zperm virus

[tpkelley]

i keep getting a virus called zperm. i ran AVG and ad-aware. here is a copy of hijackthis. do i need to do anything else?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:41 PM, on 2/7/2015
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
c:\PROGRA~1\AVG\AVG2015\avgrsx.exe
C:\Program Files\AVG\AVG2015\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2015\avgidsagent.exe
C:\Program Files\AVG\AVG2015\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareService.exe
C:\Program Files\AVG\AVG2015\avgui.exe
C:\Program Files\AVG SafeGuard toolbar\vprot.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.2.0\ToolbarUpdater.exe
C:\Program Files\AVG\AVG2015\avgnsx.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.2.0\loggingserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll
O2 - BHO: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\18.2.0.829\AVG SafeGuard toolbar_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll
O3 - Toolbar: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\18.2.0.829\AVG SafeGuard toolbar_toolbar.dll
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG SafeGuard toolbar\vprot.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdAwareTray] "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
O4 - HKUS\S-1-5-21-2342698487-1329037420-3596670359-500\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-21-2342698487-1329037420-3596670359-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - Startup: Nikon Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.8.0_31\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.8.0_31\bin\jp2iexp.dll
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://66.133.171.94/rcm/VMRCActiveXClient1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1371693433752
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://jp-appserver.jeffparish.net/webmap/acgm/Acgm.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\18.2.0\ViProtocol.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgwdsvc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ad-Aware Service 11 (LavasoftAdAwareService11) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: vToolbarUpdater18.2.0 - AVG Secure Search - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.2.0\ToolbarUpdater.exe

--
End of file - 7124 bytes

 

[eddie5659]

Hiya

Sorry for the lateness in replies, these forums can be very busy. Are you still having this problem? If so, can you do the floowing and we'll go from there:

Download Security Check from here.

• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

----------

Download OTL to your Desktop


(Vista or Win 7 => right click and Run As Administrator)

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Standard Output.
• At the top, check the box entitled Scan All Users
• Toward the bottom, check:
  All Users
  LOP Check
  Purity Check
• Under the Standard Registry box change it to All
  Do not change any settings unless otherwise told to do so.
• Please copy the text in the code box below and paste it in the Custom Scans/Fixes box in OTL:
  
  

  DRIVES
  netsvcs
  activex
  msconfig
  drivers32
  %systemroot%\assembly\GAC_32\*.ini
  %systemroot%\assembly\GAC_64\*.ini
  %ALLUSERSPROFILE%\Application Data\*.exe
  %APPDATA%\*.
  safebootminimal
  safebootnetwork
  %SYSTEMDRIVE%\*.*
  %PROGRAMFILES%\*.exe
  %LOCALAPPDATA%\*.exe
  %windir%\Installer\*.*
  %windir%\system32\tasks\*.*
  %windir%\system32\tasks\*.* /64
  %systemroot%\Fonts\*.exe
  %systemroot%\*. /mp /s
  /md5start
  pnrpnsp.dll
  nwprovau.dll
  nlaapi.dll
  napinsp.dll
  mswsock.dll
  winrnr.dll
  wshelper.dll
  consrv.dll
  explorer.exe
  winlogon.exe
  regedit.exe
  Userinit.exe
  svchost.exe
  services.exe
  user32.dll
  atapi.sys
  csrss.exe
  PRINTISOLATIONHOST.EXE
  /md5stop
  hklm\software\clients\startmenuinternet|command /rs
  hklm\software\clients\startmenuinternet|command /64 /rs
  %systemroot%\system32\*.dll /lockedfiles
  %systemroot%\Tasks\*.job /lockedfiles
  %systemdrive%\$Recycle.Bin|@;true;true;true /fp
  %systemroot%\system32\drivers\*.sys /lockedfiles
  C:\Windows\assembly\tmp\U\*.* /s
  %Temp%\smtmp\* \s
  %Temp%\smtmp\1\*.*
  %Temp%\smtmp\2\*.*
  %Temp%\smtmp\3\*.*
  %Temp%\smtmp\4\*.*
  dir "%systemdrive%\*" /S /A:L /C
  CREATERESTOREPOINT

• Click the Run Scan button. The scan wont take long.
  A black box will appear, this is part of the custom scan, so don't be alarmed
  IF OTL SAYS 'NOT RESPONDING' DON'T USE THE MOUSE. IT WILL CARRY ON SCANNING AFTER A FEW MINUTES
  
  
• When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic
  

Thanks

eddie

 

[tpkelley]

here is a copy of the file


Results of screen317's Security Check version 0.99.96
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Ad-Aware Antivirus
AVG AntiVirus Free Edition 2015
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Out of date HijackThis installed!
HijackThis 2.0.2
CCleaner
Java 8 Update 31
Java(TM) SE Runtime Environment 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox (35.0.1)
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.5.202.7299\AdAwareService.exe
Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.5.202.7299\AdAwareTray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````

 

[eddie5659]

Thanks, can you also post the OTL logs as well

 

[eddie5659]

Okay, whilst I wait for the OTL logs, lets look at what you've posted


Your AVG is out of date, so that will need updating. Keeping the antivirus up to date is important.

https://support.avg.com/SupportArticleView?l=en_US&urlname=How-to-update-AVG


----

Now, you also have many different versions of Java. The older ones are recomended to remove, as exploits on these ones may not have been patched.


Your Java is also out of date (32-bit), so lets do that next:

Upgrade Java : (32 bits)

• Download the latest version of Java SE Runtime Environment (JRE) JRE 8 Update 31 .
• Under the JAVA Platform Standard Edition, click the "Download JRE" button to the right.
  
  
  
  
  
• Accept License Agreement.".
• Click on the link to download Windows Offline Installation 32 bit ( jre-8u31-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
• Close any programs you may have running - especially your web browser.
• Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  
  
  Java(TM) SE Runtime Environment 6
  Java(TM) 6 Update 3
  Java(TM) 6 Update 5
  Java 2 Runtime Environment, SE v1.4.2_03
  
  
• Click the Remove or Change/Remove button.
• Repeat as many times as necessary to remove each Java version.
• Reboot your computer once all Java components are removed.
• Then from your desktop double-click on the download to install the newest version.(Vista or Win 7 users, right click on the jre-7u67-windows-i586.exe and select "Run as an Administrator.")
• Don't install any of the toolbars that are offered.

After doing the above, for the remains of the Java, can you do this:

Open Java in the Control Panel and under the General tab, under Temporary Internet Files, click the Settings button. Then click on Delete Files.

Make sure both of these options are checked:

• Applications and Applets
• Trace and Log Files

OK out of all the screens.


---------

eddie