[ymmas]

It seems I've this computer has been infected with this ->WIN32:Trojan-gen {UPX!}<- virus. I've successfully deleted a few of the files, but there 8 files that I cannot get rid of. These are the files:

c:\windows\system\iijouqg.tsd
c:\windows\system\dupmqfw.adr
c:\windows\system\pwdly.jkg
c:\windows\system\jjij.uyb
c:\windows\system\winsrv32.exe
c:\windows\system\s7captur.dll
c:\windows\system\icqpwsteal.dll
c:\windows\system\s7advanced.dll

These pesky files will not delete and I cannot figure out how to get rid of them. Any help would be appreciated.

Thanks,
Sammy

 

[Flrman1]

Boot to safe mode and delete them.

How to start your computer in safe mode.

Also please do this. Click here to download Hijack This. Click on the Hijackthis.exe.

Click the "Scan" button when the scan is finished the scan button will become "Save Log" click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.

DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.

*Note: When you download Hijack This Do Not download it to a temp folder or to the desktop. Create a permanent folder somewhere like in My Documents and name it Hijack This and put it in that folder.

 

[ymmas]

Okay, thanks. I got those pesky files deleted. Here's my Hijack This log:

Logfile of HijackThis v1.97.7
Scan saved at 9:58:12 PM, on 3/22/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVSYNMGR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\ATIPTAAA.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\POINT32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
C:\WINDOWS\SYSTEM\3CMLNKW.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\SCANJET\PRECISIONSCANLT\HPPWRSAV.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\AVCONSOL.EXE
C:\PROGRAM FILES\HP DESKJET 810C SERIES\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.chickendance.tk/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [ATIGART] c:\ati\gart\atigart.exe
O4 - HKLM\..\Run: [AtiPTA] Atiptaaa.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe
O4 - HKLM\..\Run: [TIPS] C:\PROGRA~1\MICROS~1\tips\mouse\tips.exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MICROS~1\point32.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [3Cmlink] C:\WINDOWS\SYSTEM\3cmlnkW.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2)(1)(1).exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe
O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
O4 - HKLM\..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 810C Series\ereg\Remind32.exe
O4 - Startup: .lnk = C:\My Documents\Messenger Service Received Files\PIC OF ME(1)(1)(1)(1)(1).exe
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .swf: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npswf32.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .aif: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .BMP: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38065.8764467593
O16 - DPF: ChatSpace Java Client 2.1.0.113 - http://www.forceacademy.com:8563/Java/cs4ms0113.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab

Am I clear? Or do I need to do something else?

Thank you very much,
Sammy

 

[Nok1]

O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2)(1)(1).exe

Thats an odd entry.. Unless you know what this is, it looks like you have a trojan...

 

[ymmas]

Okay, sooo... if it is a Trojan, then what do I do? How do I know if it's a Trojan?

 

[Nok1]

http://www.kaspersky.com/remoteviruschk.html

Click on that link, and browse to the file and submit it. Post back results.

 

[ymmas]

Here are the results:

Not found

Phrase to find: "C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2)(1)(1).exe"
Found: 0

 

[Nok1]

Hm. odd.. Flrman has more experience with this than me, he'll help you further.

Flrman:
Does that mean that the file cannot be found?

 

[ymmas]

Okay. Thanks

 

[Flrman1]

Run Hijack This again and put a check by these. Close all windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2)(1)(1).exe

Restart to safe mode and delete:

The C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(2)(1)(1).exe file

How to start your computer in safe mode.