Resolved HJT Threads (resolved spyware and popup issues)

#1
Registered User
Join Date: Oct 2005
Location: Montreal, Quebec, Canada
Posts: 4
OS: Win XP Pro

Dial/Egroup.L
Hi,

I am trying to correct an issue in a friend's computer and I am stumped for the first time! When the computer boots, the FortiClient anti-virus detects a Dial/Egroup.L virus in several folders. Internet does not work; the network has limited or no connection according to Windows. The OS is Win XP Pro SP2 and when booting in Safe Mode, Internet is fine and there are no instances of the virus. Please help, here is the HijackThis log.

Edit: Ad-Aware SE does not fix this. Panda online scan sees nothing, Trend online scan sees nothing, Trend Anti-Spyware fixes nothing.

Logfile of HijackThis v1.99.1
Scan saved at 9:46:09 PM, on 12-Oct-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\rmon.exe
C:\Program Files\Fortinet\FortiClient\fmon.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Fortinet\FortiClient\fortiwf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Download\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.academie.ste-therese.com/...display&pid=12
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FortiClient] "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" /minimize
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/08ee5fe9...dxIE601_fr.cab
O16 - DPF: {68A2C3BD-7809-11D3-8ACF-0050046F2F9A} (AXELPlayer Class) - http://www.mindavenue.com/Downloads/...erAX_Win32.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Edit: Sorry for posting in the wrong area before... bad newbie.

Last edited by Xerses; 10-12-2005 at 08:07 PM.
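A small parser for the HijackThis log format posted above, added here as an example; it is not part of the original post and not HijackThis code. It assumes the 1.99.x line layout (`O4 - HKLM\..\Run: [name] path`, `O23 - Service: name - vendor - path`, and so on), takes a constructed excerpt in that layout as input (the `[updater]` O4 line is made up to show what the location heuristic catches; the other lines mirror the posted log), and its `TRUSTED_ROOTS` tuple is a demo assumption, not an authoritative allowlist.

```python
"""Parse a HijackThis 1.99 log and pick out the entries worth a second look.

Added example for this thread; not part of HijackThis or of the original post.
SAMPLE_LOG is a constructed excerpt in the same line format as the log above
(the "[updater]" O4 line is made up to show what the heuristics catch; the
other lines mirror the posted log). TRUSTED_ROOTS is a demo assumption, not an
authoritative allowlist.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [FortiClient] "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" /minimize
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O10 - Unknown file in Winsock LSP: c:\program files\fortinet\forticlient\fortilsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Fortinet Service Scheduler (FA_Scheduler) - Fortinet Inc. - C:\Program Files\Fortinet\FortiClient\scheduler.exe
"""

# Every HijackThis finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path ending in an executable or library extension, quoted or not.
PATH_RE = re.compile(r'(?P<path>[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|ocx|scr|cpl|sys))', re.IGNORECASE)

# Assumption for the demo: binaries under these roots are not flagged on location alone.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")


@dataclass
class Entry:
    section: str         # HijackThis section code: O2 BHO, O4 autorun, O10 LSP, O16 DPF, O23 service
    body: str            # the text after "<section> - "
    path: Optional[str]  # first on-disk binary the entry names, if any


def parse_hjt(text: str) -> list:
    """Turn the finding lines of a log into Entry records; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        p = PATH_RE.search(body)
        entries.append(Entry(m.group("section"), body, p.group("path") if p else None))
    return entries


def section_counts(entries) -> dict:
    """How many findings each section produced, e.g. {'O4': 4, 'O10': 1}."""
    return dict(Counter(e.section for e in entries))


def flag(entries) -> list:
    """Return (entry, reason) pairs for the entries a reviewer should look at first."""
    findings = []
    for e in entries:
        if e.section == "O10":
            findings.append((e, "Winsock LSP not on HijackThis's known-good list; an LSP sits in the path of every Winsock call"))
        elif e.section == "O16":
            findings.append((e, "ActiveX control installed from the web; confirm the CODEBASE host is the vendor's"))
        elif e.section in ("O4", "O23") and e.path and not e.path.lower().startswith(TRUSTED_ROOTS):
            findings.append((e, "autorun or service binary outside the Windows and Program Files trees"))
    return findings


if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("entries per section:", section_counts(entries))
    for entry, reason in flag(entries):
        print(f"{entry.section}: {reason}\n    {entry.body}")
```

Run on the posted log instead of the sample, the location heuristic finds nothing outside the trusted roots; what remains are the four O10 entries for the FortiClient LSP and the O16 download entries, which is the set a reviewer would then check by vendor and host before reading anything more into the detection.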
#2
Registered User
Join Date: Oct 2005
Location: Montreal, Quebec, Canada
Posts: 4
OS: Win XP Pro

Update:

I have pulled the infected hard drive and stuck it into my second computer. I ran a full virus scan on this drive with Fortinet FortiClient and it saw no virus, even though when the infected drive boots, the same AV indicates a virus (Dial/Egroup.L). I downloaded and installed AVG Free just for kicks. Turned off the FortiClient AV, scanned the infected drive with AVG and still no virus is detected!!! I am lost on this one. Here is the StartupList log.

StartupList report, 12-Oct-05, 9:32:53 PM
StartupList version: 1.52
Started from : C:\Download\StartupList.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Fortinet\FortiClient\scheduler.exe
C:\Program Files\Fortinet\FortiClient\rmon.exe
C:\Program Files\Fortinet\FortiClient\fmon.exe
C:\Program Files\Fortinet\FortiClient\FortiTray.exe
C:\Program Files\Fortinet\FortiClient\fortiwf.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Download\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Acrobat Speed Launcher.lnk = ?
Image Transfer.lnk = ?
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

--------------------------------------------------

Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
Acrobat Assistant 7.0 = "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
ezShieldProtector for Px = C:\WINDOWS\system32\ezSP_Px.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
FortiClient = "C:\Program Files\Fortinet\FortiClient\FortiClient.exe" /minimize

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssstars.scr
drivers=*Registry value not found*

Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}

--------------------------------------------------

Enumerating Task Scheduler jobs:
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan60.ocx
CODEBASE = http://housecall60.trendmicro.com/housecall/xscan60.cab

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://fpdownload.macromedia.com/get...irector/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/downlo...?1083851679164

[ICSScannerLight Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ICSScannerLight.dll
CODEBASE = http://download.zonelabs.com/bin/free/cm/ICSCM.cab

[CR64Loader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\retro64_loader.dll
CODEBASE = http://www.miniclip.com/bestfriends/retro64_loader.dll

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeup...ntent/opuc.cab

[RdxIE Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\RdxIE.dll
CODEBASE = http://software-dl.real.com/08ee5fe9...dxIE601_fr.cab

[AXELPlayer Class]
InProcServer32 = C:\WINDOWS\System32\MindAvenue\AXELPlayer\AXELPlayer15109.dll
CODEBASE = http://www.mindavenue.com/Downloads/...erAX_Win32.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.co...928.7586689815

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:
Protocol #1: C:\Program Files\Fortinet\FortiClient\fortilsp.dll
Protocol #2: C:\Program Files\Fortinet\FortiClient\fortilsp.dll
Protocol #3: C:\Program Files\Fortinet\FortiClient\fortilsp.dll
Protocol #15: C:\Program Files\Fortinet\FortiClient\fortilsp.dll

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 6,774 bytes
Report generated in 0.062 seconds

The Wind follows you, the Trees watch you, the Earth feels your every step... there is no escape from a Druid.

#3
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A

Please show me the exact message as displayed by Fortinet regarding the infection.

Question - what have you done for the community today?

#4
Registered User
Join Date: Oct 2005
Location: Montreal, Quebec, Canada
Posts: 4
OS: Win XP Pro

Image of Error
Hi,
Here is a screen shot of Windows once it has finished loading.
#5
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A

The files that Fortinet reported look like legitimate files. I suspect that Fortinet may be giving you false positives. Let's do this...

For every file that appeared in Fortinet's virus alert box (as in the pic), go to this website - http://virusscan.jotti.org - submit the files for a comprehensive scan and then post the results back here.
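The moderator's advice above amounts to getting a second opinion on each flagged file. The following added example (not code from the thread, from Fortinet or from Jotti) shows the offline check a practitioner would run alongside it: hash each flagged file and compare it with the same file from an install you trust, which the poster already had in the form of the second PC and the other machines running the same product. The file names, contents and temporary directories are constructed for the demo, and the verdict labels (`MATCHES_REFERENCE`, `DIFFERS`, `UNKNOWN`) are names chosen here.

```python
"""Triage AV detections by comparing each flagged file with a trusted copy.

Added example for this thread; not code from the original posts, from Fortinet
or from Jotti. It assumes the flagged files are readable (for instance from the
pulled drive mounted on a second PC) and that the same files exist on an install
you trust. File names and contents below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large binaries are not read whole

MATCHES_REFERENCE = "MATCHES_REFERENCE"  # byte-identical to the trusted copy
DIFFERS = "DIFFERS"                      # same path, different bytes
UNKNOWN = "UNKNOWN"                      # no trusted copy to compare against


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory blob, for small files and for tests."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of a file on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path, names) -> dict:
    """Map case-folded file name -> sha256 for the named files under root.

    Names are folded to lower case because Windows paths are case-insensitive,
    so 'FortiLSP.dll' on one box and 'fortilsp.dll' on the other are one file.
    """
    return {n.lower(): sha256_file(root / n) for n in names}


def triage(flagged: dict, reference: dict) -> dict:
    """Return name -> verdict for every flagged file.

    A file byte-identical to the trusted copy is the strongest evidence for a
    false positive. A file that differs at the same path, or has no trusted
    counterpart, is exactly the one to upload for a multi-engine scan.
    """
    verdicts = {}
    for name, digest in flagged.items():
        ref = reference.get(name)
        if ref is None:
            verdicts[name] = UNKNOWN
        elif ref == digest:
            verdicts[name] = MATCHES_REFERENCE
        else:
            verdicts[name] = DIFFERS
    return verdicts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        suspect, clean = Path(tmp, "suspect"), Path(tmp, "clean")
        suspect.mkdir()
        clean.mkdir()
        # Constructed stand-ins for the flagged binaries (not real file contents).
        (suspect / "fortilsp.dll").write_bytes(b"LSP build 1")
        (clean / "fortilsp.dll").write_bytes(b"LSP build 1")        # identical
        (suspect / "fmon.exe").write_bytes(b"FMON build 1 modified")
        (clean / "fmon.exe").write_bytes(b"FMON build 1")           # differs
        (suspect / "extra.dll").write_bytes(b"no trusted copy")     # unknown
        names = ["fortilsp.dll", "fmon.exe", "extra.dll"]
        flagged = manifest(suspect, names)
        trusted = manifest(clean, names[:2])
        for name, verdict in triage(flagged, trusted).items():
            print(f"{verdict:18} {name}  sha256={flagged[name]}")
```

The hashes in the manifest are also what to record and search for rather than uploading the binaries themselves; if every flagged file comes back `MATCHES_REFERENCE` against a box that the same engine does not complain about, the detection is a property of the engine's state on that machine, not of the files.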
#6
Registered User
Join Date: Oct 2005
Location: Montreal, Quebec, Canada
Posts: 4
OS: Win XP Pro

Solution to issue
Hi again,
The Jotti site shows no infections. It seems as though the solution was as simple as a bugged-out Fortinet FortiClient AV. I uninstalled it and everything has returned to normal. The reason I am confused about this one is because I have this AV installed on 5 or 6 PCs and there are 2 that went buggy, with the exact same problem. The last step will be to complete all Windows updates, defrag and reinstall the AV. Curiously enough, both computers with this issue are on the same contract which I bought from Fortinet: 2 different activation keys, but bought on the same license. So now I have to see what happens with the reinstall. I will keep you posted. Thanks for your help.