
scans OK...still problems--Hijackthis log

Discussion in 'Malware and Virus Removal Archive' started by DWFII, 2006/11/06.

  1. 2006/11/06
    DWFII

    DWFII Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    55
    Likes Received:
    0
    I apologize for the long post--a litany of misery--and also if I have posted this in the wrong place.

    I'm having a heck of a time. I have a fairly new computer (less than a year old) and I have recently caught several viruses--the I-worm/stration.AEJ and several Trojanhorse Backdoor.Generic 3sw1.

    I first noticed problems with programs freezing and/or not being able to be opened. When I realized I had viruses I ran AVG and supposedly these were healed. I encountered these in several places on my computer...through several sweeps. Then System Restore would no longer work.

    I posted to this forum and on the newsgroups and following advice I turned off system restore, downloaded and installed a new version of AVG (7.5 Ewido?), a trial version of Panda AV, Windows Defender, A-Squared, as well as my old stand-bys of SpyBot and Ad-Aware.

    I ran these programs over and over again doing deep scans and medium scans. According to all of them my system is clean.

    But things are not back to normal or stable. Occasionally my dsl modem appears to be downloading or uploading when I am not on the net. Programs either fail to respond when I try to open them from icons on the desktop or in the taskbar "notification area" and when opened, sometimes freeze...randomly. I have Windows Security Updates turned on but Security Center says I do not...in system properties Automatic update is turned on (it was supposed to update last night, I don't think it did) and links to the Microsoft Update page do not work.

    While typing this I tried to access AVG and the icon on the desktop did not work, computer stopped responding...wouldn't even shut down properly. Rebooting, it now works.

    I need to know if I can repair Windows and/or fully recover from this and how to go about it.


    Logfile of HijackThis v1.99.1
    Scan saved at 5:13:32 AM, on 11/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Antivirus 2007\AVENGINE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
    C:\Program Files\ASUS\Asus Probe\AsusProb.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    E:\Acrobat\Distillr\Acrotray.exe
    C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE
    C:\Program Files\Stardock\Object Desktop\cursorxp\CursorXP.exe
    C:\WINDOWS\cliptray.exe
    C:\WINDOWS\Deskmenu.exe
    C:\Program Files\KeirNet\K9\K9.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    c:\program files\panda software\panda antivirus 2007\WebProxy.exe
    C:\WINDOWS\system32\wscntfy.exe
    D:\extract\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.monarchcomputer.com/search/main.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.monarchcomputer.com/search/main.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.monarchcomputer.com/search/main.php
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\acroread\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Acrobat\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Acrobat\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate "
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Asus Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Acrobat\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\Stardock\Object Desktop\cursorxp\CursorXP.exe
    O4 - Startup: cliptray.lnk = C:\WINDOWS\cliptray.exe
    O4 - Startup: Deskmenu.lnk = C:\WINDOWS\Deskmenu.exe
    O4 - Startup: Launch K9.lnk = C:\Program Files\KeirNet\K9\K9.exe
    O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\acroread\Reader\reader_sl.exe
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://E:\Acrobat\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: Monarch - {EF754947-2070-4C37-8985-5A0DFAB65053} - http://www.monarchcomputer.com (file missing) (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://www.monarchcomputer.com/search/main.php
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1162817903265
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
    O20 - AppInit_DLLs: wbsys.dll e1.dll winmfaul.dll diagdss.dll statdss.dll
    O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
    O20 - Winlogon Notify: dssconf - C:\WINDOWS\SYSTEM32\cfgdss.dll
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: uxthwmer - C:\WINDOWS\
    O20 - Winlogon Notify: WBSrv - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: IconPackager Repair - {1799460C-0BC8-4865-B9DF-4A36CD703FF0} - C:\Program Files\Stardock\Object Desktop\IconPackager\iprepair.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2007\pavsrv51.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Antivirus 2007\PsImSvc.exe

    Thanks for help and thanks for the forum....
     
  2. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to the forum.

    I see a couple of items which don't belong. Odd that the other AVs on board don't see anything; it's fairly obvious in the log.

    Could you try and locate the following files, and run them through a scanner:
    e1.dll
    winmfaul.dll
    diagdss.dll
    statdss.dll

    Go to http://virusscan.jotti.org , click on Browse, and upload them.

    Then click Submit. Allow the file to be scanned, and then please copy and paste the results here for me to see.

    Let's grab an online scan and also have you DL a stand-alone scanner as well.

    Please download the free MWAV antivirus tool from here:
    ftp://ftp.microworldsystems.com/download/tools/mwav.exe
    Save it to the desktop and run it. Follow the prompts to scan your system for viruses. Then please post for me the log of infected files from the BOTTOM panel of the scan window.

    Please go to Trend Micro to run the Trend Micro™ HouseCall Scan.
    • Click Scan now. It's free!
    • Read and put a Check next to Yes I accept the terms of use.
    • Click the Launching HouseCall>> button.
    • If confirmed that HouseCall can run on your system, under Using Java-based HouseCall kernel click the Starting HouseCall>> button.
    • You may receive a Security Warning about the TrendMicro Java applet, click YES.
    • Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.
    • Please be patient while it installs, updates, and scans your system.
    • Once the scan is complete, it will take you to the summary page.
    • Under Cleanup options, choose clean all detected infections automatically.
    • Click the Clean now>> button.
    • If anything was found you may be prompted to run the scan again, you can just close the browser window.
     
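One way to mechanise the triage TeMerc does by eye in the reply above, as an added example that is not part of the thread: it parses the O20 lines of a HijackThis log (a constructed excerpt of the log posted earlier) and lists every loader DLL the analyst has not yet attributed to installed software, so those are the ones to send to a multi-engine scanner. The VETTED set is an assumption for the example, not a statement that those files are clean.

```python
"""Triage the O20 lines of a HijackThis log the way the reply above does by eye."""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the log posted earlier in the thread; only the
# O20 lines are kept, plus one O23 line to show that other sections are ignored.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: wbsys.dll e1.dll winmfaul.dll diagdss.dll statdss.dll
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O20 - Winlogon Notify: dssconf - C:\WINDOWS\SYSTEM32\cfgdss.dll
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: uxthwmer - C:\WINDOWS\
O20 - Winlogon Notify: WBSrv - C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumption for this example: the analyst has already attributed these DLLs to
# software visible elsewhere in the log (Stardock Object Desktop components and
# Microsoft's WgaLogon). Anything else on an O20 line is listed so it can be run
# through a multi-engine scanner, which is what the reply asks the poster to do.
VETTED = {"wbsys.dll", "mcpstub.dll", "wbsrv.dll", "wgalogon.dll"}

APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify:\s*(?P<key>.+?)\s+-\s+(?P<path>.*)$")

@dataclass(frozen=True)
class Finding:
    source: str  # "AppInit_DLLs" or "Winlogon Notify"
    key: str     # registry value name (AppInit) or Notify subkey name
    path: str    # DLL name or path exactly as HijackThis logged it
    reason: str

def parse_o20(log):
    """Yield (source, key, path) for every O20 entry; other lines are skipped."""
    for raw in log.splitlines():
        line = raw.strip()
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is one space-separated value; every name in it is loaded
            # into each process that maps user32.dll, so a single rogue entry
            # reaches practically every GUI program on the machine.
            for dll in m.group("dlls").split():
                yield "AppInit_DLLs", "AppInit_DLLs", dll
            continue
        m = NOTIFY_RE.match(line)
        if m:
            yield "Winlogon Notify", m.group("key"), m.group("path").strip()

def triage_o20(log, vetted):
    """Return the O20 loaders the analyst still has to account for."""
    known = {v.lower() for v in vetted}
    findings = []
    for source, key, path in parse_o20(log):
        name = path.rsplit("\\", 1)[-1].lower()  # drop any directory part
        if not name.endswith(".dll"):
            findings.append(Finding(source, key, path, "entry does not name a DLL file"))
        elif name not in known:
            findings.append(Finding(source, key, path, "DLL not attributed to installed software"))
    return findings

if __name__ == "__main__":
    for f in triage_o20(SAMPLE_LOG, VETTED):
        print(f"{f.source:15} {f.key:10} {f.path:55} {f.reason}")
```

Run on the excerpt it lists the four AppInit_DLLs names TeMerc asked about, the two unattributed system32 Notify DLLs, and the uxthwmer entry whose DllName is a bare directory.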

  4. 2006/11/06
    DWFII

    DWFII Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    55
    Likes Received:
    0
    TeMerc,

    Only e1.dll was found on my system.

    From http://viruscan.jotti.org:

    File: e1.dll
    Status:
    INFECTED/MALWARE
    MD5 4ef8376b9cdb3c1f03a209c35423d2a8
    Packers detected:

    Scanner results
    AntiVir Found Worm/Stration.Gen
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    Dr.Web Found Win32.HLLM.Limar.based
    F-Prot Antivirus Found W32/KillAV.gen1
    Fortinet Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    VirusBuster Found Trojan.Opnis.Gen.13
    VBA32 Found MalwareScope.Worm.Warezov.1

    ===============================

    MWAV would not DL in anything less than 2 hours and counting. I have a fast dsl system and I was getting 1.5kps using CuteFTP and .35kps using Mozilla. I passed on that one.

    ====================================

    Trend Micro found:

    Worm_Strat.dr
    Spyware_trak_msnmonitor
    Adware_fasterxp
    Tspy_analogxproxy

    It got rid of everything but the worm. I guess I will try to remove it manually, but when I went to print out the results I couldn't get it to print. So I rebooted and am running Trend Micro again. Although it seems to be hung now...no activity on the modem nor at the bottom of the screen.

    Thanks for your help, interest and ongoing attention.
     
  5. 2006/11/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Here is another option for you to try, another scanner.

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    Double-click the drweb-cureit.exe file and allow it to run the express scan.
    This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    Once the short scan has finished, mark the drives that you want to scan.
    Select all drives. A red dot shows which drives have been chosen.
    Click the green arrow at the right, and the scan will start.
    Click 'Yes to all' if it asks if you want to cure/move the file.
    When the scan has finished, look if you can click next icon next to the files found: (IMG:http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif)
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    (IMG:http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif)
    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
    After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    Save the report to your desktop. The report will be called DrWeb.csv
    Close Dr.Web Cureit.
    Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.
     
  6. 2006/11/08
    DWFII

    DWFII Inactive Thread Starter

    Joined:
    2002/02/04
    Messages:
    55
    Likes Received:
    0
    TeMerc,

    thank you for your help. Here's what ended up happening.

    Somewhere, somehow, something caused many of my windows files to become corrupt--to the point where I was having real problems with the computer crashing. I decided to try to eliminate all viruses and trojans and spyware and then repair my windows installation. With the help of Trend Micro and the other programs you recommended I managed to get to a state where no malware nor viruses were detected. I then began the repair. It was a struggle. I ended up having to load chipset drivers and repair from the repair console. But I finally got it done.

    The minute I got back up and running, I noticed the lights flashing on my modem like crazy--one of the issues that made me suspect problems in the first place. Then I got your last post. I DL'd Dr Web and ran the quick scan and it found five instances of the win32/hllm.limar virus--an alias for the stration worm I believe.

    I cured those viruses and then contacted the people that provide dsl service and the dsl modem. I asked if the modem itself could have become infected and was told "YES." I ended up doing a firmware upgrade on the modem and despite assurances that there was indeed a hardware firewall (and I was running Windows firewall) I DL'd and purchased Zone Alarm pro.

    Since setting that up, I have scanned for malware and viruses and I am clean and...

    My modem lights don't blink furiously anymore unless I am deliberately DL'ing something.

    I think I am OK now and I post all this both to thank you and to alert others who might be in a similar situation. Bottom line is that I relied on the hardware firewall and windows firewall and neither are good enough.

    Thanks again.
     
  7. 2006/11/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Glad you were able to get things sorted out.

    One thing I may point out though, regardless of any firewall, hardware or software, those worms propagate and spread when people open emails from unknown sources.

    Yes, a good fw such as ZA would have alerted you sooner to any outgoing information, but opening an email is likely how you got infected. So your best line of defense is to simply not open any email which you are not 100% sure of the source.

    Btw, I'd also be sure and change all your passwords with any financial institutions you do business with online. I'd also alert said institutions to be on the look out for any unusual activities on your accounts.

    Below we'll also add our recommendations for other security applications.


    Empty the TIF (Temporary Internet Files)
    Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
    The app below will help with temp files.
    Index.dat Suite

    Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

    Here is a link which describes how security apps work with WIN XP machines.
    XP User Accts Security Apps Operation

    To further prevent the installation of ad/mal/spyware, DL the apps below, which are just as good in the fight against ad/mal/spyware as AdAware & Spybot S&D:

    SpywareBlaster
    With SpywareBlaster v3.5.1, just DL, install and check for updates, enable Internet Explorer protection, and you're done! I don't recommend using IE restricted sites protection as it's not a very large database. Use IE-SPYADs below.

    To prevent known malware-infested sites from loading in IE, install IESPY ADS.
    And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    And to prevent unknown applications from being inserted to start up on your machine install WinPatrol v10.0.5.

    Another thing I would suggest, is to install SiteAdvisor. It gives sites a few different 'ratings' and while not fool proof, a good additional layer of information about many sites.

    Links for tutorials for all the apps I mentioned can be found on my site as well.

    Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

    And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
    Calendar of Updates

    Subscribe to update alerts for all the above security apps here.

    You can also see my own ongoing security testing with all the above apps, proving how safe you can be with them installed.
    TeMerc Test Box Forum

    Happy surfing!!
    Tom :D
     
