TechSpot

virus attack on my computer - hjt log

By chipopo
Aug 22, 2007
Topic Status:
Not open for further replies.
  1. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    All items in your AVG Antispyware log say "No Action Taken". This is because you need to tell AVG Antispyware to quarantine its results. See HERE.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Windows System Update Tools
    Auto File System Conversion Utility
    Windows Logon Application

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    scricon.exe
    logon.exe
    upds.exe
    hlamavdc.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe

    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe

    O4 - HKLM\..\Run: [Windows System Update Tools] upds.exe

    O4 - HKLM\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe

    O4 - HKLM\..\RunServices: [Windows System Update Tools] upds.exe

    O4 - HKLM\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe

    O4 - HKCU\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe

    O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe

    O4 - HKUS\S-1-5-18\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'SYSTEM')

    O4 - HKUS\S-1-5-18\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'SYSTEM')

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\system32\scricon.exe
    C:\WINDOWS\system32\hlamavdc.exe
    C:\WINDOWS\System32\wbem\scricon.exe
    C:\WINDOWS\System32\logon.exe
    C:\WINDOWS\System32\upds.exe

    Also, search your system for upds.exe and delete all instances found.

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT, Combofix and AVG Antispyware logs from normal mode.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  2. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    None of the mentioned services were there.
    None of the processes were found.
    All of the HJT files were found and fixed.
    These two files -
    C:\WINDOWS\System32\logon.exe
    C:\WINDOWS\System32\upds.exe -
    were not found. The rest got deleted.
    Found only one UPDS.EXE-3739ce40.pf - I deleted it.

    Oh ****! I just noticed that you keep writing any bold files - I'm pretty sure I deleted some blurred ones.
    Is that so bad? Is there something to do?
  3. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I simply put the files I want you to delete in bold type, so there can't be any confusion lol.

    Your AVG Antispyware log still says "No Action Taken" for all items.

    You really do need to follow the instructions HERE for using AVG Antispyware.

    The rest of your logs are now clean.

    Run a fresh AVG Antispyware scan after following the instructions and post the log. Please note: If all items say "Ignored" or "No Action Taken", you'll need to run it again until you get it right.

    Regards Howard :)
  4. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I need to go

    That really was funny, wasn't it... :eek:
    I think I did run the scan correctly but I'll try it again anyhow. Only, I will only be able to continue this 24 hours from now because I need to go offline right now.
    Meanwhile I'm attaching some update message I keep getting, and the last time when I finally decided to click on update I got the shutdown message.
    About the AVG report, I know it says no action taken but I did what the guide said step by step (btw I did it correctly all along). I have no idea what's going on there.
    See ya in 24.
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    dvdupgrd.exe

    Close task manager.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\System32\dvdupgrd.exe

    Reboot your system and rehide your protected OS files.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  6. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Hi Howard,
    I killed the process and rebooted but it's still there. For some reason it shows on msconfig > startup - should I uncheck it from there too?
    What about the rest of the problems, do you think they're gone? Startup is still taking a long time...

    OK, now I'm pretty sure it's not over yet. I tried opening Outlook Express and got an error message that another instance of it is running (there wasn't), tried again and nothing happened.
    Got the NOD32 warning again (a.bat) and also a new one -

    File: C:\system32\TFTP374
    Threat: a variant of Win32/Rbot trojan
    Comment: Event occured on a new file created by the application: C:\WINDOWS\system32\tftp.exe. The file was moved to quarantine. You may close this window. Please submit the file to ESET for analysis.

    It's definitely still here.
    The PC froze just now so I had to restart it. Twice.
    And I keep on getting those warnings from my AV.

    I didn't have patience so I unchecked it from startup but guess what? The window popped up again.

    The two lines missing on the bottom of the attachment are:
    microsoft office c:\progra~micr... common startup
    DVDUpgrd DVDUpgrd.exe /async SOFTWARE\Microsoft\CurrentVersion\Run

    And that's what I see when I click on 'for more details'.
    Besides that everything is the same, including that annoying dvd upgrade window.
  7. rahul_intlad

    rahul_intlad TS Rookie

    Have you corrected this? Could you post the anti-spyware log again?
  8. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I don't know why the log says that. I did everything just like it was written in the guide. But I'll try it again anyway.

    Here's the report.
  9. rahul_intlad

    rahul_intlad TS Rookie

    This time round the anti-spyware did its job. You may want to have a look at this.

    Did not see any firewall in your HJT logs. Are you not running a firewall?
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I'm seriously thinking it might be time to consider a format, as every time we kill the nasties, they just keep coming back.

    What is the state of your system at present?

    Post fresh log files if you want.

    Regards Howard :)
  11. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I'm afraid you're right

    I was gone because rahul was right and I didn't have a firewall installed. So I installed Zone Alarm and from that point I just couldn't stay in Windows for more than a few seconds after the system started up. What was more problematic as far as I'm concerned is that as soon as I connected to the net the whole computer froze so I couldn't get help here or anywhere else.
    After a few tries, and after I removed ZA from startup and also ran a few scans with some programmes, I tried logging on with Windows again but the problem remained.
    So now I'm writing from a different computer and I also think of formatting. Is there any guide here for doing this right so I wouldn't have the same problems again (after all the computer was just formatted)? Is there also a guide that tells what I should do in order not to lose important things when I reinstall - such as mail and contact lists? I would appreciate it if someone could post an answer soon because I won't be near this computer for more than a few hours.
    Howard, thanks for all your time and help - I really appreciate it.
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Follow the instructions below for what should be a trouble free reformat and reinstallation.

    You need to do the following.

    Disconnect from the net and don't reconnect until you have your firewall software installed.

    1 Restart your computer and go to setup, usually by pressing the F2 or delete key.

    2 Once you get into setup, look for the boot menu and make sure you set it to boot from CD first, followed by your hard drive.

    3 Put the Windows XP disk into your CD drive.

    4 Now save your settings and exit setup.

    5 While your computer is booting you will see a message that says "press any key to boot from cd". Press any key.

    6 When the welcome to setup screen appears, press enter and then press F8 to accept the Microsoft licence agreement.

    7 You will be prompted to repair an installation; press the escape key.

    8 Now select the partition that you want to reformat and press the D key to delete it. You will be asked to confirm that you want to delete the partition.

    9 Now press C to create a brand new partition. You will be asked what size you want the partition to be in megabytes. If you just press enter then the partition will be the maximum size that you can have. This is perfectly OK if you don't want to create multiple partitions.

    10 You will now be asked to format the partition. Select the NTFS file system and do a full format.

    11 Once the format is complete setup will continue.

    Your computer will restart during the remaining setup. Again you will be asked to press any key to boot from cd. DO NOT PRESS ANYTHING and setup will continue. Once the setup is complete and you are back in Windows, remove the Windows CD from your CD drive.

    Install your firewall software and reconnect to the net. Install whatever drivers you need, then run Windows updates.

    Finally, install whatever programmes/software you want.

    Regards Howard :)
  13. rahul_intlad

    rahul_intlad TS Rookie

    Do update us on your system. Sorry the firewall thing led to a disaster, but remember: always use firewall + antispyware + antivirus + latest updates [including Windows] and you can avoid most problems.
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    I should've said that ZoneAlarm can cause serious problems, such as chipopo described, on some systems/configurations.

    The alternative is to try another firewall programme, such as below.

    Kerio or Comodo free firewall programmes.

    Regards Howard :)
  15. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I'm still alive

    Believe it or not guys, I'm writing now from my computer and only now I saw your posts.
    When I got home I tried to start Windows and connect to the net so I could see if you responded, but of course the machine completely froze even before I got the connection window opened.
    So I decided to try another repair installation, which I just finished doing, and guess what? At least for the past five minutes everything is fine (except that annoying dvd update window).
    I do need to say that for some reason Avant Browser wouldn't let me open any web page so I'm using Internet Explorer now.
    Now about this installation thing, I didn't exactly understand: is this a regular procedure of formatting and installing, or will I be able to keep all of my files safe? What about contacts and e-mails - should I have them backed up?
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Formatting will wipe your hard drive and therefore you should back up any important data beforehand.

    Regards Howard :)
  17. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Since the computer works much better now (as far as I can see there's only that update window and the slow startup), I'm going through all the steps written here again. Maybe this time we'll try to fix it.

    Oops, I didn't see your post. Do you think it's useless to try again? If so, tell me and I won't waste my time.

    Howard, are you there? This online scanner - Trend Micro - found a whole lot of vulnerabilities on my PC. How can I show you the report? Can you guide me what to do?

    I installed Comodo firewall.
    Every time I restart the computer I get requests for mdm.exe, upds.exe, and NSecurity.exe to connect to the net. I denied the request. In the logs it can be seen that these 3 keep trying all the time to access.
    Did I act correctly?

    Hello again.
    I just finished the online scanning and cleaning. I got a message that it can't fix some of the problems; here's information about the two files:
    1. BKDR_VANBOT.HM - the filename is C:/WINDOWS/system32/upds.exe
    2. WORM_SDBOT.FOZ - the filename is C:/WINDOWS/system32/mdm.exe
    The reason given was: "the current pattern does not support cleanup".
    What should I do? Delete them manually?

    I just followed the instructions and for the past few hours I'm downloading and installing patches for Windows. There's only a problem with updates for Outlook Express (says that it's not installed) but I'm leaving that to the end - I'm not even past half...

    What used to be the dvd upgrade window looks now like this (I think this is it). It's still annoying but for some reason, a bit less.
  18. rahul_intlad

    rahul_intlad TS Rookie

    You need to find the source of this malware on your post-format system. Did you get the back-up data scanned as well?

    Wait till Howard has his say, but somehow I get a feeling that your system is not clean yet; meanwhile try repeating http://www.techspot.com/vb/post490806-30.html
  19. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    I think you missed it (or maybe I didn't say it clearly) but I didn't format. I'm trying to avoid that action as it causes too much trouble for me afterwards getting all my programs back.
    Where is Howard anyway? I hope he didn't give up on me...

    Meanwhile I finished this online scan and everything but those two files I mentioned earlier was taken care of. They just won't get deleted (via that programme anyway).

    I also did what you said, rahul, and this time I found the dvdupgrd.exe file (though not the process) and deleted it. Now I'll restart and see what's new and continue with the rest of the steps on the guide.
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Sorry chipopo, I've been extremely busy.

    Try the following.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    upds.exe
    mdm.exe

    Close task manager.

    Click start/run and type regedit into the run box and press the enter key. When the window appears maximise it. Click file/export and save a copy of your registry to wherever you want.

    Click edit and choose find. Type upds.exe into the dialogue box and click the find next button. Regedit will now search your registry for any entries that contain a reference to upds.exe and display them in the righthand pane. Right click on any such upds.exe entries and choose delete.

    Now click edit again and choose find next. Again, delete any entries that reference upds.exe.

    Repeat the above, until no more upds.exe entries are found.

    Repeat the above for mdm.exe.

    Then delete the following files.

    C:/WINDOWS/system32/upds.exe
    C:/WINDOWS/system32/mdm.exe

    Reboot into normal mode and rehide your protected OS files.

    Let us know the results and how your system is running.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  21. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Let's move on

    No need to apologize - I'm glad you're back :)
    I'm getting to what you wrote right away, but do you think I need to continue through all the steps on the guide or is it not important anymore?

    OK, mdm and upds taken care of. I deleted all of their registry entries and deleted the files themselves from WINDOWS/system32.
    Do you have any idea what NSecurity.exe is?
    And another thing: it's already two times that I get this 'application error' message.
    As for the rest of things:
    1. Startup is still taking very long.
    2. The computer is a bit slow.
    3. The dvd upgrade window (the new, blank, version) still pops up.
    4. Also check out the Windows components list (partial) - does this make sense?
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You can post fresh HJT and AVG Antispyware logs in your next reply.

    I must warn you that if this doesn't work, I recommend a reformat as the only surefire way of dealing with this.

    Regards Howard :)
  23. chipopo

    chipopo TS Rookie Topic Starter Posts: 62

    Ohhhhhh

    Are you sure we should give up just now? Things were starting to get better...
    Anyway, here are the reports and (bonus) a message I got during the AVG scanning. I deleted the fella.
    Oh, I forgot something, some of my reply is in the previous post (I wrote it before you posted yours).
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Delete all files in AVG Antispyware quarantine.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Auto File System Conversion Utility

    Close the services window.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for the following (if there).

    scricon.exe
    NSecurity.exe

    Close task manager.

    Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

    O4 - HKLM\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe

    O4 - HKCU\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe

    O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{9DD88B08-30A9-4BB0-955F-6D58703CF85E}: NameServer = 192.117.235.235 62.219.186.7 <Only fix this entry if it doesn't belong to your ISP.

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files and/or directories (if there).

    C:\WINDOWS\System32\wbem\scricon.exe
    C:\WINDOWS\System32\NSecurity.exe

    Repeat the regedit steps in my post above for scricon.exe and NSecurity.exe.

    Reboot into normal mode and rehide your protected OS files.

    Post fresh HJT and AVG Antispyware logs.

    Regards Howard :)

    This thread is for the use of chipopo only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
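The fix lists in post #1 and post #24 above are read off HijackThis O4 (autostart) and O17 (nameserver) lines by eye. As an added example that is not part of this thread and not HijackThis code, the following Python script parses those two line formats and re-applies the same checks to a log: it flags the executable names the helpers asked chipopo to remove, bare filenames with no path, RunServices entries, autostarts registered in the SYSTEM hive, and any O17 nameserver that is not on an ISP allowlist. The sample log is the thread's own O4/O17 entries (the O17 line without Howard's inline comment) plus one constructed benign ctfmon entry; the ISP allowlist values are constructed placeholders.

```python
"""Audit HijackThis (HJT) O4 autostart and O17 nameserver log lines.

Added example for this thread; not HijackThis code and not a tool any poster
ran. Sample lines are the thread's own O4/O17 entries plus one constructed
benign entry; the ISP nameserver allowlist is a constructed placeholder.
"""
import re

# Executable names the helpers in this thread asked the poster to remove.
# A per-thread list, not a general malware blocklist.
SUSPECT_EXES = {"gsicon.exe", "logon.exe", "upds.exe", "scricon.exe",
                "hlamavdc.exe", "dvdupgrd.exe", "mdm.exe", "nsecurity.exe"}

# O4 - <hive>\..\<key>: [<name>] <command> [(User '<user>')]
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\"
    r"(?P<key>Run|RunServices|RunOnce|RunServicesOnce): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)"
    r"(?: \(User '(?P<user>[^']*)'\))?$"
)
# O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = <ip> <ip>
O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\CCS\\Services\\Tcpip\\\.\.\\\{[0-9A-Fa-f-]+\}): "
    r"NameServer = (?P<servers>[0-9., ]+)"
)

def exe_name(command):
    """Lower-cased basename of the program an O4 command launches."""
    cmd = command.strip()
    if cmd.startswith('"'):                # quoted path, may contain spaces
        end = cmd.find('"', 1)
        token = cmd[1:end] if end > 0 else cmd[1:]
    else:
        token = cmd.split()[0] if cmd else ""
    return re.split(r"[\\/]", token)[-1].lower()

def parse_o4(line):
    """Dict of hive/key/name/command/user for an O4 line, else None."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None

def parse_o17(line):
    """Dict of key and nameserver list for an O17 line, else None."""
    m = O17_RE.match(line)
    if not m:
        return None
    servers = [s for s in re.split(r"[ ,]+", m.group("servers").strip()) if s]
    return {"key": m.group("key"), "servers": servers}

def audit(lines, isp_nameservers):
    """Map each suspicious log line to the list of reasons it was flagged."""
    findings = {}
    for raw in lines:
        line = raw.strip()
        o4 = parse_o4(line)
        if o4:
            reasons = []
            exe = exe_name(o4["command"])
            if exe in SUSPECT_EXES:
                reasons.append("executable on the thread's removal list: " + exe)
            if not re.match(r'^"?[A-Za-z]:\\', o4["command"].strip()):
                reasons.append("bare filename, no path: resolved via the search path")
            if o4["key"].startswith("RunServices"):
                reasons.append("RunServices autostart key")
            if o4["user"] == "SYSTEM":
                reasons.append("autostart registered in the SYSTEM account's hive")
            if reasons:
                findings[line] = reasons
            continue
        o17 = parse_o17(line)
        if o17:
            rogue = [s for s in o17["servers"] if s not in isp_nameservers]
            if rogue:
                findings[line] = ["DNS server not in ISP allowlist: " + ", ".join(rogue)]
    return findings

# Sample log: the thread's O4/O17 entries plus one constructed benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [Windows System Update Tools] upds.exe
O4 - HKLM\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKLM\..\RunServices: [Windows System Update Tools] upds.exe
O4 - HKLM\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKCU\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKCU\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe
O4 - HKUS\S-1-5-18\..\Run: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunServices: [Auto File System Conversion Utility] C:\WINDOWS\System32\wbem\scricon.exe (User 'SYSTEM')
O4 - HKLM\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
O4 - HKCU\..\Run: [Network Security] C:\WINDOWS\System32\NSecurity.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DD88B08-30A9-4BB0-955F-6D58703CF85E}: NameServer = 192.117.235.235 62.219.186.7
""".strip().splitlines()

# Constructed placeholder: put the DNS servers your ISP actually assigns here.
ISP_NAMESERVERS = {"192.0.2.1", "192.0.2.2"}

if __name__ == "__main__":
    for line, reasons in audit(SAMPLE_LOG, ISP_NAMESERVERS).items():
        print(line + "\n    - " + "\n    - ".join(reasons))
```

Running it prints each flagged line with its reasons; the ctfmon entry is the only sample line that passes. The O17 check is deliberately allowlist-based, matching Howard's caveat that the nameserver entry should only be fixed if it does not belong to the ISP: without knowing the ISP's servers the script cannot decide, so it reports rather than deletes.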
  25. rahul_intlad

    rahul_intlad TS Rookie

    Chipopo, have you performed a full system scan with NOD32 [updated of course] recently? If not, do that as well, because the trojan [in the above post] should have been detected by NOD32 during a scan.