Computer scanned still virus like activity

agtenor · Jan 27, 2005

I've scanned this computer with AVG Free, Spybot S&D, AdAware free version, Trend Micro's online scan and the new Microsoft spyware beta. All of them found trojans, except the Trend Micro scan and cleaned them. Trend didn't find anything.
Every morning when she turns the computer on AVG runs and finds a couple of viruses, always something different and always in the IE temp files.
I booted into command prompt Safe mode and deleted the IE cache and for that day AVG didn't find any more viruses when it ran but the next morning it found more.
The computer is running slower and slower all the time and every time it gets on the net AVG mail scanner shows that is is constantly scanning outgoing email messages even when she isn't sending anything anything and Outlook Express isn't running. She's on a slow dial up so the outgoing messages really suck up her bandwidth.
Hijack This log follows:
Logfile of HijackThis v1.99.0
Scan saved at 11:51:18 AM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system\winlgon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
E:\hijack\HijackThis.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.up-link.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.up-link.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.up-link.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Up-Link Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe
c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [.service] C:\WINDOWS\system\winlgon.exe
O4 - HKLM\..\Run: [wgcWJrkylb] C:\WINDOWS\System32\oljiyrxtonp.exe
O4 - HKLM\..\RunServices: [wgcWJrkylb] C:\WINDOWS\System32\oljiyrxtonp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program
Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.up-link.net
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/0265ce2a1e0d1292a419/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{034D478D-6C41-464C-947F-6630A96C1E14}:
NameServer = 151.164.64.201 151.164.1.8
O17 -
HKLM\System\CS1\Services\Tcpip\..\{034D478D-6C41-464C-947F-6630A96C1E14}:
NameServer = 151.164.64.201 151.164.1.8
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe

Logfile of HijackThis v1.99.0
Scan saved at 11:51:18 AM, on 1/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system\winlgon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
E:\hijack\HijackThis.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.up-link.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.up-link.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.up-link.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Up-Link Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe
c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [.service] C:\WINDOWS\system\winlgon.exe
O4 - HKLM\..\Run: [wgcWJrkylb] C:\WINDOWS\System32\oljiyrxtonp.exe
O4 - HKLM\..\RunServices: [wgcWJrkylb] C:\WINDOWS\System32\oljiyrxtonp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program
Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.up-link.net
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/0265ce2a1e0d1292a419/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 -
HKLM\System\CCS\Services\Tcpip\..\{034D478D-6C41-464C-947F-6630A96C1E14}:
NameServer = 151.164.64.201 151.164.1.8
O17 -
HKLM\System\CS1\Services\Tcpip\..\{034D478D-6C41-464C-947F-6630A96C1E14}:
NameServer = 151.164.64.201 151.164.1.8
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe

cybertech · Jan 27, 2005

Hi agtenor, Welcome to TSG!!

Run HJT again and put a check in the following:

O4 - HKLM\..\Run: [.service] C:\WINDOWS\system\winlgon.exe
O4 - HKLM\..\Run: [wgcWJrkylb] C:\WINDOWS\System32\oljiyrxtonp.exe
O4 - HKLM\..\RunServices: [wgcWJrkylb] C:\WINDOWS\System32\oljiyrxtonp.exe
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.real.com/0265ce2...ip/RdxIE601.cab

Close all applications and browser windows before you click "fix checked".

Restart in Safe Mode

Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"

Delete these files:
C:\WINDOWS\system\winlgon.exe
C:\WINDOWS\System32\oljiyrxtonp.exe
c:\x.cab
c:\ied_s7.cab

Reboot and post another log.

agtenor · Jan 27, 2005

Thanks. It will be tomorrow before I can get over there and try it.

AG

cybertech · Jan 27, 2005

No problem.

agtenor · Jan 29, 2005

Logfile of HijackThis v1.99.0
Scan saved at 2:46:53 PM, on 1/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.up-link.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.up-link.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.up-link.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
Microsoft Internet Explorer provided by Up-Link Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} -
C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp]
c:\hp\drivers\printers\photosmart\hphprld.exe
c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search &
Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"
/background
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program
Files\Lexmark X125\LEX125SU.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.up-link.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe

It's still sending emails so something isn't right.

cybertech · Jan 29, 2005

Run HJT again and put a check in the following:

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} -
c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)

Close all applications and browser windows before you click "fix checked".

I don't see anything malicious in the log.

Does she have both an HP and a Lexmark printer?

Does she use Windows Messenger?

Are you still getting virus warnings every day?

agtenor · Jan 31, 2005

As far as I know she is. I've got a bad cold and the lady is in shaky health. I don't want to expose her to what I've got so it will be a couple of days, at least, till I can go out there again.
I'll get back to you whan I can go over there.

AG

cybertech · Jan 31, 2005

Take care! That nasty cold/flu thing is going around...

Computer scanned still virus like activity

agtenor

cybertech

Retired Moderator

agtenor

cybertech

Retired Moderator

agtenor

cybertech

Retired Moderator

agtenor

cybertech

Retired Moderator

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

Welcome to Tech Support Guy!

Latest posts

Staff online

Members online