zperm virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

tpkelley

Thread Starter
Joined
Oct 12, 2002
Messages
67
i keep getting a virus called zperm. i ran AVG and ad-aware. here is a copy of hijackthis. do i need to do anything else?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:10:41 PM, on 2/7/2015
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
c:\PROGRA~1\AVG\AVG2015\avgrsx.exe
C:\Program Files\AVG\AVG2015\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2015\avgidsagent.exe
C:\Program Files\AVG\AVG2015\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareService.exe
C:\Program Files\AVG\AVG2015\avgui.exe
C:\Program Files\AVG SafeGuard toolbar\vprot.exe
C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.2.0\ToolbarUpdater.exe
C:\Program Files\AVG\AVG2015\avgnsx.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.2.0\loggingserver.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_31\bin\ssv.dll
O2 - BHO: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\18.2.0.829\AVG SafeGuard toolbar_toolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_31\bin\jp2ssv.dll
O3 - Toolbar: AVG SafeGuard toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG SafeGuard toolbar\18.2.0.829\AVG SafeGuard toolbar_toolbar.dll
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,[email protected]
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG SafeGuard toolbar\vprot.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdAwareTray] "C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner.exe" /MONITOR
O4 - HKUS\S-1-5-21-2342698487-1329037420-3596670359-500\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Administrator')
O4 - HKUS\S-1-5-21-2342698487-1329037420-3596670359-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Administrator')
O4 - Startup: Nikon Monitor.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.8.0_31\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.8.0_31\bin\jp2iexp.dll
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://66.133.171.94/rcm/VMRCActiveXClient1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1371693433752
O16 - DPF: {8B0F07E1-00F9-4B1B-9A2F-456DC0F54EBF} (PortDetector Control) - http://vlab1se-ekt2.elementk.com/vlab/ax/PortTester.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://jp-appserver.jeffparish.net/webmap/acgm/Acgm.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\18.2.0\ViProtocol.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2015\avgwdsvc.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Ad-Aware Service 11 (LavasoftAdAwareService11) - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus\11.5.202.7299\AdAwareService.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: vToolbarUpdater18.2.0 - AVG Secure Search - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.2.0\ToolbarUpdater.exe

--
End of file - 7124 bytes
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Hiya

Sorry for the lateness in replies, these forums can be very busy. Are you still having this problem? If so, can you do the floowing and we'll go from there:

Download Security Check from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


----------

Download OTL to your Desktop


(Vista or Win 7 => right click and Run As Administrator)

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Standard Output.
  • At the top, check the box entitled Scan All Users
  • Toward the bottom, check:
    All Users
    LOP Check
    Purity Check
  • Under the Standard Registry box change it to All
    Do not change any settings unless otherwise told to do so.
  • Please copy the text in the code box below and paste it in the Custom Scans/Fixes box in OTL:

    Code:
    DRIVES
    netsvcs
    activex
    msconfig
    drivers32
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    %ALLUSERSPROFILE%\Application Data\*.exe
    %APPDATA%\*.
    safebootminimal
    safebootnetwork
    %SYSTEMDRIVE%\*.*
    %PROGRAMFILES%\*.exe
    %LOCALAPPDATA%\*.exe
    %windir%\Installer\*.*
    %windir%\system32\tasks\*.*
    %windir%\system32\tasks\*.* /64
    %systemroot%\Fonts\*.exe
    %systemroot%\*. /mp /s
    /md5start
    pnrpnsp.dll
    nwprovau.dll
    nlaapi.dll
    napinsp.dll
    mswsock.dll
    winrnr.dll
    wshelper.dll
    consrv.dll
    explorer.exe
    winlogon.exe
    regedit.exe
    Userinit.exe
    svchost.exe
    services.exe
    user32.dll
    atapi.sys
    csrss.exe
    PRINTISOLATIONHOST.EXE
    /md5stop
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemdrive%\$Recycle.Bin|@;true;true;true /fp
    %systemroot%\system32\drivers\*.sys /lockedfiles
    C:\Windows\assembly\tmp\U\*.* /s
    %Temp%\smtmp\* \s
    %Temp%\smtmp\1\*.*
    %Temp%\smtmp\2\*.*
    %Temp%\smtmp\3\*.*
    %Temp%\smtmp\4\*.*
    dir "%systemdrive%\*" /S /A:L /C
    CREATERESTOREPOINT
  • Click the Run Scan button. The scan wont take long.
    A black box will appear, this is part of the custom scan, so don't be alarmed ;)
    IF OTL SAYS 'NOT RESPONDING' DON'T USE THE MOUSE. IT WILL CARRY ON SCANNING AFTER A FEW MINUTES

  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and post them in your topic

Thanks

eddie
 

tpkelley

Thread Starter
Joined
Oct 12, 2002
Messages
67
here is a copy of the file


Results of screen317's Security Check version 0.99.96
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Ad-Aware Antivirus
AVG AntiVirus Free Edition 2015
Antivirus out of date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Ad-Aware
Out of date HijackThis installed!
HijackThis 2.0.2
CCleaner
Java 8 Update 31
Java(TM) SE Runtime Environment 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java 2 Runtime Environment, SE v1.4.2_03
Java version 32-bit out of Date!
Java 64-bit 8 Update 31
Adobe Flash Player 16.0.0.305
Adobe Reader XI
Mozilla Firefox (35.0.1)
````````Process Check: objlist.exe by Laurent````````
Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
AVG avgwdsvc.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.5.202.7299\AdAwareService.exe
Lavasoft Ad-Aware Antivirus Ad-Aware Antivirus 11.5.202.7299\AdAwareTray.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 14% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

eddie5659

Moderator
Malware Specialist
Joined
Mar 19, 2001
Messages
37,298
Okay, whilst I wait for the OTL logs, lets look at what you've posted :)


Your AVG is out of date, so that will need updating. Keeping the antivirus up to date is important.

https://support.avg.com/SupportArticleView?l=en_US&urlname=How-to-update-AVG


----

Now, you also have many different versions of Java. The older ones are recomended to remove, as exploits on these ones may not have been patched.


Your Java is also out of date (32-bit), so lets do that next:

Upgrade Java : (32 bits)
  • Download the latest version of Java SE Runtime Environment (JRE) JRE 8 Update 31 .
  • Under the JAVA Platform Standard Edition, click the "Download JRE" button to the right.


  • Accept License Agreement.".
  • Click on the link to download Windows Offline Installation 32 bit ( jre-8u31-windows-i586.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.


    Java(TM) SE Runtime Environment 6
    Java(TM) 6 Update 3
    Java(TM) 6 Update 5
    Java 2 Runtime Environment, SE v1.4.2_03

  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista or Win 7 users, right click on the jre-7u67-windows-i586.exe and select "Run as an Administrator.")
  • Don't install any of the toolbars that are offered.


After doing the above, for the remains of the Java, can you do this:

Open Java in the Control Panel and under the General tab, under Temporary Internet Files, click the Settings button. Then click on Delete Files.

Make sure both of these options are checked:

  • Applications and Applets
  • Trace and Log Files
OK out of all the screens. :)


---------

eddie
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Members online

Top