Trojan help. (removing it ofcourse) +hijackthis log

[Moros]

Okay, everybody must know it. You have a sister who thinks she can do everything with a computer but for one strange reason or an other the computer gets one virus after an other. Anyway...

Apparantly she got a trojan of some sorts. She told me that one of the programs she has told so. (she couldn't recall the name and for one reason or another she can't find the name back.) Now I'd help her with thatr only thing she is staying in Gent and that means that she's more than 200kms from here (and so is her pc). Anyway so I asked her to run antivirus prog's,... and hitman pro. But they all get closed when she starts them. I also asked her to download Hijackthis and run it.

This was the result:

Logfile of HijackThis v1.99.1
Scan saved at 22:35:41, on 23/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) (she uses Firefox tough)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\SMCWUSBT-G EZ Connect TM g 108 Mbps 802.11g Wireless USB 2.0 Adapter\ACU.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\drivers\uzcx.exe
C:\WINDOWS\system32\v7.exe
C:\WINDOWS\system32\kernels32.exe
C:\WINDOWS\twain_32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Windows\xpupdate.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\retadpu.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\vexg4am1et2.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\pc_asus\LOCALS~1\Temp\Rar$EX01.469\HijackThis.exe
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: YA2GOOGLE - {89731480-D47D-4DC4-8A36-BAAE55E094C5} - C:\WINDOWS\iexplore.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\INTERN~2\MEDIAKEY.EXE
O4 - HKLM\..\Run: [ACU] C:\Program Files\SMCWUSBT-G EZ Connect TM g 108 Mbps 802.11g Wireless USB 2.0 Adapter\ACU.exe -nogui
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
O4 - HKLM\..\Run: [VaCtrls] v7
O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
O4 - HKLM\..\Run: [Microprose] C:\WINDOWS\twain_32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu27.exe 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A28452DA545E9B1894E754BE54C29159A 7DA682D7735667D926033AAC
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\bhdrijsnk.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxx.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documenten\Settings\winsys2f.dll
O21 - SSODL: HerXFkKXT - {5899E792-F233-4D38-339B-19C475E2F69B} - C:\WINDOWS\system32\apk.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: vwservice - Unknown owner - C:\WINDOWS\system32\vwsrv.exe (file missing)
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)

Anyone an idea? It also blocks sites like symantec,...

So could anyone get me some clear instructions of how to remove this, that I can pass to my sister?

[Blodrast]

Does booting in safe mode make any difference with respect to whether she can run AV proggies ? It's a small chance, granted, but hey...

[Bijo]

When skimming through the info, I found the following ones suspicious, and found some quick links:
http://spywarefiles.prevx.com/RRFAHI.../UZCX.EXE.html
http://www.neuber.com/taskmanager/process/acs.exe.html


Personally, I'd format the whole thing and make a clean install. Then make sure any type of rubbish doesn't come at it, just prevent all these things.

[Blodrast]

When skimming through the info, I found the following ones suspicious, and found some quick links:
http://spywarefiles.prevx.com/RRFAHI.../UZCX.EXE.html
http://www.neuber.com/taskmanager/process/acs.exe.html


Personally, I'd format the whole thing and make a clean install. Then make sure any type of rubbish doesn't come at it, just prevent all these things.

... and keep the computer disconnected from the network until you install all the AV/firewalls/etc stuff.

[Moros]

Thanks guys!

[drone]

Most anti-malware programs will run in safe mode, this is usually the best course of action when trying to disinfect. Create a CD with the various anti-malware programs on it (SpybotSD, AdAware, AVG, etc) AND the latest definitions for each (very important). Unplug the infected PC from the network, boot in safe mode, and go to work.

[Moros]

Okay small update, after running quite a lot of anitvirus progs and deleting quite a few hijakcthis entries the pc is virus free.

[Vladimir]

Glad to see the problem is solved. When I got knocked up with a nasty virus http://www.majorgeeks.com/ really helped.