1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Dropper.Generic.ELZ

Discussion in 'Virus & Other Malware Removal' started by Ron the Geek, Jan 27, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    I'm running AVG Free Edition on a Compaq Presario desktop and on, it looks like, every single downloaded audio or video file, it detected Trojan horse Dropper.Generic.ELZ. (I mean, it just kept scrollin'...) I Googled it and found no matches at all. Anyone familiar with this?
    RTG :cool:
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, It's common to see this type of detection, usually means a trojan that has many aliases....

    EggDrop is one.

    go to Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then save the log and then the log will open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Hey! Just getting back. Right now, AVG is running again; I believe I've already installed HiJack on the machine, if not, I'll do so when AVG is done. Should this thread be moved to security? Thanks!
    RTG :cool:
     
  4. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Sorry—didn't notice I was already in Security... I'm usually in the Windows Forum... I'll post that HJ file ASAP. Thanks!
     
  5. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Okay, Byteman, here we go:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:08:47 PM, on 1/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\c2FtYW50aGEgYm9zdGlj\command.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ssn6tuu.exe
    C:\WINDOWS\cfg32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\windows\system32\dwdsregt.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\WNSXS~1\services.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\WINDOWS\system32\nr1rnqm8.exe
    C:\Program Files\Call of Duty Game of the Year Edition\servercache.exe
    C:\WINDOWS\cfg32a.exe
    C:\WINDOWS\ALCXMNTR.EXE
    c:\windows\system\hpsysdrv.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R3 - URLSearchHook: (no name) - {D6B1D264-6FA4-1409-A4DB-601332A93996} - C:\WINDOWS\system32\idyzzwor.dll
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\bevhj.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,ladltwr.exe
    O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
    O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
    O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
    O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
    O2 - BHO: (no name) - {D6B1D264-6FA4-1409-A4DB-601332A93996} - C:\WINDOWS\system32\idyzzwor.dll
    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
    O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
    O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
    O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
    O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [regcmdcons] c:\hp\bin\cloaker.exe c:\hp\bin\cmdcons.cmd
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
    O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
    O4 - HKLM\..\Run: [cufmonh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\cufmonh.dll,ozoaldb
    O4 - HKLM\..\Run: [{2A-A5-5A-AB-ZN}] C:\windows\system32\dwdsregt.exe GID003
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
    O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\system32\testtestt.exe
    O4 - HKCU\..\Run: [Srro] "C:\WINDOWS\WNSXS~1\services.exe" -vt ndrv
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Z_Start.lnk = C:\ZIGID003.exe
    O4 - Global Startup: .protected
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nucleus.com/FIX/WinATS.cab
    O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
    O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\irjsl5171.dll (file missing)
    O20 - Winlogon Notify: SharedDlls - C:\WINDOWS\system32\hrnm0551e.dll (file missing)
    O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\c2FtYW50aGEgYm9zdGlj\command.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    _____________________________________________

    If you have any suggestions, they're surely appreciated! Thanks!
    RTG :cool:
     
  6. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, That's just great, a real mess! But, I will try to knock some down for you. This may result in malware winning, so I hope you are prepared for the unexpected as far as backing up files or anything you need on this computer.

    ]Click here to download Look2Me-Destroyer.exe and save it to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    STOP HERE, post what is asked for above. The rest down below, just get the downloads to have ready.

    _ _ police line do not cross_ _ ___ _

    drweb-cureit.exe Save it to your desktop.

    Download ATFCleaner by Atribune & save it to your desktop. DO NOT use it yet. We will use it in Safe Mode, later
    As you probably know, deleting Cookies can result in you having to type in your username and passwords at ALL sites that use logins, like this site does, so if you willy nilly delete cookies, which is safe enough to do, you will have to re-establish these cookies and login the first time you visit any site like that.
    ATF Cleaner has a way to save those cookies you would like to keep but it will require some time. If you DO KNOW or have saved all your Passwords and login usernames you can delete all cookies.



    IMPORTANTPlease print out or copy this page to Notepad as you will be in Safe Mode and unable to refer to this page. The fix must be run in Safe Mode only

    * Restart your computer into safe mode now.To get into the Windows 2000 / XP Safe mode, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu"
    Use your arrow keys to move to "Safe Mode" and press your Enter key.

    Next, start up ATFCleaner:

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Next: Stay in Safe Mode for this....
    • Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
    • It will first make a quick scan of your system, let it clean what it find, and when it says "done"
    • Click on the green screwdriver-
      Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
    • Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green arrow in lower right corner
    • It will now scan your drive(s), say yes to all

    • After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit. Restart.
     
  7. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Hey Byteman. Just now got a chance to get back to the computer. I'll try and get around to this sometime this week, hopefully; six more machines came to my bench in the last couple of days and I need to find the ones I can prepare the quickest. Believe it or not, computers in a pawn shop move like crazy and right now I've got none on the sales floor. I'm afraid, however, I'm going to see a lot more of the same problems...
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, That's fine but limit the use on the Net for this and similar machines...they tend to get more infected when connected, especially with high speed Internet like cable.

    You can and should get the downloads burned to CD or something and run them while the computer is not connected physically to any network or Internet device.

    You can then copy logs requested etc onto floppy diskette or flash drive to send them to post here.

    Always post a brand new Hijackthis log made after whatever we had you run such as the Look2Me tool.
     
  9. Ron the Geek

    Ron the Geek Thread Starter

    Joined:
    Nov 22, 2006
    Messages:
    492
    Using a CD is exactly what I do. Some of the machines that I work on will not see the network here at work (I'm not a network guru, but have tried everything I know, but some of these systems just won't see the network) and so it's necessary to run these programs from CD. Spybot is the only disappointment since it requires downloading updates before it will execute it's initial run. But I use AVG Free, CCleaner, and HiJackThis and, of course, Spybot when I can. Every day is a new education...
     
  10. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/538881

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice