Thread ID: 88237 2008-03-20 07:30:00 Virus, Trojan, Spyware infection colinf (13530) Press F1
Post ID Timestamp Content User
651881 2008-03-20 07:30:00 Hi

I have a dell optiplex gx150 that seems to have a bad dose of Trojan etc infections.

I have run various Antivirus Demo programs including: AVG free; Norton AV 2008; CA Antivirus; FProt; CA; Kaspersky; PC Tools; and Avast;

I have also run the following AntiSpyware programs; AVG antispyware, PC Doctor Anti Spyware; Superantispyware; Spybot S&D.

All these have found problems and removed them except for Spybot S&D which found a number of Hupigon13 entries, but couldn't remove them with either a normal windows scan or a boot scan.

I have run HiJackThis and there seems to be a number of suspicious entries but it can't delete them. I.e. it appears to delete them, but if I do an immediate rescan they are back again.

I have also run Trojan Remover as suggested elsewhere in this forum and it found a large number of Trojan entries, but returned an access denied error when I tried to delete them.

I have logs from both HiJackThis and Trojan Remover for upload if required

Thanks in advance for any help

Colin
colinf (13530)
651882 2008-03-20 07:47:00 Post the HJT log Speedy Gonzales (78)
651883 2008-03-20 07:51:00 ok first, never run 2 anti-viruses at any single time.
Try to uninstall all but one, eg ESET NOD 32 or Kaspersky, then disable System Restore so that a virus can't restore itself using it. Then scan in safe mode, so that not everything starts up, only the default Windows stuff starts.
Get Spyware Doctor Starter edition, (from Google Pack) go to Settings, then scan settings, and tick 'scan for rootkit hidden files' and 'Scan Alternative data streams' and then do a FULL SYSTEM SCAN, not an intelli scan. Once you have done this run HijackThis again, and wait for Speedy, he's the expert on HijackThis logs. If all else fails, get all your data, compress it, put it on some sort of media (eg CD, DVD, External HDD, Second Internal HDD etc etc) and reformat your computer, then reinstall Windows XP or Vista or whatever you are using. (If you are thinking of upgrading to Vista, don't bother if you have less than a GeForce 7 series GPU, a good dual core CPU and a minimum of 2 gigs of RAM; this is the minimum setup which will give you a speed around that of XP using the same components)
Boot from Windows XP/Vista CD, format using the tools provided, then do a clean install. This will kill ALL viruses, along with all your data. Once you reach your desktop, DO NOTHING until you go to Windows Update and download all updates. Do not surf. (You can install an AV like NOD 32 or Kaspersky trial from a disk first BUT MAKE SURE THE DISK ITSELF has no viruses!!!) Now once you have all Windows updates and a trial AV installed, take your data disks with your compressed data and SCAN THEM ALL with your trial AV and Spyware Doctor Starter. Then drag all the compressed files to your desktop and uncompress them, then RESCAN the decompressed files, then put the data in the correct places and you are done :)
SPARTAN 860 (2618)
651884 2008-03-20 07:59:00 :eek:

Maybe just start with the hjt log
bevy121 (117)
651885 2008-03-20 10:43:00 Sorry for not making things clearer but I would run one AV, get it to clean what it could, uninstall it, download the next one, update pattern files, run it, etc.

Colin

HJT log follows,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:06 p.m., on 20/03/08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\DMI\WIN32\bin\DellDmi.exe
C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
C:\Program Files\Dell\OpenManage\Client\DLT.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINNT\LogWatNT.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\crusty.exe
C:\WINNT\System32\WBEM\WinMgmt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Driver Extbn] C:\WINNT\system32\Driver Exden.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
O4 - HKLM\..\Policies\Explorer\Run: [zhqb_df] rundll32.exe C:\WINNT\system\zhqbdf080305.dll mymain
O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINNT\system32\mcdsrv16_080304.dll start
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - unami-dpko.org
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - update.microsoft.com
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - (no file)
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

--
End of file - 4150 bytes
colinf (13530)
651886 2008-03-20 11:47:00 Looks like these 2 may be the prob

Run HJT again tick these then tick fix checked

Close browser/s

O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)

O4 - HKLM\..\Policies\Explorer\Run: [zhqb_df] rundll32.exe C:\WINNT\system\zhqbdf080305.dll mymain <-- Do a search for this file, if you find this after you reboot, delete this file

O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINNT\system32\mcdsrv16_080304.dll start <-- As above

O23 - Service: Google Updater Service (gusvc) - Unknown owner - (no file)

Not too sure what this is

O4 - HKLM\..\Run: [Driver Extbn] C:\WINNT\system32\Driver Exden.exe


Get Trojan remover <-- direct link (www.simplysup.co.uk)

After you tick the above, install then run trojan remover, update it then scan.

Then scan all options under the utilities menu

Then reboot
Speedy Gonzales (78)
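As an added example (my own code, not from any poster in this thread): a small Python script that scans a HijackThis-style log for the kinds of entries picked out in the reply above: orphaned "(no file)" entries, autostarts under Policies\Explorer\Run, rundll32 loading a DLL with a date-stamped name, and an oddly named executable sitting in the Windows system directory. The sample log is constructed from lines of Colin's posted log; the heuristics are this example's own and give leads to verify on the machine, not a verdict.

```python
"""Added example, not code from the thread: flag HijackThis log entries that
match the indicators the replies above point at. Sample lines are constructed
from the log posted in the thread; the heuristics are this example's own."""
import re
from typing import Dict, List

# Constructed sample, built from the O2/O4/O23 sections of the posted log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Driver Extbn] C:\WINNT\system32\Driver Exden.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [zhqb_df] rundll32.exe C:\WINNT\system\zhqbdf080305.dll mymain
O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINNT\system32\mcdsrv16_080304.dll start
O23 - Service: Google Updater Service (gusvc) - Unknown owner - (no file)
O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
"""

# "O4 - <body>", "R1 - <body>", "O23 - <body>" ...
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# O4 body: "<hive\..\key>: [<name>] <command line>"
O4_RE = re.compile(r"^(?P<key>HK(?:LM|CU)\\[^:]*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# a DLL whose file name ends in six digits, e.g. "zhqbdf080305.dll"
DATED_DLL_RE = re.compile(r"\\[^\\]*\d{6}\.dll\b", re.IGNORECASE)
# an .exe with a space in its name directly inside \WINNT\system or \WINNT\system32
SYSDIR_SPACE_RE = re.compile(r"^[A-Z]:\\WINNT\\system(?:32)?\\[^\\]* [^\\]*\.exe$", re.IGNORECASE)


def reasons_for(kind: str, body: str) -> List[str]:
    """Return the heuristic reasons an entry deserves a closer look (empty = none)."""
    reasons: List[str] = []
    if body.endswith("(no file)"):
        reasons.append("points at a file that is missing (orphaned entry)")
    if kind == "O4":
        m = O4_RE.match(body)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            if "Policies\\Explorer\\Run" in key:
                reasons.append("autostart under Policies\\Explorer\\Run, rarely used by legitimate software")
            if cmd.lower().startswith("rundll32.exe") and DATED_DLL_RE.search(cmd):
                reasons.append("rundll32 loads a DLL with a date-stamped name")
            if SYSDIR_SPACE_RE.match(cmd):
                reasons.append("executable with a space in its name living in the Windows system directory")
    return reasons


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Parse every HJT entry line and keep the ones with at least one reason."""
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, blank lines, process list
        reasons = reasons_for(m.group("kind"), m.group("body"))
        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


def report(log_text: str) -> str:
    """Human-readable summary: each flagged line followed by its reasons."""
    out = []
    for f in analyze(log_text):
        out.append(f["line"])
        for r in f["reasons"]:
            out.append("    -> " + r)
    return "\n".join(out) if out else "nothing flagged"


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The script only reads the log text; confirming a lead still means checking the referenced file on disk and with an up-to-date scanner, exactly as the reply above suggests for the two rundll32 entries.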
651887 2008-03-20 19:19:00 Spybot S&D which found a number of Hupigon13 entries, but couldn't remove them with either a normal windows scan or a boot scan.

I have run HiJackThis and there seems to be a number of suspicious entries but it cant delete them.

Run Spybot again, note the location of the entries it can't remove, delete them manually. HJT has a delete on Reboot utility in Misc Tools which will help.
pctek (84)
651888 2008-03-20 22:07:00 Think you may need to do the fixing with this...

Ok.We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.

Please visit this webpage for download links, and instructions for running the tool (www.bleepingcomputer.com)


When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
Pancake (6359)
651889 2008-03-21 06:21:00 Hi

I have run HJT to delete the entries suggested. Downloaded, updated, and run, Trojan Remover. It found approximately 300 Suspicious Debugger Entries; all of which gave an "Access Denied Error" when I tried to delete them. Most, at least 90% of them, mentioned that "Driver Exden" as the Debugger.

I rebooted and the reboot scan of Trojan Remover still couldn't delete the entries.

I also ran HJT after the reboot and the entries you asked me to delete were all listed. I have an HJT log, from after the reboot, if you are interested.

I am now downloading Combo Fix and setting it up. I assume that setting up the XP recovery console won't cause any problems on a Windows 2000 system.

Colin
colinf (13530)
651890 2008-03-21 06:49:00 scan in safe mode, hopefully you will find that some of the spyware will be deleted.

P.S I have a question, how did your pc get infected so badly like this in the first place?

P.P.S if all else fails follow my post instructions above :), only do it as a FINAL APPROACH! Big time waster.

P.P.P.S Windows 2000?! That is almost unsupported! Why would XP recovery disks help when it's 2000, it's an entirely different OS!
SPARTAN 860 (2618)