
More Trojan Collected.5.L

Discussion in 'Malware and Virus Removal Archive' started by Evolsen, 2005/05/12.

Thread Status:
Not open for further replies.
  1. 2005/05/12
    Evolsen

    Hi there

    I have exactly the same problem except that the recurring virus is located in my Documents and Settings folder (same file though). Also my firewall has been alerting me that "systemsinfo.exe is trying to access the internet" which I foolishly allowed. I know I will have to do something about that.

    Will follow your advice and post the log asap.

    Thanks for your help.



     
  2. 2005/05/12
    noahdfear

    Welcome to WindowsBBS Evolsen :)

    I've moved your post to a thread of its own and titled it to reflect your problem. Please post all further responses to this topic here.
     


  4. 2005/05/13
    Evolsen

    HijackThis Log

    Here is my log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:40:32 p.m., on 14/05/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\Program Files\Acer\Notebook Manager\almxptray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Launch Manager\LaunchAp.exe
    C:\Program Files\Launch Manager\PowerKey.exe
    C:\Program Files\Launch Manager\HotkeyApp.exe
    C:\Program Files\Launch Manager\CtrlVol.exe
    C:\Program Files\Launch Manager\OSDCtrl.exe
    C:\Program Files\Launch Manager\Wbutton.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\TCMMOU~1\MouseDrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\systeminfos.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
    C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\FRITZ!\IWatch.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Langenscheidt\Pop-up Woerterbuch\PopupWB.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\Hijack.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/advanced_search?hl=de
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [AcerNotebookManager] C:\Program Files\Acer\Notebook Manager\almxptray.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
    O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe "
    O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe
    O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
    O4 - HKLM\..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe
    O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe "
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [TCMKeyboard ] C:\PROGRA~1\TCMMOU~1\PS2USBKBDDrv.exe
    O4 - HKLM\..\Run: [TCMMouse ] C:\PROGRA~1\TCMMOU~1\MouseDrv.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
    O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [EPSON Stylus COLOR 480] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P22 "EPSON Stylus COLOR 480" /O5 "LPT1:" /M "Stylus COLOR 480 "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE "
    O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
    O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O4 - Global Startup: ISDNWatch.lnk = C:\Program Files\FRITZ!\IWatch.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Mobilen Favoriten erstellen - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra 'Tools' menuitem: Mobilen Favoriten erstellen... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103186187984
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{0AC157DC-190B-41F7-B3C7-0C259AAB2A96}: NameServer = 192.168.120.252,192.168.120.253
    O17 - HKLM\System\CCS\Services\Tcpip\..\{19966A08-9BA5-443F-8684-4F20F1EEB51A}: NameServer = 203.96.152.4,203.96.152.12
    O17 - HKLM\System\CS1\Services\Tcpip\..\{0AC157DC-190B-41F7-B3C7-0C259AAB2A96}: NameServer = 192.168.120.252,192.168.120.253
    O17 - HKLM\System\CS2\Services\Tcpip\..\{0AC157DC-190B-41F7-B3C7-0C259AAB2A96}: NameServer = 192.168.120.252,192.168.120.253
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\Program Files\Common Files\AVM\de_serv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    Thanks again for any help.
     
  5. 2005/05/13
    noahdfear

    I need that also, please. ;)
     
  6. 2005/05/13
    Evolsen

    MWAV Log

    Hello again

    Have just done a scan with MWAV and shock-horror(!!) I have nine viruses instead of one!

    Here's the Log:

    File C:\WINDOWS\System32\systeminfos.exe infected by "Backdoor.Win32.Agobot.abl" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\systeminfos.exe infected by "Backdoor.Win32.Agobot.abl" Virus. Action Taken: No Action Taken.
    File System Found infected by "Alexa Spyware/Adware" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\msua.exe infected by "Trojan-Dropper.Win32.Juntador.e" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\msua.exe infected by "Trojan-Dropper.Win32.Juntador.e" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\PCHealth\HelpCtr\DataColl\CollectedData_649.xml infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\PCHealth\HelpCtr\DataColl\CollectedData_655.xml infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
    File C:\Downloads\w32-421c.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\PMAIL\wpmmapi.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

    Again, thanks so much for your help :)
     
  7. 2005/05/13
    noahdfear

    Would you please locate and zip up copies of the two XML files from the MWAV scan and attach to an email to me. Put WindowsBBS in the subject line. Just so you know, the last two files listed in the MWAV scan are legit and safe. Part of Pegasus. ;)

    I'll be working up a reply soon.
     
  8. 2005/05/13
    Evolsen

    MWAV Scan

    Sorry, but I could not locate any XML files on my computer - at least none from the MWAV scan. I ran MWAV from my Desktop which is now full of all sorts of files but no XML...
     
  9. 2005/05/13
    Evolsen

    XML Files

    Sorry, I did find the folder that was supposed to contain those files and it contains a large number of XMLs but not those specific two (649 and 655)...
     
  10. 2005/05/13
    noahdfear

  11. 2005/05/14
    Evolsen

    XML Files (2)

    Have done that. Still no luck. Could zip the whole folder for you...
     
  12. 2005/05/14
    noahdfear

    Download the zipbat.zip file attached to this post. Save it to your desktop. If it saves as attachment.php, right click and rename to zipbat.zip. You may need to enable viewing extensions for known file types to see the zip and php extensions. To do that, open My Computer and click Tools on the menu, then Folder Options. Click the View tab of the window that opens, uncheck the box to Hide extensions...... and click OK. Now right click the file and extract the zipbat folder to your desktop. Open it and double click the zip.bat file to run. It will create an XML.zip file in C: if the files were found. Attach that zip to an email.
     
  13. 2005/05/14
    Evolsen

    Still no luck

    Hi Dave
    Sorry to be a pain, but I did everything you said and still no go.

    Upon double-clicking on zip.bat there was just a quick flick on the screen and that was it. I then searched the whole C: drive for a file called XML.zip and found nothing... Did the whole thing twice... :(
     
  14. 2005/05/14
    noahdfear

    My error. It needed some quotes. :rolleyes:

    I replaced the attachment. Please delete the one you have and redownload.
     
  15. 2005/05/14
    Evolsen

    No attachment with last post

    Sorry, there was no attachment with your last post.
     
  16. 2005/05/14
    noahdfear

    I replaced the original in the previous post. ;)
     
  17. 2005/05/14
    Evolsen

    ....

    That's what I thought but it still doesn't work. I.e. a flick on the screen and then nothing - and there does not seem to be a file called xml.zip on my computer...
     
  18. 2005/05/14
    noahdfear

    Ok, zip the DataColl folder and send.

    I'll have to finish tomorrow. Need sleep. ;)
     
  19. 2005/05/14
    Evolsen

    XML Files

    Yes, time to finish up here for today as well. Really appreciate your patience and help. I'll email you the folder straight away... Thanks again :)
     
  20. 2005/05/15
    noahdfear

    Well, I don't know why MWAV flagged those two XML files. They don't exist, which is why the zip wasn't created and you couldn't find them.

    Save this to notepad, or print it out for reference while in safe mode.

    Copy the contents of the quote box below to a blank notepad. Close it, saving to your desktop as

    File name: delfiles.bat
    Save As Type: All Files

    Reboot to safe mode, logon to your user account and double click the file to run it.
    Locate the MSDIRECTX.SYS file and delete it.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
    O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
    O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe

    Reboot back in Windows, go to Start>All Programs>Windows Update. Accept all critical updates.
    Reboot and go back to Windows Update until there are no more criticals offered.

    Scan your PC with RAV. If any files are infected, click the report button then copy and paste it here.

    Run another HijackThis scan and post the log.
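As an added example (not code from the thread, from HijackThis or from its author), a small Python parser for the O4 autostart lines of the log in post 4 that reports any program registered in several autorun locations at once, which is the pattern behind the four Compaq Service Drivers entries the fix list above targets. The sample lines are copied from that log; the regexes and function names are mine.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKLM\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Compaq Service Drivers] systeminfos.exe
O4 - HKCU\..\RunServices: [Compaq Service Drivers] systeminfos.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""

# O4 registry entries look like: O4 - HKLM\..\Run: [name] command
REG_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
# Startup-folder entries look like: O4 - Global Startup: x.lnk = path
STARTUP_RE = re.compile(r"^O4 - (Global Startup|Startup): (.+?) = (.*)$")


def exe_name(command):
    """Lower-cased file name of the program a Run-value command launches."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, arguments follow the quote
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:                                # unquoted: program is the first token
        path = command.split(" ", 1)[0]
    return path.strip().rsplit("\\", 1)[-1].lower()


def parse_o4(log_text):
    """Return (location, name, command) tuples for every O4 line in a log."""
    entries = []
    for line in log_text.splitlines():
        m = REG_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries.append((hive + "\\" + key, name, command))
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append(m.groups())
    return entries


def flag_multi_location(entries):
    """Executables registered in more than one autorun location. Agobot-style
    backdoors plant one file under HKLM and HKCU Run *and* RunServices; the
    RunServices key is a Win9x leftover that legitimate XP software rarely uses."""
    seen = defaultdict(set)
    for location, _name, command in entries:
        seen[exe_name(command)].add(location)
    return {exe: sorted(locs) for exe, locs in seen.items() if len(locs) > 1}
```

Running `flag_multi_location(parse_o4(log))` over a full log lists each program with the set of keys it is planted in, so the reviewer sees at a glance which entries belong together when deciding what to tick in HijackThis.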
     
  21. 2005/05/15
    Evolsen

    Hi there. Thanks for the instructions.

    Should I have System Restore on or off? It's off at the moment.
     