  1. #1

    Virus, Trojan, Spyware infection

    Hi

    I have a Dell Optiplex GX150 that seems to have a bad dose of Trojan etc. infections.

    I have run various antivirus demo programs including: AVG Free; Norton AV 2008; CA Antivirus; FProt; CA; Kaspersky; PC Tools; and Avast.

    I have also run the following anti-spyware programs: AVG Anti-Spyware; PC Doctor Anti Spyware; SuperAntiSpyware; Spybot S&D.

    All these have found problems and removed them except for Spybot S&D which found a number of Hupigon13 entries, but couldn't remove them with either a normal windows scan or a boot scan.

    I have run HijackThis and there seem to be a number of suspicious entries, but it can't delete them. I.e. it appears to delete them, but if I do an immediate rescan they are back again.

    I have also run Trojan Remover as suggested elsewhere in this forum and it found a large number of Trojan entries, but returned an access denied error when I tried to delete them.

    I have logs from both HijackThis and Trojan Remover for upload if required.

    Thanks in advance for any help

    Colin

  2. #2

    Re: Virus, Trojan, Spyware infection

    Post the HJT log

  3. #3

    Re: Virus, Trojan, Spyware infection

    OK, first: never run 2 anti-viruses at any single time.
    Try to uninstall all but one, e.g. ESET NOD32 or Kaspersky, then disable System Restore so that a virus can't restore itself using it. Then scan in Safe Mode, so that not everything starts up, only the default Windows stuff starts.

    Get Spyware Doctor Starter Edition (from Google Pack), go to Settings, then Scan Settings, and tick 'Scan for rootkit hidden files' and 'Scan alternative data streams', and then do a FULL SYSTEM SCAN, not an Intelli-Scan. Once you have done this, run HijackThis again and wait for Speedy, he's the expert on HijackThis logs.

    If all else fails, get all your data, compress it, put it on some sort of media (e.g. CD, DVD, external HDD, second internal HDD etc.) and reformat your computer, then reinstall Windows XP or Vista or whatever you are using. (If you are thinking of upgrading to Vista, don't bother if you have less than a GeForce 7 series GPU, a good dual-core CPU and a minimum of 2 GB of RAM; this is the minimum setup which will give you a speed around that of XP using the same components.)

    Boot from the Windows XP/Vista CD, format using the tools provided, then do a clean install. This will kill ALL viruses, along with all your data. Once you reach your desktop, DO NOTHING until you go to Windows Update and download all updates. Do not surf. (You can install an AV like a NOD32 or Kaspersky trial from a disk first, BUT MAKE SURE THE DISK ITSELF has no viruses!!!) Now, once you have all Windows updates and a trial AV installed, take your data disks with your compressed data and SCAN THEM ALL with your trial AV and Spyware Doctor Starter. Then drag all the compressed files to your desktop and uncompress them, then RESCAN the decompressed files, then put the data in the correct places and you are done.

  4. #4

    Re: Virus, Trojan, Spyware infection



    Maybe just start with the HJT log.

  5. #5

    Re: Virus, Trojan, Spyware infection

    Sorry for not making things clearer, but I would run one AV, get it to clean what it could, uninstall it, download the next one, update pattern files, run it, etc.

    Colin

    HJT log follows,

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:06:06 p.m., on 20/03/08
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\SYSTEM32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
    C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINNT\LogWatNT.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Trend Micro\HijackThis\crusty.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nzherald.co.nz/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Driver Extbn] C:\WINNT\system32\Driver Exden.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [HijackThis startup scan] C:\Program Files\Trend Micro\HijackThis\HijackThis.exe /startupscan
    O4 - HKLM\..\Policies\Explorer\Run: [zhqb_df] rundll32.exe C:\WINNT\system\zhqbdf080305.dll mymain
    O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINNT\system32\mcdsrv16_080304.dll start
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://unami-dpko.org/iNotes6.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1163119885019
    O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINNT\System32\3Com_DMI\3CDMINIC.EXE
    O23 - Service: ActionAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    O23 - Service: DellDmi - Dell Computer Corporation - C:\DMI\WIN32\bin\DellDmi.exe
    O23 - Service: DEventAgent - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    O23 - Service: DLT - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\DLT.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Unknown owner - (no file)
    O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
    O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe

    --
    End of file - 4150 bytes

  6. #6

    Re: Virus, Trojan, Spyware infection

    Looks like these 2 may be the prob.

    Run HJT again, tick these, then tick Fix checked.

    Close browser/s

    O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)

    O4 - HKLM\..\Policies\Explorer\Run: [zhqb_df] rundll32.exe C:\WINNT\system\zhqbdf080305.dll mymain <-- Do a search for this file, if you find this after you reboot, delete this file

    O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINNT\system32\mcdsrv16_080304.dll start <-- As above

    O23 - Service: Google Updater Service (gusvc) - Unknown owner - (no file)

    Not too sure what this is

    O4 - HKLM\..\Run: [Driver Extbn] C:\WINNT\system32\Driver Exden.exe


    Get Trojan Remover <-- direct link

    After you tick the above, install then run Trojan Remover, update it, then scan.

    Then scan all options under the Utilities menu.

    Then reboot
    Last edited by Speedy Gonzales; 20-03-2008 at 11:50 PM.
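The entries Speedy picks out above (the orphaned "Info cache" BHO, the orphaned gusvc service, and the two rundll32 loaders registered under Policies\Explorer\Run), plus the "Driver Exden" autorun he is unsure about, can be pulled out of a HijackThis log mechanically. The script below is an added example by the editor; it is not part of the original thread and not HijackThis's own logic (HJT only lists entries and leaves the judgement to the reader). The heuristics are the editor's assumptions: an autorun under the policy key Policies\Explorer\Run, which is legitimate but rarely used by installers; a rundll32 target with a six-digit date-style suffix or living in %SystemRoot%\system rather than system32; an unquoted path with a space pointing straight into system32; and an O2/O23 registration whose file is missing. The sample input is copied from the log posted in #5 and the findings mark lines for review, not as malicious.

```python
"""Offline triage of HijackThis (HJT) log lines.

Added example by the editor; not part of the original thread and not
HijackThis's own code. The heuristics below are the editor's assumptions
and mark entries for review, not as malicious.
"""
import re

# Sample input: O2/O4/O23 lines copied from the log posted in #5. The machine
# runs Windows 2000, so the system directory is C:\WINNT.
SAMPLE_LOG = r"""
O2 - BHO: Info cache - {385AB8C6-FB22-4D17-8834-064E2BA0A6F0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Driver Extbn] C:\WINNT\system32\Driver Exden.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [zhqb_df] rundll32.exe C:\WINNT\system\zhqbdf080305.dll mymain
O4 - HKLM\..\Policies\Explorer\Run: [zsms] rundll32.exe C:\WINNT\system32\mcdsrv16_080304.dll start
O23 - Service: Google Updater Service (gusvc) - Unknown owner - (no file)
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINNT\LogWatNT.exe
"""

# Generic "O4 - <body>" line, and the shape of an O4 body:
# "HKLM\..\Policies\Explorer\Run: [item name] command line"
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DATED_DLL_RE = re.compile(r"\d{6}\.dll$")  # e.g. zhqbdf080305.dll (YYMMDD-style suffix)


def check_o4(body):
    """Reasons to review one O4 (autorun) entry; empty list if none."""
    m = O4_RE.match(body)
    if not m:
        return []
    key, cmd = m.group("key"), m.group("cmd")
    reasons = []
    # Policy-driven autorun keys are legitimate but rarely used by installers.
    if key.lower().startswith("policies\\explorer\\run"):
        reasons.append("autorun via Policies\\Explorer\\Run")
    parts = cmd.split()
    if len(parts) > 1 and parts[0].lower() == "rundll32.exe":
        target = parts[1].lower()
        if DATED_DLL_RE.search(target):
            reasons.append("rundll32 loads a DLL with a date-stamped name")
        if "\\winnt\\system\\" in target:
            reasons.append("DLL lives in %SystemRoot%\\system, not system32")
    # An unquoted path containing a space that points straight into system32
    # is unusual for vendor software (matches the "Driver Exden.exe" entry).
    low = cmd.lower()
    if not cmd.startswith('"') and " " in cmd and "\\system32\\" in low and low.endswith(".exe"):
        reasons.append("unquoted executable path with a space under system32")
    return reasons


def triage(log_text):
    """Return {line: [reasons]} for every entry that deserves a second look."""
    findings = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if sec in ("O2", "O23") and body.endswith("(no file)"):
            # The registration survives but its file is gone: a leftover or a
            # hidden file; either way it has no business staying.
            reasons.append("orphaned registration: file missing")
        elif sec == "O4":
            reasons = check_o4(body)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the pasted log it flags exactly the five lines discussed in #6 and leaves the Spybot, mobsync and Dell entries alone; on a real log treat each hit as a prompt to search for the file and check its publisher, not as a verdict.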

  7. #7
    pctek

    Re: Virus, Trojan, Spyware infection

    Quote Originally Posted by colinf:
        Spybot S&D which found a number of Hupigon13 entries, but couldn't remove them with either a normal windows scan or a boot scan.

        I have run HijackThis and there seem to be a number of suspicious entries but it can't delete them.

    Run Spybot again, note the location of the entries it can't remove, and delete them manually. HJT has a delete-on-reboot utility in Misc Tools which will help.

  8. #8
    Pancake

    Re: Virus, Trojan, Spyware infection

    Think you may need to do the fixing with this...

    OK. We need to download ComboFix.exe. This will give a better view of the files running, and also hidden, on your computer.

    Please visit this webpage for download links, and instructions for running the tool


    When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

    Caution: Never run and remove files with Combofix unless supervised by a security analyst.

    NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
    Last edited by Pancake; 21-03-2008 at 10:14 AM.



  9. #9

    Re: Virus, Trojan, Spyware infection

    Hi

    I have run HJT to delete the entries suggested. Downloaded, updated, and ran Trojan Remover. It found approximately 300 Suspicious Debugger Entries, all of which gave an "Access Denied" error when I tried to delete them. Most, at least 90% of them, mentioned that "Driver Exden" as the Debugger.

    I rebooted and the reboot scan of Trojan Remover still couldn't delete the entries.

    I also ran HJT after the reboot and the entries you asked me to delete were all listed. I have an HJT log, from after the reboot, if you are interested.

    I am now downloading ComboFix and setting it up. I assume that setting up the XP Recovery Console won't cause any problems on a Windows 2000 system.

    Colin
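Colin's report of several hundred "Suspicious Debugger Entries", most naming "Driver Exden" as the debugger, matches one specific persistence trick: a Debugger value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<program.exe> makes Windows start the named "debugger" instead of program.exe whenever program.exe is launched, with program.exe's own command line appended. Registering the malware as the debugger of every security tool is how those tools get silently replaced. The script below is an added example by the editor, not part of the thread and not Trojan Remover's code. That the reported entries are IFEO Debugger values is the editor's inference from the post; the .reg export is constructed for the example (it is not Colin's registry); and the list of legitimate debuggers is an assumption. It reads an export of the IFEO key, lists Debugger values that point at anything other than a known debugger, and writes a .reg fragment that deletes only those values.

```python
"""Find and undo Image File Execution Options (IFEO) "Debugger" hijacks
from a registry export.

Added example by the editor; not part of the original thread and not
Trojan Remover's code. Assumptions: the "Suspicious Debugger Entries"
reported in #9 are IFEO Debugger values, the sample export below is
constructed (not the poster's registry), and KNOWN_DEBUGGERS is the
editor's allowlist.
"""
import re

IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Debuggers a developer might legitimately register (editor's assumption).
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}

# Constructed sample export: three hijacks pointing at the "Driver Exden.exe"
# binary seen in the HJT log, one developer-set debugger, and one key that
# carries an IFEO setting other than Debugger.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"Debugger"="C:\\WINNT\\system32\\Driver Exden.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\WINNT\\system32\\Driver Exden.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="C:\\WINNT\\system32\\Driver Exden.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntdll.dll]
"GlobalFlag"=dword:00000002
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')  # REG_SZ values only


def unescape(s):
    r"""Undo .reg escaping: \\ becomes a backslash, \" becomes a quote."""
    return re.sub(r"\\(.)", lambda m: m.group(1), s)


def parse_debuggers(reg_text):
    """Map image name -> debugger command for every IFEO Debugger value."""
    result = {}
    current = None  # image name of the IFEO subkey we are inside, if any
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            inside = key.lower().startswith(IFEO.lower() + "\\")
            current = key[len(IFEO) + 1:] if inside else None
            continue
        if current is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group("name").lower() == "debugger":
            result[current] = unescape(m.group("data"))
    return result


def debugger_basename(cmd):
    """File name of the debugger from a quoted or unquoted command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]
    elif cmd.lower().endswith(".exe"):
        exe = cmd  # unquoted path without arguments: spaces belong to the path
    else:
        exe = cmd.split(" ", 1)[0]  # unquoted with arguments, e.g. "ntsd.exe -d"
    return exe.rsplit("\\", 1)[-1].lower()


def suspicious(debuggers):
    """Image -> debugger for entries whose debugger is not a known tool."""
    return {img: dbg for img, dbg in debuggers.items()
            if debugger_basename(dbg) not in KNOWN_DEBUGGERS}


def cleanup_reg(suspects):
    """A .reg file that deletes just the Debugger value ("=-") of each suspect,
    leaving other IFEO settings on the same key untouched."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for image in sorted(suspects, key=str.lower):
        lines += ["[%s\\%s]" % (IFEO, image), '"Debugger"=-', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = suspicious(parse_debuggers(SAMPLE_REG))
    for image, dbg in sorted(found.items()):
        print("%-16s -> %s" % (image, dbg))
    print(cleanup_reg(found))
```

Export the key with regedit's File > Export (or `reg export` on XP and later), run the script on it, and import the generated fragment. Two caveats a practitioner would want: an "Access Denied" on deleting a registry value, like the one Trojan Remover hit, usually means the ACL on those keys has been altered, and a .reg import will fail the same way until ownership and permissions are restored from the key's Permissions dialog; and because the hijack keys on the executable's file name, a renamed copy of a tool is not intercepted, which is very likely why the HJT log in #5 shows HijackThis running as crusty.exe.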

  10. #10

    Re: Virus, Trojan, Spyware infection

    Scan in Safe Mode; hopefully you will find that some of the spyware will be deleted.

    P.S. I have a question: how did your PC get infected so badly like this in the first place?

    P.P.S. If all else fails, follow my post instructions above, only do it as a FINAL APPROACH! Big time waster.

    P.P.P.S. Windows 2000?! That is almost unsupported! Why would XP recovery disks help when it's 2000? It's an entirely different OS!
    Last edited by SPARTAN 860; 21-03-2008 at 06:59 PM.
