Hi ThePaper88,
Welcome to Tech Support Forum!
I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.
OK, let’s do this first.
Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: Hgni_BHO - {888826A1-3C63-4687-8696-482FDBB129DF} - C:\WINDOWS\system32\hgni_ecol.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe
Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".
Then please exit HijackThis.
NEXT:
Please download OTMoveIt by OldTimer:
- Save it to your desktop.
- Please double-click OTMoveIt.exe to run it.
- Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\windows\system32\uvnx.exe
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\system32\hgni_ecol.dll
C:\WINDOWS\system32\msnhlp32.dll
- Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
- Click the red MoveIt! button.
- Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
- Close OTMoveIt.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.
NEXT:
Please go to: VirusTotal
- At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to the following file:
C:\WINDOWS\system32\tmrsrv32.exe
- Click "Open".
- Then click the "Send" button at the top of the VirusTotal page.
- This will scan the file. Please be patient.
- Once scanned, copy and paste the results in your next reply together with a new HijackThis log.
Then please do the same as above for the following files:
C:\WINDOWS\system32\idleserv.exe
NEXT:
Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.
Please download CCleaner (freeware) and save it to your desktop:
- Run the CCleaner installer.
- During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
- Once installed, run CCleaner and click the Windows tab.
- Select the following:
- Check everything under the Internet Explorer section.
- Check everything under the Windows Explorer section.
- Check everything under the System section.
- Check ONLY Old Prefetch data under the Advanced section.
- Then, click the Applications tab:
- UNCHECK everything there.
- Next, click the Options button, then click the Advanced button:
- UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
- Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.
NEXT:
Please download ComboFix by sUBs:
NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
- Save it to your desktop.
- Double-click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
NEXT:
Please do an online scan with Panda ActiveScan:
- Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
- A new window will open... click the "Check Now" button.
- Enter your Country.
- Enter your State/Province.
- Enter your e-mail address.
- Select either Home User or Company.
- Click the big "Free Online Scan" button.
- If it wants to install an ActiveX component allow it.
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
- When the download is complete, click on "Local Disks" to start the scan.
- When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.
NEXT:
Please do an online scan with Kaspersky Online Scanner:
- Click on Kaspersky Online Scanner.
- You will be prompted to install an ActiveX component from Kaspersky, click Yes.
- The program will launch and then begin downloading the latest definition files.
- Once the files have been downloaded click on Next.
- Now click on Scan Settings.
- In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database: Extended
- Scan Options: Scan Archives, Scan Mail Bases
- Click OK.
- Now under select a target to scan:
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected.
- Now click on the Save Report As button.
- In the File name: field, type kavscan.
- In the Save as type: field, select Text file (*.txt).
- Save the file to your desktop.
- Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.
NEXT:
Please REBOOT your computer normally into Windows and post these logs in your next reply:
- The results report from OTMoveIt.
- The reports from VirusTotal.
- The log from the ComboFix scan.
- The log from the Panda scan.
- The log from the Kaspersky scan.
- A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).
Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
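
Added example (not part of the original post, and not code from HijackThis or OTMoveIt): a small parser for the O2/O4 line format shown in the entries above, which separates registry-only "(no file)" leftovers from entries that still name a file and compares those files with the list given to OTMoveIt. The function names are hypothetical; the sample lines and paths are copied from the post.

```python
import re

# Formats of the O2 (Browser Helper Object) and O4 (Run key) lines quoted in the post.
# Function names below are hypothetical, chosen for this example.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<target>.+)$")

def parse_entry(line):
    """Return a dict for one O2/O4 line, or None for any other line."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        orphaned = m.group("target") == "(no file)"  # registry key left, DLL gone
        return {"section": "O2", "id": m.group("clsid").upper(),
                "path": None if orphaned else m.group("target")}
    m = O4_RE.match(line)
    if m:  # target may carry arguments in other logs; the post's entry has none
        return {"section": "O4", "id": m.group("name"), "path": m.group("target")}
    return None

def triage(log_text):
    """Split entries into registry-only leftovers and files still referenced on disk."""
    orphaned, files = [], set()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        if entry["path"] is None:
            orphaned.append(entry["id"])
        else:
            files.add(entry["path"].lower())  # Windows paths are case-insensitive
    return orphaned, files

def cross_check(files, move_list):
    """Return (files named by entries but not listed, listed files with no entry)."""
    listed = {p.strip().lower() for p in move_list if p.strip()}
    return sorted(files - listed), sorted(listed - files)

# Sample lines and paths copied from the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Hgni_BHO - {888826A1-3C63-4687-8696-482FDBB129DF} - C:\WINDOWS\system32\hgni_ecol.dll
O2 - BHO: msnhlp32.msn_hlp - {EEFBE5D6-FEFF-4CB4-AA26-6A464090CB89} - C:\WINDOWS\system32\msnhlp32.dll
O4 - HKLM\..\Run: [uvnx] c:\windows\system32\uvnx.exe
"""
MOVE_LIST = [r"C:\windows\system32\uvnx.exe", r"C:\WINDOWS\sysrlb32.exe",
             r"C:\WINDOWS\system32\hgni_ecol.dll", r"C:\WINDOWS\system32\msnhlp32.dll"]

if __name__ == "__main__":
    orphaned, files = triage(SAMPLE_LOG)
    print(orphaned, cross_check(files, MOVE_LIST))
```

On the post's own data, every file named by a checked entry is in the OTMoveIt list, and C:\WINDOWS\sysrlb32.exe is in that list without a matching O2/O4 line among the checked entries.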