 - 05:08 AM

Hi Kid_kaos and Welcome to the Bleeping Computer!


Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
Save it to your desktop.
Please double-click Killbox.exe to run it.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\winzlo32.dll


Return to Killbox, go to the File menu, and choose Paste from Clipboard.

Select Delete on Reboot and Unregister .dll before Deleting
then Click on the All Files button.

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).


Did that. And, by the way, I didn't get the message.

And I got this when trying to reboot in safe mode:

Could not start because the following is missing or corrupt: <Windows root>/system32/hal.dll Please reinstall a copy of the above file.


I'm on my parents' PC at the moment.

Edited by Kid_kaos, 09 June 2006 - 05:09 AM.


#4 Guest_Cretemonster_*

Posted 09 June 2006 - 04:25 PM

You get this error only in safe mode?

#5 Kid_kaos

Posted 09 June 2006 - 07:11 PM

I can't start my PC at all.

I keep getting that error message regardless of the mode I try to access.

But on top of Safe and Regular mode, it also allows me to start from a Windows restore point and debug.

But other than that, it won't let me boot the PC at all.

#6 Guest_Cretemonster_*

Posted 09 June 2006 - 08:51 PM

Look through these 2 links and see if you can perform any of the steps they discuss.

http://xphelpandsupport.mvps.org/how_do_i_...sing_or_cor.htm

http://www.kellys-korner-xp.com/xp_haldll_missing.htm


Did this just start after deleting that file?

#7 Kid_kaos

Posted 09 June 2006 - 09:11 PM

Yes it did.

After executing the Killbox, it went to the automatic restart. When trying to load on its own it gave me that error message. I'll get to it when I get home from work, and I'll let you know then.

#8 Kid_kaos

Posted 10 June 2006 - 01:23 AM

Ok.

I tried the first link, didn't work at all.

Second link, it seems like I had to be able to access the start menu. And well, I can't. The Windows bar will scroll, then go to a black screen, then give me the error message.

There is no possible way for me to reach my desktop, or even try to do a command prompt.

And on another note, I don't have an extra hard drive, so I can't do that either...

But like I said, when I reboot the system, it gives me other options. A debug, and what I am assuming is a system restore. Could one of those work?

#9 Guest_Cretemonster_*

Posted 10 June 2006 - 04:13 AM

At this point, you can try about anything; the hal.dll error is one of the more fatal of the Windows errors.

#10 Kid_kaos

Posted 10 June 2006 - 11:30 AM

No solution or mode is working.

Is there anything else that can be done, or am I up the creek without a paddle?

#11 Guest_Cretemonster_*

Posted 10 June 2006 - 11:46 AM

Unless you have a Windows CD and can access the recovery console???

Those links discuss using the recovery console in pretty good detail.

There's no more to do other than format.

I have fixed 100s of infections just like yours in the last month but this is the first I have ever seen it have any effect on system files.

#12 Kid_kaos

Posted 10 June 2006 - 11:49 AM

I don't doubt your ability to clean a PC, be sure of that.

And I've tried it. I don't know what it is, but I put the Windows install CD into my disk tray and the system doesn't read it. It still gives me the error message.

And I don't know how to reformat... I'd rather not.

I'm trying to see if I can try a different Windows install CD; the one I currently have is the one my manufacturer gave me. But my friends keep insisting I am putting in the wrong disk. If that doesn't work I will have to call; I am still under warranty (I hope).

#13 Kid_kaos

Posted 11 June 2006 - 01:33 PM

I ended up calling Dell customer support, and they had me do a system restore. It purged the virus (and everything else), but my PC isn't exactly in prime working order.

Thanks for the help though! Sorry I couldn't be any more help.

And for future notes, if someone needs to access the command prompt without going into the desktop on a Dell, they need to tap F12 at the Dell start-up screen and select "run CD ROM", or something along those lines (I forgot the exact wording).

#14 Guest_Cretemonster_*

Posted 11 June 2006 - 01:45 PM

WOW, thanks for that info.

Can you scan the system with HijackThis and maybe run a scan or 2 to see if anything is left?

#15 Kid_kaos

Posted 12 June 2006 - 01:53 AM

Sure, let me reinstall it.

And what do you mean by a scan? Like a virus scan?
