Semi bad virus trouble + Highjackthis log

[tal ormanda]

They keep poping up in IE, I scaned with Ad Aware SE and kaspersky, but anything specific to stop them?

Logfile of HijackThis v1.99.1

Scan saved at 4:41:43 PM, on 12/26/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\AIM\aim.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe

C:\Documents and Settings\Brandon Randolph\Desktop\Anti Virus\winvnc.exe

C:\Program Files\Hamachi\hamachi.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

C:\Documents and Settings\Brandon Randolph\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/library/app/fee...2882833CAE9AB32

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll

O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll

O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice

O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tpgtrypr.dll",setvm

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll

O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1167167639968

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe

O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

O23 - Service: WMP54GSSVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe" "WMP54GSv1_1.exe (file missing)

O23 - Service: WMP54Gv4SVC - Unknown owner - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe" "WMP54Gv4.exe (file missing)

Edited December 26, 2006 by tal ormanda

[prx984]

It looks like a popup really, although, it's more than likely its some kind of virus. If kaspersky isn't finding it, you may want to try some other virus program. I'm not too familiar with Kaspersky.

Try disconnecting from the internet and see if they persist. It really looks like adware.

Edited December 26, 2006 by Cygnus

[Tarun]

There is nothing apparent that is malicious in your log. Have you run anything else besides Kaspersky and Ad-Aware?

[tal ormanda]

Its on my friends computer, and no. I will I guess though, I did spybot now that I think of it. I am doing it remotely.

[LLXX]

There is nothing apparent that is malicious in your log.

O RLY? Look again.

Hint: The rundll32 entry with the random DLL name.

[nitroshift]

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\tpgtrypr.dll",setvm

That's the culprit. Just delete it and see if the popups still appear.

[tal ormanda]

How do you guys know whats bad lol? Do you just want me to delete it from the highjack this program? Any way to back up that file just in case?

Edited December 27, 2006 by tal ormanda

[Tarun]

Start > Run > cmd

cd %Windir%/System32

del tpgtrypr.dll

If this file refuses to delete, use HijackThis to delete the file at next boot or use Unlocker.

[Camarade_Tux]

Before deleting it, try Start -> Run -> regsvr32 /u tpgtrypr.dll

It may help delete it.

And we find suspect because

-they have random names

-are in WINDOWS or SYSTEM32 but are not usual entries (experience)

-if you browse to them in explorer and take their properties, they don't have any : no author, no detail, nothing which is never the case with MS files and rarely the case with other legit files

[LLXX]

- Most processes are not DLLs and do not start from RunDll32.

Those that are, are well-known.

Edited December 28, 2006 by LLXX

[tal ormanda]

I'll do that next time he gets on.

[tal ormanda]

Didn't work

[[deXter]]

Open Regedit.

Head over to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

In the right pane, right click and create a new Multi-string value and name it PendingFileRenameOperations

Edit it and type

\??\C:\WINDOWS\system32\tpgtrypr.dll

Edit: Or Run this file: remove_tpgtrypr.dll.reg ( 782bytes )

Also, download and run Autoruns.exe in

http://download.sysinternals.com/Files/Autoruns.zip

Press "Escape" to stop scanning.

Goto Options -> Hide Microsoft Entries

Press F5 or Refresh to restart the scanning. Now you'll know all non-default programs that are loaded on startup. Delete all suspicious entries.

Reboot.

remove_tpgtrypr.dll.reg

Edited December 29, 2006 by [deXter]

[tal ormanda]

Can I delete all the ones where the file is not found?

In the IE section there were .dll files which when googled, had no results. Can I delete these?

Under Browser Helper Objects:

kpbutpjot.dll

fjewgcqt.dll

yrhafajb.dll

bvolg.dll

Edited December 29, 2006 by tal ormanda

[Tarun]

No, only delete this one entry:

R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)

The others are protected and that is why they show up as file missing.