persistent P Skill E Tool Malware & delcab virus

Discussion in 'Malware and Virus Removal Archive' started by onefinger, 2006/11/10.

Thread Status:
Not open for further replies.
  1. 2006/11/10
    onefinger

    onefinger Well-Known Member Thread Starter

    My DVD-Rom drive stopped working on my 2001 Packard Bell computer. I went to device manager & found it to be enabled & working properly. It doesn't play any discs now, I expected corruption. I went to Smart Restore to reinstall the drive & my avast resident picked up the P SKILL E Tool Malware as I opened it. I selected move to chest, which it did & I deleted it, opened Smart Restore again, there was the same malware, selected delete immediately, which it did, or so I thought. It is unmovable from there & every time I delete or move to chest I get a "registry change has occurred" from my resident Spybot S&D, which says delcab is trying to make a start up file, which I always deny.

    I did a thorough scan with my avast & it picked up 10 P skill e tool malware, no delcab. I moved these all to chest, I then found my avast was corrupt & nothing was in chest after 8 hour scan, I have installed a new one now. Tried A.V.G. Ewido, 30 day trial, it picks up nothing. My new avast now picks up nothing. Tried Swordfish from Stronghold & it has switched off my Zone Alarm firewall & found what I think about 50 bogus trojan horses & worms, some in my Kaspersky files, which I have never had. My Spybot S&D picks up nothing, my Ad-Aware only tracking cookies. I have removed Swordfish now. I scan every day for registry issues with ccleaner & Spybot S&D Tools Internals & remove if there are any with back up.

    I know now that these malware have infected the C/System Volume Information restore points & in C/WINDOWS/RESTORE/INS/C/OEMCUST/TOOLS/WIN32/PSKILL EXE. & only show up on my avast scanner when I select scan archives. Is there any way to remove this persistent malware and is the delcab virus connected to it? I have Windows XP with SP2, Pentium 4, 1.9 GHz, 512 MB RAM, NVIDIA GeForce 5200 AGP graphics card. Please help if you can, I have been trying everything for a week now. Windows is still telling me my Zone Alarm firewall is off, although it seems to be on, how can I check?

    I have just tried to scan again with avast 4.7 Home & an error occurred trying to move 8 infections to chest, also about 50 items unable to scan. Any ideas?
     
  2. 2006/11/10
    TeMerc

    TeMerc Inactive Alumni

    Hello and welcome to WindowsBBS Forums.

    If what is being found is in the file path of system restore, then it is not a threat. To clear those findings, all you have to do is turn off system restore, reboot and turn system restore back on and none of the anti-spyware or av apps will find those.

    If possible, I would also customize your scans to exclude those folders. Once you have set a clean system restore point, there is no need to scan those folders.

    Let us know if that helps.
     

  4. 2006/11/11
    onefinger

    onefinger Well-Known Member Thread Starter

    Re: P Skill E Tool Malware & delcab

    Hi Te Merc,
    Thank you for your reply, I am willing to turn the system restore off, I have done so before, prior to a scan in safe mode. My only concern is that you have lost all your restore points, if you did need to go back to a previous point. Unfortunately the problem is more complex than that, the malware being in my OEMCUST file, which is the license between Packard Bell & Microsoft, and in my Smart Restore, which is a Packard Bell Programme to uninstall/reinstall hardware or software. The malware is also in my registry. There is also the problem of my DVD-Rom drive, which ejects, but cannot play any type of disc, although it is enabled & working properly in device manager. My Zone Alarm firewall is o.k. now. I will switch off restore as you say, but from what I have read in your forum you should always leave it on, especially since it will not solve the whole problem. I have enclosed a HijackThis log file for you to look at. Thank you.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:34:22, on 11/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5730.0011)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Apps\ActivBoard\nhksrv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Apps\ActivBoard\MMKeybd.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Apps\ActivBoard\TrayMon.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
    C:\Apps\ActivBoard\OSD.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
    C:\Program Files\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://uk.downloads.yahoo.com/internetexplorer/welcome.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe "
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk.disabled
    O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
    O4 - Global Startup: Google Updater.lnk.disabled
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=www.packardbell.co.uk/center
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151870184587
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152085602824
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4A55D50F-E0A2-4385-8F6A-EACECBF213F1}: NameServer = 212.139.132.53 212.139.132.52
    O17 - HKLM\System\CS1\Services\Tcpip\..\{4A55D50F-E0A2-4385-8F6A-EACECBF213F1}: NameServer = 212.139.132.53 212.139.132.52
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    regards onefinger
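
Added example, not part of the original thread and not written by either poster: a short Python triage of a HijackThis log like the one posted above. It groups entries by section code, lists the ones HijackThis itself marked "(file missing)", and checks the running processes and autostart sections (O4, O20, O23) for the names raised in this thread; the sample lines are copied from the log above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Entry lines look like "O4 - <detail>"; the code names the log section.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Sections that make something run at boot or logon.
AUTOSTART_CODES = {"O4": "Run key / Startup folder",
                   "O20": "Winlogon notify",
                   "O23": "Windows service"}
# Names raised in this thread (assumption: matched as substrings).
THREAD_NAMES = ("pskill", "delcab", "deltreew")

def parse_log(text):
    """Return (running_processes, {section_code: [detail, ...]})."""
    processes, entries, in_processes = [], defaultdict(list), False
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            entries[match.group(1)].append(match.group(2))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            processes.append(line)
    return processes, dict(entries)

def file_missing(entries):
    """Entries HijackThis annotated with '(file missing)'."""
    return [(code, d) for code, details in entries.items()
            for d in details if d.endswith("(file missing)")]

def name_hits(processes, entries, names=THREAD_NAMES):
    """Running processes and autostart entries that mention any name."""
    hits = [("process", p) for p in processes
            if any(n in p.lower() for n in names)]
    for code in AUTOSTART_CODES:
        hits += [(code, d) for d in entries.get(code, [])
                 if any(n in d.lower() for n in names)]
    return hits

if __name__ == "__main__":
    procs, ents = parse_log(SAMPLE_LOG)
    print("sections:", {c: len(d) for c, d in ents.items()})
    print("file missing:", [c for c, _ in file_missing(ents)])
    print("name hits:", name_hits(procs, ents))
```

An empty result from `name_hits` only covers what HijackThis lists (running processes and autostart sections); it says nothing about archived files inside restore points, which the log does not enumerate.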
     
  5. 2006/11/11
    onefinger

    onefinger Well-Known Member Thread Starter

    Latest update on my problem. I downloaded the free version of the AVG Antivirus, updated it & performed a full system scan. The new scanner picked up nothing, but every time it passed an infected file, my Resident avast scanner found it & I successfully removed each one to virus chest (my Resident is set to high). I ended up with 10 of the P Skill E Tool Malware in my chest, which I successfully deleted. Next I opened my Packard Bell Smart Restore & there it was, the same malware found by my resident avast, immoveable it seems. My DVD-Rom drive still not working. Any ideas anyone?:mad:
     
  6. 2006/11/11
    TeMerc

    TeMerc Inactive Alumni

    The reason I suggested to turn off sys restore is I'm fairly certain there is no threat to be concerned with.

    I'm not familiar with how the Packard Bell software works, but it seems to be similar to system restore, but on a disc? If that's the case, those files must have been included as part of the software and it may not operate properly if you remove them entirely.

    I found this perfect explanation about the files here:
    The reason your avs cannot remove it is because those folders have very restricted access.

    Worst case scenario, just add system restore to the 'ignore' feature if that's available on the av scanner.

    And I doubt any of these files have anything to do with your drive. At that age, it's possible it just needs replacement. Try uninstalling its drivers and reinstalling them, or checking for any newer drivers.
     
  7. 2006/11/12
    onefinger

    onefinger Well-Known Member Thread Starter

    Re: P Skill E Tool Malware & delcab virus.

    Hi Te Merc,
    Thank you very much for your replies to my query. I see your point about the P Skill E Tool not being a malware at all. It does seem like a valid point, one small problem though, why does the delcab virus try to start up in my registry every time I try to delete one of the above mentioned malware/tool? The delcab, from deltreew exe. is a virus, according to the internet; why is it not detectable by any scan I do & why is it starting up from the P Skill E Tool?
    I have tried to uninstall drivers for my DVD-Rom, but there is no option for this in device manager, only rollback driver or uninstall device. I cannot find drivers to update this device anywhere on the internet, too old I suppose. My Packard Bell Smart Restore doesn't have the DVD-Rom on its list to reinstall & even if it did you need to play the installation disc on that drive to reinstall it. I seem to have become stuck on this problem. Can anyone help me on this problem please? I would lastly like to add that I think the staff of this forum are doing a grand job of sorting people's problems out, especially seeing as it is voluntary work. Thank you very much.
    Regards onefinger.
     
  8. 2006/11/12
    TeMerc

    TeMerc Inactive Alumni

    I don't know where you read that 'deltreew exe' or 'delcab' are any type of virus or threat, I sure can't find anything about it to say it is. A couple of people say it references your Smart program tho. Once again, I do not believe this is a threat.
    You may have to start a thread over in the hardware forum for that one.
     
  9. 2006/11/13
    onefinger

    onefinger Well-Known Member Thread Starter

    Re: P Skill E Tool Malware & delcab virus.

    Hi again TeMerc,
    I read about the delcab & deltreew exe. on the Stronghold website, they are advertising their Swordfish antivirus to get rid of it. I downloaded & tried it & as mentioned above, it came up with numerous trojan horses, worms, malware etc., some being found in my Kaspersky files, a piece of software I have never had. I didn't trust it & have now deleted it from my computer. Thanks for your comments again.
    From onefinger.
     
  10. 2006/11/13
    TeMerc

    TeMerc Inactive Alumni

    Glad we could be of assistance.

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To avoid known malware infested sites from loading in IE install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps proving how securely you can surf with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D


    Due to resolution this topic is closed.

    If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.
     