  #1
01-15-2006
madmal
Bronze Member
Join Date: Jan 2006
Posts: 9
[Fixed] My computer is infected with troj_adload.s,troj_chophar.a and troj_dropper.up

Hi guys, it seems that my notebook is infected.

Trend Micro alerts me that the uncleanable infected file is: c:\windows\inet20010\alg.exe
Virus name: Troj_chophar.a, troj_adload.s and troj_dropper.up

Trend Micro also alerts me that outgoing mail is also being sent.

Winlogon.exe is constantly trying to install a BHO.

My computer keeps restarting as well.. so before it does that again, here is my hijackthis log.

Thanks to anyone who can help.

**Admin Edit - please read the rules about posting logs**
Attached Files
File Type: txt log.txt (7.5 KB, 9 views)



Last edited by Hengis; 01-15-2006 at 11:18 AM.
  #2
01-15-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Hya Madmal, welcome to PCHF.


First off, please don't start double topics, second, let's get rid of those buggers.



Before fixing things with HijackThis Please Do the Following:


Show hidden files and folders:

For XP:
  1. On the Tools menu in Windows Explorer, click Folder Options.
  2. Click the View tab.
  3. Under Hidden files and folders, click Show hidden files and folders.
  4. If you see a warning message, click Yes.
  5. Click Apply.
  6. Click OK.



Disable System Restore to prevent re-infection.
(If you have/use it. You can turn it back on when your PC is clean).

How to disable system restore:

WinXP.
  1. Click the Start button.
  2. Right-click My Computer, and then click Properties.
  3. On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.


Please download CCleaner




Please download Process Explorer by Sysinternals from HERE.

Also download KillBox by Option^Explicit from HERE.


I see you have Trend Micro Internet Security and AVG free AV installed. I would remove the AVG since two AVs can cause conflicts and performance issues, and AVG is free and only an AV.



Then boot up in SAFE MODE and stay in safe mode (hit F8 when booting up) until the entire fix is done.

Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen, double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen, click on each instance of msupdate32.dll once and then click the kill button.
After you have killed all of the msupdate32.dll's under winlogon, click OK.

Next, in the top section of the Process Explorer screen again, double click on explorer.exe and again click once on each instance of msupdate32.dll, then click the kill button.
Once you have done that click OK again.


Next run HijackThis and place a check beside each of the following:


F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\services.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
Now click fix checked and close HijackThis.

Delete the folder in bold, and run CCleaner.


Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box:

C:\WINDOWS\SYSTEM32\msupdate32.dll

Click the red circle with the white x and allow your computer to reboot.
(if killbox doesn't reboot on its own then please reboot manually)

After your computer has rebooted please run Hijackthis again and post a new Hijackthis log.


I would also disable the Windows Messenger service:

Please download Shoot The Messenger

Download and run the small (22 kbyte) "ShootTheMessenger.exe" utility. It will display the current status of your system's Messenger Service. The button near the bottom of its window will allow you to set the service to whichever state (running or disabled) that you desire.

If, for any reason, you should ever choose to re-enable the Windows Messenger Service, simply re-run ShootTheMessenger to do so.


__________________
- PCHF Team. - (NL) - Mal-ware Eradicator! -
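
The four entries ticked in the post above share recognisable patterns: a system binary name running from a non-system folder, a win.ini autostart, a BHO with no file, and a Winlogon Notify DLL. The following is an added example, not part of the original thread or of HijackThis, that parses log lines and flags those patterns for review; the `SYSTEM_NAMES` list, the function names and the first sample line are assumptions made for the illustration.

```python
import re
from ntpath import basename, dirname, normcase

# Assumption for this example: names that normally run only from System32.
SYSTEM_NAMES = {"services.exe", "alg.exe", "winlogon.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIR = normcase(r"C:\WINDOWS\system32")

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")           # e.g. "O4 - HKLM\..\Run: ..."
PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.I)  # first .exe/.dll path on the line

def parse(log_text):
    """Yield (code, body, path) for entry lines and bare running-process paths."""
    for line in map(str.strip, log_text.splitlines()):
        m = ENTRY.match(line)
        code, body = m.groups() if m else ("proc", line)
        p = PATH.search(body)
        path = p.group(0) if p else None
        if m or path == line:
            yield code, body, path

def reasons(code, body, path):
    """Return the review reasons for one parsed line (empty list = nothing flagged)."""
    out = []
    if path and basename(path).lower() in SYSTEM_NAMES \
            and normcase(dirname(path)) != SYSTEM_DIR:
        out.append("system binary name outside System32")
    if code == "F3":
        out.append("win.ini run= autostart")
    if code == "O2" and "(no file)" in body:
        out.append("BHO with no file on disk")
    if code == "O20":
        out.append("Winlogon Notify DLL, loaded into winlogon.exe")
    return out

def triage(log_text):
    """Return [(code, reasons)] for every line that has at least one reason."""
    return [(c, r) for c, b, p in parse(log_text) if (r := reasons(c, b, p))]

# Constructed sample: one clean process line plus lines quoted in this thread
# (the attached logs themselves are not reproduced on the page).
SAMPLE = r"""
C:\WINDOWS\system32\services.exe
c:\windows\inet20010\alg.exe
F3 - REG:win.ini: run=C:\WINDOWS\inet20010\services.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20010\services.exe
O4 - HKCU\..\Run: [WaktuSolat] C:\Program Files\Waktu Solat\waktusolat.exe
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
"""

if __name__ == "__main__":
    for code, why in triage(SAMPLE):
        print(code, "->", "; ".join(why))
```

A flagged O20 or F3 line is a prompt to inspect the entry, not proof of infection, since legitimate software also registers Winlogon Notify DLLs.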

  #3
01-16-2006
madmal
Bronze Member
Join Date: Jan 2006
Posts: 9
New HJT log file

Hi Joe,

Thanks for the help. I am posting a new HJT log file for your view.

madmal


  #4
01-16-2006
madmal
Bronze Member
Join Date: Jan 2006
Posts: 9

Hi Joe,

Didn't manage to attach the HJT log file previously. Attaching it here. Thanks.

madmal
Attached Files
File Type: txt hijackthismadmal2.txt (6.3 KB, 1 views)


  #5
01-16-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

Looking good. All the bad stuff is gone.

But I see you've kept AVG free AV and removed Trend Micro Internet Security instead. No problem if you want that of course, but now you don't have a firewall anymore. That's not a good thing.

You could have a look in our download section for free firewalls if you like.

And do you still have any problems with your PC?


  #6
01-17-2006
madmal
Bronze Member
Join Date: Jan 2006
Posts: 9

Hi Joe,

I have already removed AVG and installed Norton AntiVirus. Strangely enough, I am getting a lot of emails blocked by Norton being sent out to email addresses that I have never seen. I think I am still infected.

As usual here is my latest HJT log file again.

Regards,

madmal
Attached Files
File Type: txt hijackthismadmal3.txt (9.1 KB, 4 views)


  #7
01-17-2006
joe5
Elite Member
Join Date: Jun 2005
Location: Netherlands
Posts: 9,036

I don't see anything wrong in your log anymore, but just to check, you know and use these two apps?

C:\Program Files\Waktu Solat\waktusolat.exe
O4 - HKCU\..\Run: [WaktuSolat] C:\Program Files\Waktu Solat\waktusolat.exe

C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe


And can you run a Panda active scan and post the log from it:

http://www.pandasoftware.com/product...ACHEHINT=Guest


And a SpySweeper scan, and also post the log from it please:

Please download and install the trial version of Webroot SpySweeper.

http://www.webroot.com/shoppingcart/...011&vcode=DT02

When SpySweeper starts, please accept any prompts to update definitions.
Configure it as follows:
From the left pane, click Options
Select the Sweep Options tab & ensure the following are ticked:

*Sweep Memory
*Sweep Registry
*Sweep Cookies
*Sweep All Users accounts
*Do Not Sweep System Restore Folder
*Enable Direct Disk Sweeping
*Sweep contents of compressed files
*Sweep For Rootkits

After that's done, select Sweep from the left pane & click on the Start button

Allow SpySweeper to reboot your machine to remove the infected files.
After rebooting, launch SpySweeper & select Results from the left pane
Click the 'Session Log' tab & choose Save to File to create a log.

