1. TechSpot is dedicated to computer enthusiasts and power users. Ask a question and give support. Join the community here.
    TechSpot is dedicated to computer enthusiasts and power users.
    Ask a question and give support.
    Join the community here, it only takes a minute.
    Dismiss Notice


By RocksOfSteel ยท 5 replies
Mar 2, 2008
  1. Hello Guys,
    I have a very nasty virus. Here's what it did:

    It attacked my AVG and turned it off and does not allow re-installation.
    Turned off my firewall and will not allow it to be turned beck on (Comodo).
    The PC will no longer start in Safe Mode...
    As soon as it sees HijackThis it attacks it (amongst many others) and prevents it from running. It does this by changing one byte near the begining of the file (0x4C changed to 0x00) The result is "This is not a valid win32 application" However by changing the name of HiJackThis_v2.exe to Jack2.exe it did not spot it and allowed it to execute. I've shown the log below.

    I removed the HDD and have checked it on other PC's with the latest anti-virus software, Mcafee, Sophos and AVG. Until today they found nothing but this morning AVG reports finding Downloader.Generic6.AKFS. I can find no info on this not even on the AVG website.

    Please help.

    Many thanks

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 17:02:42, on 28/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Program Launcher\launch.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Program Launcher 95] C:\Program Files\Program Launcher\launch.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\OmniPage15.0\PDFConverter3\IEShellExt.dll /100
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: ntdsbcli32 - ntdsbcli32.dll (file missing)
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
    O23 - Service: Cadence License Manager - Macrovision Corporation - C:\Cadence\license_manager\lmgrd.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: DVD-RAM_Service - Matsu****a Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Flexlm (lmgrd) - Unknown owner - C:\Cadence\SPB_15.5\IntelliCAD 4\LicenseManager\lmgrd.exe (file missing)
    O23 - Service: PGPserv - PGP Corporation - C:\WINDOWS\system32\PGPserv.exe
    O23 - Service: PMService - Unknown owner - C:\Program Files\richcomm\PowerManagerII\PMService.exe
    O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
    O23 - Service: VPOP3 Email Server (VPOP3) - Unknown owner - C:\PROGRA~1\vpop3\vpop3svc.exe

    End of file - 5941 bytes
  2. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I am not a qualified HJT log viewer
    But I do not see any issues (malware or otherwise) with your HJT log

    Regarding Downloader.Generic6.AKFS

    This trojan may be Win32/SillyDl.DNM

    Win32/SillyDl variants may download other trojans, or non-malicious programs such as adware. At any given moment in time, the program(s) it attempts to download may be changed or updated, or may be unavailable altogether. This family of trojans usually downloads using HTTP.

    In order to avoid SillyDl infections it is important to follow safe computing practices, such as keeping your Operating System and third party applications up to date and patched with the latest updates, and use an Anti-Spyware and Adware solution

    Risk Level 1: Very Low (Any AntiVirus Spyware program will do)

    And can be associated with: (Please remove these if found)

    Or possibly comming in through your email program Vpop3 Mail Server
    By the way, why are you using this email program?
  3. RocksOfSteel

    RocksOfSteel TS Rookie Topic Starter

    Yes, I couldn't see anything either that's why I posted it here for someone more knowledgeable to cast an eye over.

    AVG has managed to remove this problem. All "seems" well now.

    I do, I update AVG every night. And I install all the XP security updates as they apear.

    You may ask why I use AVG and not Mcafee or other main stream (paid for). Well AVG was the first of them to find the problem.

    Strange question. Why do we use any software, to make our lives easier?
    Ok, you asked so I'll tell you. I use VPOP3 because I have many email accounts and using VPOP3 is one way to collect them all together in one place and then filter to different users.

    Many thanks
  4. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Why I asked is because, most of these infections come through users mail programs. And some programs (ie Outlook as an example) have good spam and filtering control.

    Definately not. AVG is a world leader, and Grisoft, also offer some of the best spyware removing programs. I'd say stick with them. But you may want to include a good firewall too. (unless this is AVG Internet Security)

    That's great

    Thank-you too, I hope you are satisfied with the support :)
  5. RocksOfSteel

    RocksOfSteel TS Rookie Topic Starter

    Thanks, and yes the suport was great.

    I do use firewall software. I use Comodo and Kerio (on different PC's :) ) and am happy with both.

    What do you think of those two and would you recomend any others?

    Many thanks
  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    They're fine.

    But any firewall is only as good as the settings that have been entered
    ie Block all is perfect :)

    Anyway, have to go for a while.

    Please continue to use (and recommend) TechSpot to others
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...