Problem with Win32:Trojan-gen.

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kybard, Jan 20, 2006.

  1. Kybard

    Kybard Private E-2

    I took notes in a Notepad file throughout the process, so my apologies in advance if all of this seems a tad disoriented. I've spent all day working through the steps in the READ AND RUN ME FIRST sticky thread.

    Laptop specs:
    Windows XP SP2
    Dell Inspiron 6000
    Intel Pentium M 1.60 GHz, 2GB RAM

    I'm a little embarrassed about this - I'm very rarely this much of a dope with computer stuff - but I clicked on the link in a suspicious "here are some pictures of us!" message in an AOL Instant Messenger window, without thinking. Before I could react, a .PIF file with a name I cannot remember was downloaded and apparently installed. My computer started opening up multiple IM windows and apparently trying to IM everyone on my buddy list.

    Other symptoms: advertisement popups now appear at random, claiming to originate from a "Zeno search assistant". Also, every time I start the computer, I get several virus alerts from avast!, almost all of them identifying the virus as Win32:Trojan-gen. {UPX!} and appearing in various files, the most often appearing to be C:\windows\system32\ows_32.exe or c:\windows\system32\ows_32.dll.

    Attempting to repair files with avast! gave me a message that the file was being used by another process. Attempting to move them to the virus chest usually gave me the same reply. I've just been selecting "Delete" with the option to delete at next restart turned on, because that's the only one that goes through other than ignore.

    When I began to use the steps in the sticky thread, I noticed many obvious spyware programs in Add/Remove Programs, and deleted all I could. A few returned - particularly the "Zeno search assistant", which I deleted twice and had it return both times.

    I went through all the programs in the sticky thread - each program found various different bits of spyware (I haven't done a deep spyware check in a long time on this computer) but all problems that were found appeared to have been fixed.

    The first time I ran BitDefender, it found several problems and fixed BUT I couldn't get a log - the program hung up on the "E:\" drive, which is a virtual drive spawned by DaemonTools, after finishing the scan of the C:\ drive. It wouldn't let me get a log or close it; I had to CTRL+ALT+DEL just to shut down the IE window. So, I ran it again - the results of the second scan are in the attached log.

    BD appears to set off some alarms - just as it detects some of the infected files, avast! gives me the "ows_32.dll" virus detected warning. Perhaps I should have disabled avast! during the scan? The log is attached, in any case.

    Every time I attempt to use Panda, it gives me an error just after it finishes trying to update its virus database about being unable to finish the install.

    I have also attached a HijackThis log, which I just created after all of the other scans were complete.

    I hope I'm not forgetting anything. I'll have another go at the Panda program and come up with some specific error message information if I can. Your help would be greatly, greatly appreciated.
     


  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com!

    Please see the below thread on how to install and run Spy Sweeper.
     
  3. Kybard

    Kybard Private E-2

    Spysweeper log and new HJT log attached.
     


  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  5. Kybard

    Kybard Private E-2

    Ewido and fresh HJT logs attached.
     


  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download ADS Spy, save to your desktop.

    Once you have downloaded this utility, extract the contents and double click "ADSSpy.exe" to run the utility. Once the utility has loaded, make sure the first 2 boxes are checked. Now click "Scan the system for alternate data streams" and remove any that are found.

    After you complete the above, reboot and attach a fresh HJT log.
     
  7. Kybard

    Kybard Private E-2

    The ADS scan returned 0 results.

    Also, after running the Ewido scan the symptoms appear to have disappeared, at least for the time being. No alerts from avast!, and AIM appears to be working perfectly.

    In any case, fresh HJT log attached.
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Virtumundo Begone
    • Save the file to your desktop.
    • Close all running programs (including your Internet Browser)
    • Double-click VirtumundoBeGone.exe on the desktop.
    • Read the introductory information, and then click Continue
    • Click Start
    • When asked if you want to continue, click Yes to run the fix
    • Click "Save Log"
      • Note: It is normal for the fix to terminate by producing a BLUE SCREEN OF DEATH so don't be concerned when this happens. It requires you to manually reboot to restore your normal windows desktop.
    • After you have completed the fix, reboot and attach the log from the scan. It will be located on the desktop called "VBG.TXT". Attach this log with a fresh HJT log.
     
  9. Kybard

    Kybard Private E-2

    VBG and fresh HJT logs attached.
     


  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    Ewido

    Spy Sweeper


    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O2 - BHO: (no name) - {63BC34EB-FA22-D2D9-5C95-F14A32FFA9CE} - C:\WINDOWS\system32\zthuqne.dll (file missing)

    O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab

    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate Local Security Authority Subsystem Service (lsass) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    Next, run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.

    Note: Remember to get all updates before doing the scans.


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin
    And Click OK.


    After you complete the above, REBOOT and proceed with the rest of this fix...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.

    After you complete the above reboot once more and then scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
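    Added example (not part of the thread, and not HijackThis code): a small triage script that parses the R0/R1, O2, O16 and O23 entry formats quoted in the post above and applies the rules a responder would use to pick out the same entries the expert told the poster to fix. The one thing it looks for that the thread only hints at is name masquerading: a service registered as "lsass" whose image is C:\WINDOWS\scvhost.exe (a look-alike of svchost.exe, outside system32). The allow-lists for ActiveX hosts and approved start pages are assumptions for the example; the W32Time control line is constructed, not from the log.

```python
"""
Triage rules for HijackThis-style log lines.

Added example, not code from the post or from HijackThis. It parses the entry
formats quoted in the thread (R0/R1, O2, O16, O23) and applies a few rules a
responder would use to pick out the entries the expert told the poster to fix.
"""
import difflib
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
from urllib.parse import urlparse

# Entries quoted in the expert's post (real page content).
HJT_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank",
    r"O2 - BHO: (no name) - {63BC34EB-FA22-D2D9-5C95-F14A32FFA9CE} - C:\WINDOWS\system32\zthuqne.dll (file missing)",
    r"O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab",
    r"O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)",
]
# Constructed control line (not from the log): a normal svchost-hosted service.
BENIGN_LINE = r"O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe"

# Binaries that malware commonly imitates by name. The genuine ones live in
# %SystemRoot%\system32 and none is registered as a service named after itself.
CORE_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe", "smss.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"
# Assumption for this example: ActiveX (O16) downloads only tolerated from these hosts.
DPF_ALLOWED_HOSTS = {"windowsupdate.microsoft.com", "update.microsoft.com"}
# Start/search pages the user actually chose. Empty on purpose, so every
# R0/R1 entry is surfaced for review, as the expert did in the thread.
APPROVED_PAGES: Set[str] = set()

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<display>.+) \((?P<name>[^()]+)\) - (?P<owner>.+?) - (?P<image>.+)$")


@dataclass
class Finding:
    kind: str
    reason: str
    line: str


def _split_missing(body: str) -> Tuple[str, bool]:
    """Strip HijackThis's '(file missing)' marker and report whether it was there."""
    marker = " (file missing)"
    return (body[: -len(marker)], True) if body.endswith(marker) else (body, False)


def _lookalike(basename: str) -> Optional[str]:
    """Return the core binary a name imitates (e.g. scvhost.exe -> svchost.exe), else None."""
    for legit in sorted(CORE_BINARIES):
        if basename != legit and difflib.SequenceMatcher(None, basename, legit).ratio() >= 0.85:
            return legit
    return None


def analyze_line(line: str) -> List[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    body, missing = _split_missing(body)
    out: List[Finding] = []

    if kind in ("R0", "R1"):
        # IE start/search page keys: a value the user did not choose is a hijack
        # or a leftover OEM/spyware default, and gets reset.
        key, _, value = body.partition(" = ")
        if value not in APPROVED_PAGES:
            out.append(Finding(kind, f"unapproved page for {key.rsplit(',', 1)[-1]}: {value}", line))
    elif kind == "O2":
        # Browser Helper Object: a missing file is an orphaned registration that
        # something keeps trying to load; an unnamed BHO is typical of malware.
        parts = body.split(" - ")
        if missing:
            out.append(Finding(kind, f"BHO points at missing file {parts[-1]}", line))
        elif parts[0] == "BHO: (no name)":
            out.append(Finding(kind, "unnamed BHO", line))
    elif kind == "O16":
        # Downloaded Program File (ActiveX CAB) from a host not on the allow-list.
        host = urlparse(body.split(" - ")[-1]).hostname or ""
        if host not in DPF_ALLOWED_HOSTS:
            out.append(Finding(kind, f"ActiveX download from unexpected host {host}", line))
    elif kind == "O23":
        sm = SERVICE_RE.match(body)
        if sm:
            name = sm.group("name").lower()
            image = sm.group("image").strip('"')
            directory, _, basename = image.lower().rpartition("\\")
            # A service named after a core process but not backed by the genuine
            # binary in system32 is masquerading (the thread's fake "lsass").
            if name + ".exe" in CORE_BINARIES and (directory != SYSTEM32 or basename != name + ".exe"):
                out.append(Finding(kind, f"service '{name}' masquerades as a core process, image {image}", line))
            legit = _lookalike(basename)
            if legit:
                out.append(Finding(kind, f"image name {basename} imitates {legit}", line))
            if missing:
                out.append(Finding(kind, "service image file missing", line))
    return out


def analyze(lines) -> List[Finding]:
    return [f for line in lines for f in analyze_line(line)]


if __name__ == "__main__":
    for f in analyze(HJT_LINES + [BENIGN_LINE]):
        print(f"{f.kind}: {f.reason}")
```

    Every entry the expert had the poster tick in HijackThis is reported, the constructed W32Time line is not, and the O23 line is flagged three times (masquerading name, look-alike image name, missing file). The look-alike check uses a plain difflib similarity ratio, which is good enough for one-letter swaps like scvhost/svchost but would need a proper list of known names for real use.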
     
  11. Kybard

    Kybard Private E-2

    All the steps went very smoothly. As of the moment I'm not experiencing any sort of suspicious activity or problems on the computer.

    Fresh HJT log attached. Thanks a lot for all your help through this!
     


  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean, are you having any further problems?
     
  13. Kybard

    Kybard Private E-2

    No problems anymore. I think everything's been cleaned up.

    Thanks a lot!
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

