Possible Malware infestation?

Post by whitenoiz » December 18th, 2007, 1:57 pm

Hi, good afternoon,
We are currently experiencing problems which may be related.
In the first instance we cannot access System Restore or the System folder on our computer; in the second instance our normally mediocre ADSL speed has slowed from around 56kbps down to a maximum of around 10kbps.

We are running windows XP with service pack 2 installed.

When we try to run System Restore or access the System Files we get an error message which reads
"Run a Dll as an App"
Error signature
Event Type; BEX P1: rundll32exe P2 5.1 2600.2180 P3 41107dbc
P4smstr.dll P5 5.1.2600.2180 P6: 41109751 P7:0001ca8c
P8:c0000409 P9: 00000000

Over the last few days we have run Spybot S&D, Ad-Aware, AVG Spyware Removal and Rogue Remover. We have rebooted after each operation. We have also tried to use Trend Micro's Housecall, but because of our incredibly slow ADSL speed I was forced to give up this operation after 4 hours.

Back in September I downloaded a couple of nasties... 'ABetterInternet' and 'NoAdware'.
These presented themselves in the form of a blood red wallpaper with repetitious pop-ups about spyware and adware and proved virtually impossible to remove. The infestation appeared to be only on my user page; other users of the computer did not appear to have been infected.

To get around the problem I opened a new user page and have used this ever since.
Following instructions from Symantec we tried to get rid of the problem. Their first instruction was to disable System Restore, which we did; we have been unable to access this ever since!

Spybot S&D shows the problem to still exist on the computer. I am told that the only guaranteed way to get rid of it is to purchase the software from the same people who infected us in the first place, but I have grave misgivings about opening any kind of dialog with these blackmailers... Who knows what other nasties they have up their sleeves...

Following runs with Norton, AVG Spyware and various other malware/adware removal programs, we downloaded HijackThis and with the help of various authorities deleted those items which they declared to be problems.

The problem still exists and our ADSL speed appears to be falling by the day. Our phone service provider has declared the line to be serviceable, so I guess our problem must be within the computer (or router? or associated cables?).

I would also say that we routinely run Registry Mechanic before starting any serious work on the computer in an effort to give us a fighting chance...
It might also be worth a mention that the computer can typically take up to 15 minutes to boot up.

We do not have access to a computer expert (we are a couple of Brits living in Spain and have language problems!) and we are not experts ourselves, but we need to get the computer sorted out for our work here.

We are attaching our latest HJ log. Perhaps someone can take a look and hopefully help us out.
We would be ever grateful!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:55:16, on 18/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\NetDrive\wdService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://msnia.login.live.com/ppsecure/s ... rf?lc=2057
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra 'Tools' menuitem: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra button: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra 'Tools' menuitem: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

--
End of file - 12024 bytes
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Post by curlylad » December 18th, 2007, 5:00 pm

Hello whitenoiz and welcome to The Malware Removal Forums.

My name is curlylad and I will be helping you to remove any infection(s) that you may have.

I have to carefully formulate any fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your query and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Re: Possible Malware infestation?

Post by whitenoiz » December 18th, 2007, 5:11 pm

Curlylad, hi,
Many thanks for getting back to me quickly. Much appreciated.
Hope to hear from you further soon.
whitenoiz.
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Post by curlylad » December 18th, 2007, 5:44 pm

Good Evening whitenoiz

Thank you for the initial information that you provided.
I will go through some of it now and try to address the points and comments that you made.

I am told that the only guaranteed way to get rid of it is to purchase the software from the same people who infected us in the first place, but I have grave misgivings about opening any kind of dialog with these blackmailers


You're quite right, under no circumstances download software from the source of which you know not.
Furthermore, I must insist that for the duration of the following fix process, and until I have given you the 'All Clear', you must only download, use, run or install the things which I instruct you to.
Failure to follow this instruction may render the fix process useless.

The rest of your initial comments centred on the problem of the system's speed in general.
This leads me straight on to our first step below:

OK, here are the first instructions which I need you to follow.


STEP 1

Anti Virus Programs

I notice from your HijackThis Log that you are currently running 2 Anti virus programs

Symantec/Norton Anti Virus and also AVG Anti Virus.

This may be one of the reasons that you are experiencing major speed problems.
Running 2 Anti Virus programs can cause all manner of problems to your system, the main ones being speed reduction and freeze-ups.
The reason for this is that you have 2 programs fighting to do exactly the same job.
To remedy this problem we need to uninstall one of the Anti Virus programs that you have running.

If your Symantec/Norton Anti Virus is paid for and up to date I suggest that you keep it and uninstall the AVG Anti Virus.
The AVG is free and doesn't have a firewall included so my recommendation is that you uninstall it.

Please now go to Add and Remove Programs in your Control Panel and uninstall AVG Anti Virus.
(Do not confuse this with AVG Anti Spyware which is a totally different program).

Please now reboot your system before continuing to the next step.



STEP 2

Clear 'Junk'

We'll attempt to clear some junk off your system before moving on.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete... under Browsing History.
Next to Temporary Internet Files, click Delete files, and then click OK.
Next to Cookies, click Delete cookies, and then click OK.
Next to History, click Delete history, and then click OK.
Click the Close button.
Click OK.
For Internet Explorer 4.x - 6.x

Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.
For Netscape 4.x and Up

Click Edit from the Netscape menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the triangle sign.
Click Cache.
Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up

Click Edit from the Mozilla menubar.
Click Preferences... from the Edit menu.
Expand the Advanced menu by clicking the plus sign.
Click Cache.
Click the Clear Cache button.
For Opera

Click File from the Opera menubar.
Click Preferences... from the File menu.
Click the History and Cache menu.
Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.



STEP 3

AVG Anti Spyware

I notice from your log that you have AVG Anti Spyware installed.
We shall use this to scan your system and generate a log for us.

Here's what I need you to do.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Do not automatically generate reports.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot your PC.



STEP 4

Create an Uninstall List/fresh HijackThis Log
  • Open HijackThis
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save List...
  • Save the list to your Desktop
  • Under Other Stuff click the Back button
  • Now click the Scan button
  • Click the Save Log button, save it to your Desktop
  • Close HijackThis.



STEP 5

Report Back
  • Please now post back the AVG Anti Spyware Log
  • The Uninstall List
  • The fresh HijackThis Log.

I will review the new information and provide any further necessary steps as soon as possible.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham
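The log posted above and curlylad's Step 1 observation (two anti-virus products registered at once) are the kind of thing a helper reads off a HijackThis log by eye. The following Python script is an added example, written for this page rather than taken from the thread or from HijackThis itself: it parses the `Rn`/`Fn`/`Nn`/`On` entry lines, skips header and process-list text, flags orphaned entries (`(no file)`, `(file missing)`), AppInit_DLLs entries and services with no publisher, and lists which anti-virus vendors have services installed. The sample log is a constructed subset of lines copied from the posted log; the vendor-string table is an assumption covering only the two products visible in the thread.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis 2.0.2 log
# posted in this thread, including the header and process-list noise a real
# log carries.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4,
# O1-O24) followed by " - "; anything else in the file is header text.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# HijackThis prints these when a registry entry points at a file that is gone.
ORPHAN_MARKERS = ("(no file)", "(file missing)")

# Vendor strings as HijackThis prints them in O23 service lines. Assumption:
# a short table covering only the two products visible in the thread.
AV_VENDORS = {"GRISOFT": "AVG", "Symantec": "Symantec/Norton"}


def parse_hjt(text):
    """Return a list of (section, body) tuples, skipping non-entry lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(entries):
    """Flag entries a helper looks at first. Returns (kind, section, body) tuples."""
    findings = []
    for section, body in entries:
        # Orphaned entries are leftovers of removed software; each one should
        # be explained by something the user knows was installed and removed.
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(("orphan", section, body))
        # AppInit_DLLs are loaded into every process that maps user32.dll,
        # so each one must be tied to a known product.
        if section == "O20":
            findings.append(("appinit", section, body))
        # A service with no publisher string has to be identified by its path.
        if section == "O23" and "Unknown owner" in body:
            findings.append(("unknown-owner", section, body))
    return findings


def av_vendors(entries):
    """Sorted list of anti-virus vendors that have a service registered (O23)."""
    seen = set()
    for section, body in entries:
        if section == "O23":
            for needle, name in AV_VENDORS.items():
                if needle in body:
                    seen.add(name)
    return sorted(seen)


def report(text):
    """Human-readable triage summary for one log."""
    entries = parse_hjt(text)
    lines = [f"{len(entries)} HijackThis entries parsed"]
    for kind, section, body in triage(entries):
        lines.append(f"[{kind:13}] {section} - {body}")
    vendors = av_vendors(entries)
    if len(vendors) > 1:
        lines.append("More than one anti-virus product has services installed: "
                     + ", ".join(vendors))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run against the full posted log, the same functions pick out the `(no file)` BHO, the two `(file missing)` Memotoo buttons, the two `Unknown owner` services and the AppInit_DLLs line, and report that both AVG and Symantec/Norton services are present, which is exactly the conflict Step 1 addresses.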

Re: Possible Malware infestation?

Post by whitenoiz » December 18th, 2007, 11:54 pm

Hi, whitenoiz reporting back with the results of the first set of instructions.
Firstly, however, I need to tell you that because our Norton Antivirus was out of date and we could not afford the updates, we have elected to delete this from the system and retain AVG as our principal virus protection system.
When we tried to delete Norton a part of it could not be deleted (the updates part, we think).
Secondly, when clearing the junk from the temp files we found five files which cannot be removed using the delete button. These are still present and are identified as:
Perflib_Perf...
~DF6D8F.temp
+DF6D88.temp
~DF55C2.temp
~DF552B.temp
The computer is set to work for four administrators and one guest.
The files listed above are located in one admin ('whitenoiz').
Also in the admin junk under admin ('John Veale'), under Windows temp files, we have a file which will not delete; this is identified as:
T30Debugfile
Also on the same admin, in the Docs and Settings, we have a file titled:
Perflib_Perfdata ff8
Again we cannot delete this file.

After all that here are our logs...

AVG Spyware Log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 04:12:57 19/12/2007

+ Scan result:



C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP958\A0196548.exe -> Adware.RegistryRescue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B1AF6306-70F0-4416-91D0-2A49F3B95B86}\RP972\A0264606.dll -> Dropper.Mudrop.m : Cleaned with backup (quarantined).
:mozilla.589:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.117:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.305:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.36:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.37:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.39:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.766:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.862:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.671:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.71i : Cleaned.
:mozilla.215:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.216:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.217:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.218:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.549:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adengage : Cleaned.
:mozilla.401:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.464:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Adtech : Cleaned.
:mozilla.441:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.77:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.78:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.680:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.714:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned.
:mozilla.584:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Connextra : Cleaned.
:mozilla.772:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.54:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\whitenoiz\Cookies\whitenoiz@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.769:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Etracker : Cleaned.
:mozilla.503:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.411:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.459:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.400:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.610:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Hitslink : Cleaned.
:mozilla.200:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.201:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.404:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Intelli-direct : Cleaned.
:mozilla.506:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned.
:mozilla.208:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.210:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.593:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.704:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.293:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.381:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.172:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.133:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.648:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.716:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Realtracker : Cleaned.
:mozilla.412:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.126:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.127:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.128:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.129:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.130:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.367:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.552:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Sexlist : Cleaned.
:mozilla.238:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.239:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Sextracker : Cleaned.
:mozilla.353:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.795:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Sitestat : Cleaned.
:mozilla.155:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.156:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.157:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.158:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.159:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.160:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.161:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.162:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.62:C:\Documents and Settings\sylvie veale\Application Data\Mozilla\Firefox\Profiles\ntxqidsv.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.707:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.85:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.86:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.87:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.88:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.89:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.90:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.91:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.62:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.63:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.40:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.41:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.42:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.43:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.116:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
:mozilla.306:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.539:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.82:C:\Documents and Settings\Olivia\Application Data\Mozilla\Firefox\Profiles\6crfy655.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.332:C:\Documents and Settings\whitenoiz\Application Data\Mozilla\Firefox\Profiles\msrxgbt9.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\whitenoiz\Cookies\whitenoiz@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end

Uninstall List:

AceHTML 5 Freeware
AceHTML 5 Pro
Ad-Aware 2007
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Adobe Shockwave Player
Adsense Status
Advanced Diary v1.3
AirNav ACARS Decoder 2
AirNav Suite
AllMyFavorites
ArcSoft Camera Suite
ArcSoft PhotoStudio 5.5
ArcSoft VideoImpression 2
AVG Anti-Spyware 7.5
AVG Free Edition
Blog Post Builder 0.41
Blurty (remove only)
Canon CanoScan Toolbox 4.5
CoffeeCup Direct FTP 5.2 Shareware
CoffeeCup HTML Editor
CoffeeCup HTML Editor 2006
CSAPI (MS Office) spelling plugin for My Notes Center
Cypress USB Mass Storage Driver Installation
Diary Book
Disc API
DivX Codec
Easy Thumbnails (Remove only)
EPSON Attach To Email
EPSON Easy Photo Print
EPSON Print CD
EPSON Printer Software
EPSON Scan Assistant
EPSON Web-To-Page
ESPR220 User's Guide
ewido anti-malware
FileZilla Client 3.0.1
Flash Catcher
Flickr Uploadr 2.1
FLV Player 1.3.3
GMail Drive Shell Extension
Good Keywords v2.01.100107
Google Desktop
Google Desktop Plugin - Del.icio.us
Google Earth
Google Notebook Extension for IE
Google Pack Screensaver
Google Talk (remove only)
Google Toolbar for Internet Explorer
Google Updater
Google Video Player
Harry's Filters 3
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
ICQ6
iDailyDiary 3.20
IEimage
Internet Explorer 7 Beta 2
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8
Java(TM) 6 Update 3
KONICA_MINOLTA DiMAGE remote camera driver
LiveReg (Symantec Corporation)
LJ.NET
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' RogueRemover
Manual CanoScan 3200,3200F
Memotoo.com plugin for I.E. v1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Data Access Components KB870669
Microsoft Interactive Training
Microsoft Office Outlook Connector
Microsoft Office Spell Checker
Microsoft Office XP Media Content
Microsoft Office XP Standard for Students and Teachers
Microsoft Picture It! Express 9
Microsoft Picture It! Library 9
Microsoft Reader
Microsoft Windows Journal Viewer
MoreKeys 1.2
Mouse Driver Mouse Driver 3.5
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (2.0.0.11)
MSN
MSN Encarta Plus Support Files
NetDrive
Netscape Communicator 4.79
Nic's XviD Decoder
Norton WMI Update
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Office Keyboard
OmniPage SE 2.0
Opera 9.0
Photobucket Uploader
PIF DESIGNER
Pinnacle InstantCD/DVD Suite
Plugin Commander Light
PowerDVD
PSP Thumbnail Handler
QuickTime
Quivic
Qumana
RealPlayer
Realtek AC'97 Audio
Registry Mechanic
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB944653)
Spanish Whiz 6.6
Spanish Whiz Full Version
Spybot - Search & Destroy 1.3
StartSpanish 3.5
StartSpanish 3.6
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
USB Storage Adapter FX (SM1)
Viewpoint Manager (Remove Only)
Virtual Magnifying Glass 2.00
w.bloggar 4.00
Webaroo
Website Builder 7.0.1
WinAce Archiver
WinBackup
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Connect
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows WMF Metafile Vulnerability HotFix 1.4
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB887797
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinHTTrack Website Copier 3.40-2
WinZip 11.1
WordWax (remove only)
Xenofex 1.0
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v6
Yahoo! Photos Print-at-Home Tool
Yahoo! Toolbar

New Hijack this Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:29:48, on 19/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://msnia.login.live.com/ppsecure/s ... rf?lc=2057
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra 'Tools' menuitem: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra button: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra 'Tools' menuitem: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

--
End of file - 10927 bytes

Should we now restart the AVG Antispyware?
If so should the settings be restored to the defaults?

Ok, hope all of this helps and doesn't throw too many headaches in your direction.
We appreciate your help.

whitenoiz
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Unread postby curlylad » December 19th, 2007, 6:14 pm

Good Evening whitenoiz

Let's look at what you said:-
Should we now restart the AVG Antispyware?
If so should the settings be restored to the defaults?


If we treat that as two separate questions then the answers are 'No' to both.
You do not need to have the AVG Anti Spyware running all the time, just run a scan with it perhaps once a week.
Do not however mistake it for your AVG Anti Virus, this must be running all the time.

As for the settings, just leave them as they are, they're fine like that.

Firstly however I need to tell you that because our Norton Antivirus was out of date and we could not afford the updates, we have elected to delete this from the system and retain AVG as our principal Virus protection system.

That's fine, I assumed you were using it and paying for the subscription that provides the updates, if you're not then you have made the right move by removing it.


When we tried to delete Norton a part of it could not be deleted. (the updates part we think).

Not to worry, I will provide instructions below to use a tool that will remove all the remnants of the program.


Secondly, when clearing the junk from the temp files we found five files which cannot be removed using the delete button.

You gave a few indications that show a problem in removing some of the temp files on your system.
We will download and use a tool to automatically delete your remaining junk.


OK, I hope that has answered some of your queries and questions, now on with the fix.


STEP 1

Windows Firewall

You have removed the Symantec/Norton security program that you had installed and replaced it with AVG Anti Virus.
The AVG Anti Virus does not include a firewall so we will enable the Windows Firewall.
To do that please follow this instruction.
  1. Click Start, and then click Control Panel
  2. From the Control Panel, click Security Center
  3. If Windows Firewall shows On, you are protected
  4. If Windows Firewall shows OFF continue to 5.
  5. Click Recommendations, Click Enable Now
  6. Click Close, Click OK.



STEP 2

Viewpoint

I see Viewpoint installed..

Viewpoint is considered as foistware instead of malware since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article.

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player



STEP 3

Symantec/Norton Removal Tool

Please click the following link to access the rnav tool http://service1.symantec.com/SUPPORT/ts ... 3108162039
When the page opens under Choose your product:, select the link that refers to the Symantec product that you previously had installed.
Follow the on screen instructions to run the tool.



STEP 4

ATF Cleaner

There appeared to be some stubborn 'junk' files on your system.
We will download and use this tool to hopefully remove them.
In the instructions below make sure that you follow the steps to remove files from Internet Explorer and Mozilla Firefox.

Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



STEP 5

Use HijackThis
  • Open HijackThis
  • Click the button Do a system scan only
  • Place a tick or check mark next to the following entries:-

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  • Now click the Fix Checked button
  • Close HijackThis.

Please now reboot your system before moving on!



STEP 6

Report Back
  • Please now post back a fresh HijackThis Log
  • I would also like to know how your system is now running?
  • Are you experiencing any of the original problems?

I will review the new information and post back further instructions as soon as possible.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham
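A small triage script for the kind of entries curlylad ticks in STEP 5, added here as an example and not a tool from the thread or from Trend Micro: it parses HijackThis 2.0.2 entry lines (a few copied from the log above as constructed sample input) and flags the patterns an analyst looks at first, namely '(file missing)' and '(no file)' references, empty R0 settings, O16 DPF entries with no source, and leftovers of a product the user has already uninstalled. The removed_products parameter and the rule wording are this example's own assumptions.

```python
import re

# Constructed sample: a handful of lines in HijackThis 2.0.2 format, copied
# from the log posted in this thread (nothing here that is not on the page).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O16 - DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
"""

# A HijackThis entry line is "<section> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")


def parse_entries(log_text):
    """Return (section, body, raw_line) for every HijackThis entry line.

    Header lines, the running-process list and the footer do not match
    the entry pattern and are skipped.
    """
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = ENTRY_RE.match(raw)
        if m:
            entries.append((m.group("section"), m.group("body"), raw))
    return entries


def triage(log_text, removed_products=()):
    """Flag entries that are candidates for 'Fix Checked'.

    The rules mirror what the helper picked out in the thread: references to
    files that no longer exist, empty browser settings, DPF entries with no
    download source, and leftovers of a product the user already uninstalled.
    'removed_products' is an assumption of this example, not a HijackThis
    feature. Returns a list of (raw_line, [reasons]). A hit is a candidate
    for review, not a verdict; entries such as the dumprep Run key in the
    thread need analyst knowledge rather than a pattern.
    """
    findings = []
    for section, body, raw in parse_entries(log_text):
        reasons = []
        body = body.rstrip()
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("points at a file that no longer exists")
        if section.startswith("R") and body.endswith("="):
            reasons.append("empty browser setting")
        if section == "O16" and body.endswith("-"):
            reasons.append("DPF (ActiveX download) entry with no source")
        for product in removed_products:
            if product.lower() in body.lower():
                reasons.append("remnant of uninstalled product: " + product)
                break
        if reasons:
            findings.append((raw, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG, removed_products=("Norton AntiVirus",)):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```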

Re: Possible Malware infestation?

Unread postby whitenoiz » December 19th, 2007, 6:48 pm

Good evening,

Just to let you know that we cannot enable Windows Firewall.
When we select it from the Security centre we get an Error Message stating 'Windows Firewall Settings cannot be displayed because the associated service is not running. Do you want to start the Internet Sharing Service?'
We clicked on Yes and got another Error Message stating 'Windows cannot start the Internet Sharing Service...'

We are proceeding with the rest of the checks.

Found Viewpoint Manager and have deleted it.

Installed Norton Removal tool and deleted remains of Norton (we hope).

Now proceeding with next steps...
Thanks for your help much appreciated.
whitenoiz
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Unread postby whitenoiz » December 19th, 2007, 7:55 pm

Hi,
Further to my earlier message, after carrying out the steps as instructed we now are able to enable Windows Firewall and have done so.
All elements of Norton seem to have been deleted.
I am putting the final HJ log at the end of this.
As regards performance improvements, the bootup between steps five and six took 7 minutes.
Difficult to say whether this is typical because sometimes it takes only a couple of minutes, other times anything up to 10 minutes!
We still cannot access System Restore; we still get the same error message as reported to you initially.
Cannot say whether download ADSL speeds have changed much: when we downloaded the Norton Removal Tool we seemed to be on about 25kbps, but this might just have been a fluke. Either way it is still only about 50% of the speed we were seeing about three weeks ago. By anyone's standards, Telefonica's rural ADSL is a bit of a joke. If we lived in Madrid or Barcelona we would have a 3Mbps service for the same price as we are paying for their 'out in the sticks' service!

Incidentally, shortly after the final bootup the computer sort of hiccupped and, whilst it was only a momentary glitch, it left a white toolbar at the bottom of the page which is normally blue.
Also, in the user 'John Veale' account, all of the icons on the startup page wallpaper are highlighted and have been ever since we encountered the 'ABetterInternet' adware that seems to have been the start of the problem some 4 months ago. We do not use this account and leave it alone in case something nasty happens...


Anyway, here's the final HJ log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:33:27, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://msnia.login.live.com/ppsecure/s ... rf?lc=2057
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra 'Tools' menuitem: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra button: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra 'Tools' menuitem: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

--
End of file - 10096 bytes

Thanks again for your help.

whitenoiz
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm
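To show what a helper is looking for when picking the entries to fix in a HijackThis log (the orphaned BHO, toolbar and service lines ending in "(file missing)" or "(no file)", the R0/R1 browser settings with no value, the O20 AppInit_DLLs loader, services with no vendor name), here is an added Python triage script. It is not HijackThis code and not from this thread or its helpers; the sample log is constructed from the entry shapes in the logs above, and the flagging rules are heuristics of my own that mark entries for review, not a verdict on any entry.

```python
"""Triage a HijackThis-style log.

Added example for this thread; it is not HijackThis code and not from the
MalwareRemoval.com helpers. It parses the 'Rn'/'On' entries and flags the
shapes a helper looks at first. The flags are heuristics to review, not a
verdict.
"""
import re
from dataclasses import dataclass, field

# Constructed sample built from the entry shapes in the logs above.
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant =
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://google.icq.com/search/search_frame.php
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\\Program Files\\Norton AntiVirus\\NavShExt.dll (file missing)
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\\PROGRA~1\\INTERN~2\\autocomp.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
"""

# Every HijackThis entry starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    kind: str
    body: str
    reasons: list = field(default_factory=list)  # why it was flagged (empty = unremarkable)


def triage_entry(kind, body):
    """Return the review reasons for one entry; [] means nothing stood out."""
    reasons = []
    body = body.strip()
    # Orphaned entry: the registry still points at a file that is gone
    # (an uninstaller left it, or a cleaner removed the file but not the key).
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        reasons.append("orphaned: referenced file no longer exists")
    # R0/R1 browser settings with no value at all are typical hijack leftovers.
    if kind in ("R0", "R1") and body.endswith("="):
        reasons.append("empty browser setting (hijack remnant)")
    # AppInit_DLLs gets loaded into every process that loads user32.dll,
    # so any value here deserves a look even when the vendor is known.
    if kind == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs loads a DLL into every GUI process")
    # A service with no vendor string is worth identifying before keeping it.
    if kind == "O23" and "Unknown owner" in body:
        reasons.append("service with no vendor name")
    return reasons


def parse_log(text):
    """Parse all entries in a HijackThis log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = Entry(m["kind"], m["body"])
        entry.reasons = triage_entry(entry.kind, entry.body)
        entries.append(entry)
    return entries


def flagged(text):
    """Only the entries that have at least one review reason."""
    return [e for e in parse_log(text) if e.reasons]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind:4} {'; '.join(e.reasons)}\n     {e.body}")
```

The script reports reasons rather than deciding anything: the Google AppInit_DLLs entry above is a legitimate product component, so a flagged line is a prompt to identify the file, which is the same judgement the helper applies before listing an entry under "Fix Checked".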

Re: Possible Malware infestation?

Unread postby curlylad » December 19th, 2007, 8:47 pm

Good Evening whitenoiz

I'm glad to see that you now have a functioning Anti Virus program and that you are now also protected by a firewall.
As for the other problems, Symantec does indeed appear to have now been removed.

OK, we'll see if we can locate any other 'baddies' with the below scan.

First let's see if we can locate and remove ABetterInternet

  • Click Start, click Search, click All Files and Folders
  • In the Look In box select C Drive
  • Click More Advanced Options
  • Select Search system Folders
  • Search Hidden Files and Folders
  • Search subfolders
  • In the All or part of the File name box type ABetterInternet
  • Click Search
  • Delete the Folder/File when found.


NOTE - If you receive an error message, right click the folder, choose Properties and check if the Read only attribute box is checked. If it is, uncheck it and try the procedure again.

Next I need you to run a further scan which will show any more problems we may have.

Download and Run ComboFix

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Report Back

Please now post back telling me if you located and deleted ABetterInternet.
Also post back the Combofix Log.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Re: Possible Malware infestation?

Unread postby whitenoiz » December 20th, 2007, 12:04 am

Hi,
In regard to deleting all files/folders relating to ABetterInternet, after running the search as recommended we found 57 log files for Spybot S&D, Ad-Aware and Counterspy and ewido.
Although the majority of these files are text files (10 are actually Zip files and a couple are config files) they cannot be deleted using Edit > Select All > Delete, neither can we remove them individually.
When we look at the properties for each of these files they all show 0 bytes content and none of the attribute boxes are ticked; the search facility however shows content for each of them, typically between 3 and 5Kbs.
If we try to open the text files we get an error message stating: Cannot find the file etc etc.
This being the case, for the moment we are forced to accept that these are just Spybot's records of its operation during 2005 and more latterly 2007.
Unless you know of a way to delete them it looks like we will just have to leave them alone…

Downloaded ComboFix; here's the log:

ComboFix 07-12-20.1 - whitenoiz 2007-12-20 4:37:49.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.451 [GMT 1:00]
Running from: C:\Documents and Settings\whitenoiz\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\john veale\Desktop\Error Cleaner.url
C:\Documents and Settings\john veale\Desktop\Privacy Protector.url
C:\Documents and Settings\john veale\Favorites\Error Cleaner.url
C:\Documents and Settings\john veale\Favorites\Privacy Protector.url
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\system32\NTSVC.ocx

.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-18 21:15 . 2007-12-18 21:15 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-18 21:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-17 06:25 . 2007-12-17 06:25 <DIR> d-------- C:\WINDOWS\63D3864E464B4379B8F4A8C92EED76F0.TMP
2007-12-17 05:55 . 2007-12-17 05:55 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-17 04:11 . 2007-12-17 04:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-17 04:11 . 2007-12-17 04:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-16 23:09 . 2007-12-16 23:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 13:56 . 2007-12-14 13:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-14 13:51 . 2007-12-14 13:51 <DIR> d-------- C:\Documents and Settings\whitenoiz\.housecall6.6
2007-11-29 16:50 . 2007-11-29 16:50 38,567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-11-29 16:50 . 2007-11-29 16:50 4,096 --a------ C:\WINDOWS\system32\sysres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ------w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:40 --------- d-----w C:\Program Files\Qumana3
2007-11-04 04:40 --------- d-----w C:\Documents and Settings\Olivia\Application Data\Qumana
2007-11-04 04:26 --------- d-----w C:\Program Files\BlogPost
2007-11-01 13:24 --------- d-----w C:\Documents and Settings\Summer\Application Data\Grisoft
2007-11-01 13:24 --------- d-----w C:\Documents and Settings\Summer\Application Data\AVG7
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 16:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 16:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-19 14:28 53,752 ----a-w C:\Documents and Settings\whitenoiz\Application Data\GDIPFONTCACHEV1.DAT
2007-09-25 04:11 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-20 18:02 53,752 ----a-w C:\Documents and Settings\Olivia\Application Data\GDIPFONTCACHEV1.DAT
2006-05-23 03:15 56,008 ----a-w C:\Documents and Settings\sylvie veale\Application Data\GDIPFONTCACHEV1.DAT
2006-03-12 16:17 5,219 ----a-w C:\Program Files\uninstal.log
2006-01-09 23:49 2,103,920 ----a-w C:\Program Files\usenext_freeclient.exe
2006-01-06 21:59 2,053,018 ----a-w C:\Program Files\A Personal Tao - Online.pdf
2005-10-29 08:32 41,464 ----a-w C:\Documents and Settings\Summer\Application Data\GDIPFONTCACHEV1.DAT
2005-08-27 17:48 40,664 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2005-08-08 11:21 864,768 ----a-w C:\Program Files\setup.msi
2005-08-08 11:21 172 ----a-w C:\Program Files\Setup.Ini
2005-08-07 02:19 1,762,334 ----a-w C:\Program Files\PhotobucketUploaderSetup.exe
2005-08-04 19:52 179,828 ----a-w C:\Program Files\LiveJournal-iPhoto-Exporter-1.0.dmg
2005-07-30 13:15 327 ----a-w C:\Program Files\xpwizard.reg
2005-07-26 11:39 1,150,423 ----a-w C:\Program Files\smf_1-0-5_install.zip
2005-07-13 19:59 13,687 ----a-w C:\Program Files\index.php
2005-07-13 19:24 196,041 ----a-w C:\Program Files\changelog.txt
2005-07-13 14:32 7,629 ----a-w C:\Program Files\fosi.nfo
2005-07-13 14:21 9,008,083 ----a-w C:\Program Files\fo-ec5i.exe
2005-07-03 23:15 50,589 ----a-w C:\Program Files\SSI.php
2005-07-03 23:15 44,636 ----a-w C:\Program Files\install.php
2005-07-02 11:56 40,664 ----a-w C:\Documents and Settings\john veale\Application Data\GDIPFONTCACHEV1.DAT
2005-06-22 23:15 8,599 ----a-w C:\Program Files\readme.html
2005-06-22 23:15 5,391 ----a-w C:\Program Files\ssi_examples.shtml
2005-06-22 23:15 5,365 ----a-w C:\Program Files\ssi_examples.php
2005-06-22 23:15 4,001 ----a-w C:\Program Files\license.txt
2005-06-22 23:15 33,924 ----a-w C:\Program Files\smf_1-0.sql
2005-06-22 23:15 3,973 ----a-w C:\Program Files\Settings.php
2005-06-22 23:15 3,355 ----a-w C:\Program Files\agreement.txt
2005-06-22 23:15 3,274 ----a-w C:\Program Files\Settings_bak.php
2005-06-22 23:15 2,381 ----a-w C:\Program Files\news_readme.html
2005-06-22 23:15 12,844 ----a-w C:\Program Files\changelog-themes.txt
2005-05-25 21:33 37 ----a-w C:\Documents and Settings\Summer\Application Data\tvmcwrd.dll
2005-05-25 19:53 380,235 ----a-w C:\Documents and Settings\Summer\Application Data\tvmknwrd.dll
2005-05-25 18:48 63 ----a-w C:\Documents and Settings\john veale\Application Data\tvmuknwrd.dll
2005-05-25 18:48 30 ----a-w C:\Documents and Settings\john veale\Application Data\tvmcwrd.dll
2005-05-25 16:35 380,235 ----a-w C:\Documents and Settings\john veale\Application Data\tvmknwrd.dll
2004-05-15 21:49 2,531,574 ------w C:\Documents and Settings\john veale\acarsd-1.40Pre3.zip
2004-05-15 21:17 8,322,656 ------w C:\Documents and Settings\john veale\SkySweStd.zip
2004-03-04 17:48 16,706,160 ------w C:\Documents and Settings\All Users\AdbeRdr60_enu_full.exe
2004-02-25 12:27 441,480 ------w C:\Documents and Settings\All Users\Reflet.zip
2003-08-27 13:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
2003-03-18 21:03 110,592 ----a-w C:\Program Files\Setup.Exe
2002-12-23 21:06 115 ------w C:\Program Files\PiCoDialogFix.reg
2002-10-12 12:36 2,312 ------w C:\Program Files\RegistrationForm.txt
2001-06-28 11:41 4,880 ------w C:\Program Files\TipofDay.txt
2001-03-21 17:00 59,687 ------w C:\Program Files\TubeURLs.txt
2001-02-24 14:17 1,252,352 ------w C:\Program Files\PiCoLight.exe
2001-02-21 16:47 3,735 ------w C:\Program Files\FilterURLs.txt
2000-11-21 16:00 586 ------w C:\Program Files\Help.htm
2000-09-27 11:49 230,454 ------w C:\Program Files\Test.Bmp
1999-10-15 05:57 790 ------w C:\Program Files\Snipets.db
1998-06-05 08:28 57,344 ------w C:\Program Files\photo30.dll
1998-03-05 16:50 49,152 ------w C:\Program Files\photo304.dll
2005-10-13 20:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 14:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-10-07 18:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2006-04-27 09:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-06-11 18:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 22:01 C:\WINDOWS\SOUNDMAN.EXE]
"IW_ControlCenter"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-02-21 10:27]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-09-30 07:09]
"LWBMOUSE"="C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE" [2001-11-09 07:47]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-30 13:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-24 08:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-23 01:39]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 08:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-05-15 11:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 12:12]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
R1 vobcom;vobcom;C:\WINDOWS\system32\drivers\vobcom.sys [2001-10-04 11:53]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2003-02-27 17:32]
R2 WebDriveFSD;WebDrive File System Driver;C:\Program Files\NetDrive\rffsd.sys [2002-11-27 13:40]
R3 Cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2002-12-13 17:33]
S2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe []
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 06:58]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 06:58]
S3 DCamUSBSvis;Sound Vision Stream Driver;C:\WINDOWS\system32\DRIVERS\svstream.sys [2001-05-07 16:11]
S3 Freeserve;TIDSLInstaller Device Driver;C:\WINDOWS\system32\DRIVERS\instl.sys [2003-03-18 07:05]
S3 FreshIO;FreshIO;C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys []
S3 TIAu5Bt;Copperjet ADSL modem Boot Device;C:\WINDOWS\system32\Drivers\tiau5bt.sys []
S3 TIAU5CO;Copperjet ADSL modem connecting with Freeserve Broadband;C:\WINDOWS\system32\DRIVERS\TIAU5CO.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 13:10:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{420E147D-6489-424E-B37F-15BC34EB9780}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 04:41:11
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-20 4:41:46
.
2007-12-17 02:04:30 --- E O F ---


Thanks again

whitenoiz
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Unread postby curlylad » December 20th, 2007, 4:23 pm

Good Evening whitenoiz

The Combofix Log showed a few entries that need to be removed.
There were also indications of a few other things that we will need to use specific tools or programs to remove.

OK, here's what I need you to do next:-

STEP 1

SmitfraudFix

Please download SmitfraudFix (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm



STEP 2

CFScript


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the quote box below:

    File::
    C:\Documents and Settings\Summer\Application Data\tvmcwrd.dll
    C:\Documents and Settings\Summer\Application Data\tvmknwrd.dll
    C:\Documents and Settings\john veale\Application Data\tvmuknwrd.dll
    C:\Documents and Settings\john veale\Application Data\tvmcwrd.dll
    C:\Documents and Settings\john veale\Application Data\tvmknwrd.dll

    Folder::
    C:\Program Files\TV Media


  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please post the new ComboFix log in your next reply.



STEP 3

Report Back
  • Please now post back the SmitfraudFix Log
  • Also the Combofix Log.

I will again review the information and provide any further necessary steps as soon as possible.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham
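The ComboFix log in the previous post and the CFScript in this one are two ends of the same workflow: the Find3M Report lists files by timestamp, size, attribute flags and path, and the helper turns a reviewed subset of those paths into File:: and Folder:: blocks. Here is an added Python example that parses Find3M lines into records, picks out the tvm*.dll files the way a helper would, and renders the CFScript block shape shown above. It is not ComboFix's own code and not from this thread; the sample lines are constructed from rows in the posted log, and the hidden+system flag is my own review heuristic, not a detection.

```python
"""Turn ComboFix 'Find3M Report' lines into records, then build a CFScript.

Added example; it is not ComboFix code and not from the MalwareRemoval.com
thread. Only the line layout visible in the posted log and the File:: /
Folder:: block shape from the helper's post are reproduced.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the Find3M layout:
#   <timestamp> <size, or dashes for a directory> <attribute flags> <path>
# The tvm*.dll paths are the ones the helper put into the CFScript above.
FIND3M_SAMPLE = """\
2007-11-13 10:25 20,480 ------w C:\\WINDOWS\\system32\\drivers\\secdrv.sys
2007-11-04 04:40 --------- d-----w C:\\Program Files\\Qumana3
2005-05-25 21:33 37 ----a-w C:\\Documents and Settings\\Summer\\Application Data\\tvmcwrd.dll
2005-05-25 19:53 380,235 ----a-w C:\\Documents and Settings\\Summer\\Application Data\\tvmknwrd.dll
2005-10-13 20:27 422,400 --sha-r C:\\WINDOWS\\x2.64.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]+)\s+"
    r"(?P<path>.+)$"
)


@dataclass
class Find3MRecord:
    timestamp: str
    size: Optional[int]  # None for a directory entry
    attrs: str           # e.g. '----a-w', 'd-----w', '--sha-r'
    path: str

    @property
    def is_dir(self):
        return self.attrs.startswith("d")

    @property
    def hidden_system(self):
        # 's' and 'h' set together (the --sha-r rows in the log above): files
        # kept out of Explorer's default view, so worth identifying by hand.
        return "s" in self.attrs and "h" in self.attrs


def parse_find3m(text):
    """Parse Find3M lines; anything else (section banners, dots) is skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if set(m["size"]) == {"-"} else int(m["size"].replace(",", ""))
        records.append(Find3MRecord(m["ts"], size, m["attrs"], m["path"]))
    return records


def basename(path):
    return path.rsplit("\\", 1)[-1]


def select_by_basename(records, prefix):
    """Pick records whose file name starts with prefix (case-insensitive)."""
    return [r for r in records if basename(r.path).lower().startswith(prefix.lower())]


def build_cfscript(records, extra_folders=()):
    """Render the File:: / Folder:: blocks in the shape the helper's post uses."""
    files = [r.path for r in records if not r.is_dir]
    folders = [r.path for r in records if r.is_dir] + list(extra_folders)
    blocks = []
    if files:
        blocks.append("File::\n" + "\n".join(files))
    if folders:
        blocks.append("Folder::\n" + "\n".join(folders))
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    recs = parse_find3m(FIND3M_SAMPLE)
    for r in recs:
        if r.hidden_system:
            print("hidden+system:", r.path)
    print(build_cfscript(select_by_basename(recs, "tvm"),
                         extra_folders=["C:\\Program Files\\TV Media"]))
```

The selection step is deliberately separate from the rendering step: the records a script pulls out are a shortlist for the person reviewing the log, and only paths that have been identified go into the CFScript, which is why the folder not present in the Find3M output is passed in explicitly rather than guessed.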

Re: Possible Malware infestation?

Unread postby whitenoiz » December 20th, 2007, 6:15 pm

Good Evening,
Here are the results of the two scans as requested:

SmitfraudFix log:
SmitFraudFix v2.274

Scan done at 22:39:15.90, 20/12/2007
Run from C:\Documents and Settings\whitenoiz\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\whitenoiz


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\whitenoiz\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\WHITEN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~3\\GOEC62~1.DLL"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 80.58.61.250
DNS Server Search Order: 80.58.61.254

HKLM\SYSTEM\CCS\Services\Tcpip\..\{0E4CFE31-C7CB-461C-A21C-D3A035185161}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\..\{0E4CFE31-C7CB-461C-A21C-D3A035185161}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{0E4CFE31-C7CB-461C-A21C-D3A035185161}: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=80.58.61.250 80.58.61.254


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Second ComboFix log:

ComboFix 07-12-20.1 - whitenoiz 2007-12-20 22:49:42.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.635 [GMT 1:00]
Running from: C:\Documents and Settings\whitenoiz\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\whitenoiz\Desktop\CFScript.txt

FILE
C:\Documents and Settings\john veale\Application Data\tvmcwrd.dll
C:\Documents and Settings\john veale\Application Data\tvmknwrd.dll
C:\Documents and Settings\john veale\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Summer\Application Data\tvmcwrd.dll
C:\Documents and Settings\Summer\Application Data\tvmknwrd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\john veale\Application Data\tvmcwrd.dll
C:\Documents and Settings\john veale\Application Data\tvmknwrd.dll
C:\Documents and Settings\john veale\Application Data\tvmuknwrd.dll
C:\Documents and Settings\Summer\Application Data\tvmcwrd.dll
C:\Documents and Settings\Summer\Application Data\tvmknwrd.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-20 to 2007-12-20 )))))))))))))))))))))))))))))))
.

2007-12-20 22:39 . 2007-12-20 22:39 3,320 --a------ C:\WINDOWS\system32\tmp.reg
2007-12-20 22:34 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-12-20 22:34 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-12-20 22:34 . 2007-12-19 22:57 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2007-12-20 22:34 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-12-20 22:34 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-12-20 22:34 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-12-20 16:45 . 2007-12-20 16:45 <DIR> d-------- C:\New Folder
2007-12-20 16:39 . 2007-12-20 16:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-20 16:39 . 2007-12-20 16:39 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-18 21:15 . 2007-12-18 21:15 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-18 21:15 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-17 06:25 . 2007-12-17 06:25 <DIR> d-------- C:\WINDOWS\63D3864E464B4379B8F4A8C92EED76F0.TMP
2007-12-17 05:55 . 2007-12-17 05:55 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-17 04:11 . 2007-12-17 04:11 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-17 04:11 . 2007-12-17 04:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-16 23:09 . 2007-12-16 23:09 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 13:56 . 2007-12-14 13:51 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-14 13:51 . 2007-12-14 13:51 <DIR> d-------- C:\Documents and Settings\whitenoiz\.housecall6.6
2007-11-29 16:50 . 2007-11-29 16:50 38,567 --a------ C:\WINDOWS\system32\pcpbios.exe
2007-11-29 16:50 . 2007-11-29 16:50 4,096 --a------ C:\WINDOWS\system32\sysres.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 10:25 20,480 ------w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 04:40 --------- d-----w C:\Program Files\Qumana3
2007-11-04 04:40 --------- d-----w C:\Documents and Settings\Olivia\Application Data\Qumana
2007-11-04 04:26 --------- d-----w C:\Program Files\BlogPost
2007-11-01 13:24 --------- d-----w C:\Documents and Settings\Summer\Application Data\Grisoft
2007-11-01 13:24 --------- d-----w C:\Documents and Settings\Summer\Application Data\AVG7
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 16:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 16:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-19 14:28 53,752 ----a-w C:\Documents and Settings\whitenoiz\Application Data\GDIPFONTCACHEV1.DAT
2007-09-25 04:11 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-09-20 18:02 53,752 ----a-w C:\Documents and Settings\Olivia\Application Data\GDIPFONTCACHEV1.DAT
2006-05-23 03:15 56,008 ----a-w C:\Documents and Settings\sylvie veale\Application Data\GDIPFONTCACHEV1.DAT
2006-03-12 16:17 5,219 ----a-w C:\Program Files\uninstal.log
2006-01-09 23:49 2,103,920 ----a-w C:\Program Files\usenext_freeclient.exe
2006-01-06 21:59 2,053,018 ----a-w C:\Program Files\A Personal Tao - Online.pdf
2005-10-29 08:32 41,464 ----a-w C:\Documents and Settings\Summer\Application Data\GDIPFONTCACHEV1.DAT
2005-08-27 17:48 40,664 ----a-w C:\Documents and Settings\Guest\Application Data\GDIPFONTCACHEV1.DAT
2005-08-08 11:21 864,768 ----a-w C:\Program Files\setup.msi
2005-08-08 11:21 172 ----a-w C:\Program Files\Setup.Ini
2005-08-07 02:19 1,762,334 ----a-w C:\Program Files\PhotobucketUploaderSetup.exe
2005-08-04 19:52 179,828 ----a-w C:\Program Files\LiveJournal-iPhoto-Exporter-1.0.dmg
2005-07-30 13:15 327 ----a-w C:\Program Files\xpwizard.reg
2005-07-26 11:39 1,150,423 ----a-w C:\Program Files\smf_1-0-5_install.zip
2005-07-13 19:59 13,687 ----a-w C:\Program Files\index.php
2005-07-13 19:24 196,041 ----a-w C:\Program Files\changelog.txt
2005-07-13 14:32 7,629 ----a-w C:\Program Files\fosi.nfo
2005-07-13 14:21 9,008,083 ----a-w C:\Program Files\fo-ec5i.exe
2005-07-03 23:15 50,589 ----a-w C:\Program Files\SSI.php
2005-07-03 23:15 44,636 ----a-w C:\Program Files\install.php
2005-07-02 11:56 40,664 ----a-w C:\Documents and Settings\john veale\Application Data\GDIPFONTCACHEV1.DAT
2005-06-22 23:15 8,599 ----a-w C:\Program Files\readme.html
2005-06-22 23:15 5,391 ----a-w C:\Program Files\ssi_examples.shtml
2005-06-22 23:15 5,365 ----a-w C:\Program Files\ssi_examples.php
2005-06-22 23:15 4,001 ----a-w C:\Program Files\license.txt
2005-06-22 23:15 33,924 ----a-w C:\Program Files\smf_1-0.sql
2005-06-22 23:15 3,973 ----a-w C:\Program Files\Settings.php
2005-06-22 23:15 3,355 ----a-w C:\Program Files\agreement.txt
2005-06-22 23:15 3,274 ----a-w C:\Program Files\Settings_bak.php
2005-06-22 23:15 2,381 ----a-w C:\Program Files\news_readme.html
2005-06-22 23:15 12,844 ----a-w C:\Program Files\changelog-themes.txt
2004-05-15 21:49 2,531,574 ------w C:\Documents and Settings\john veale\acarsd-1.40Pre3.zip
2004-05-15 21:17 8,322,656 ------w C:\Documents and Settings\john veale\SkySweStd.zip
2004-03-04 17:48 16,706,160 ------w C:\Documents and Settings\All Users\AdbeRdr60_enu_full.exe
2004-02-25 12:27 441,480 ------w C:\Documents and Settings\All Users\Reflet.zip
2003-08-27 13:19 36,963 ------r C:\Program Files\Common Files\SM1updtr.dll
2003-03-18 21:03 110,592 ----a-w C:\Program Files\Setup.Exe
2002-12-23 21:06 115 ------w C:\Program Files\PiCoDialogFix.reg
2002-10-12 12:36 2,312 ------w C:\Program Files\RegistrationForm.txt
2001-06-28 11:41 4,880 ------w C:\Program Files\TipofDay.txt
2001-03-21 17:00 59,687 ------w C:\Program Files\TubeURLs.txt
2001-02-24 14:17 1,252,352 ------w C:\Program Files\PiCoLight.exe
2001-02-21 16:47 3,735 ------w C:\Program Files\FilterURLs.txt
2000-11-21 16:00 586 ------w C:\Program Files\Help.htm
2000-09-27 11:49 230,454 ------w C:\Program Files\Test.Bmp
1999-10-15 05:57 790 ------w C:\Program Files\Snipets.db
1998-06-05 08:28 57,344 ------w C:\Program Files\photo30.dll
1998-03-05 16:50 49,152 ------w C:\Program Files\photo304.dll
2005-10-13 20:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-05-13 16:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 10:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-06-26 14:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2005-10-07 18:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2004-01-24 23:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
2005-02-28 12:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2005-07-14 11:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2006-04-27 09:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-20_ 4.41.14.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 09:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2007-12-20 03:11:24 77,174 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-12-20 17:42:24 77,174 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-12-20 03:11:24 473,970 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-12-20 17:42:24 473,970 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 14:08]
"PowerArchiver Tray"="C:\Program Files\PowerArchiver\PASTARTER.EXE" [2007-06-11 18:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 22:01 C:\WINDOWS\SOUNDMAN.EXE]
"IW_ControlCenter"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2003-02-21 10:27]
"MULTIMEDIA KEYBOARD"="C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe" [2003-09-30 07:09]
"LWBMOUSE"="C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE" [2001-11-09 07:47]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 21:36]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-30 13:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-24 08:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-23 01:39]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 08:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-05-15 11:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"DisableLocalMachineRun"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

R1 ewido security suite driver;ewido security suite driver;C:\Program Files\ewido anti-malware\guard.sys [2005-12-30 12:12]
R1 msikbd2k;Multimedia Keyboard Filter Driver;C:\WINDOWS\system32\DRIVERS\msikbd2k.sys [2001-12-20 10:02]
R1 vobcom;vobcom;C:\WINDOWS\system32\drivers\vobcom.sys [2001-10-04 11:53]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2003-02-27 17:32]
R2 WebDriveFSD;WebDrive File System Driver;C:\Program Files\NetDrive\rffsd.sys [2002-11-27 13:40]
R3 Cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2002-12-13 17:33]
S2 nhksrv;Netropa NHK Server;C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe []
S3 AtmElan;ATM Emulated LAN;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 06:58]
S3 AtmLane;ATM LAN Emulation;C:\WINDOWS\system32\DRIVERS\atmlane.sys [2004-08-04 06:58]
S3 DCamUSBSvis;Sound Vision Stream Driver;C:\WINDOWS\system32\DRIVERS\svstream.sys [2001-05-07 16:11]
S3 Freeserve;TIDSLInstaller Device Driver;C:\WINDOWS\system32\DRIVERS\instl.sys [2003-03-18 07:05]
S3 FreshIO;FreshIO;C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys []
S3 TIAu5Bt;Copperjet ADSL modem Boot Device;C:\WINDOWS\system32\Drivers\tiau5bt.sys []
S3 TIAU5CO;Copperjet ADSL modem connecting with Freeserve Broadband;C:\WINDOWS\system32\DRIVERS\TIAU5CO.sys []

.
Contents of the 'Scheduled Tasks' folder
"2007-12-20 11:10:02 C:\WINDOWS\Tasks\User_Feed_Synchronization-{420E147D-6489-424E-B37F-15BC34EB9780}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-20 22:53:20
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\RFHelper.dll
.
Completion time: 2007-12-20 22:53:55
C:\ComboFix2.txt ... 2007-12-20 04:41
.
2007-12-17 02:04:30 --- E O F ---


Just for information, the computer was in storage from July 2006 until August 2007 and moved from the UK to Spain. Don't know if this is likely to have caused any problems.
Windows XP with SP2 is set to receive Security Updates automatically, so in theory it should be up to date and should have downloaded any updates the first time we reconnected to the Internet...

Thanks again for all your help.
whitenoiz
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Unread postby curlylad » December 20th, 2007, 6:32 pm

whitenoiz

I forgot to request a fresh HijackThis log.
Can you please post one back for me to review?
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham

Re: Possible Malware infestation?

Unread postby whitenoiz » December 20th, 2007, 6:43 pm

Hi, no problem, here it is:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:42:48, on 20/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NetDrive\wdService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\PowerArchiver\PASTARTER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.icq.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://msnia.login.live.com/ppsecure/s ... rf?lc=2057
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SnapFlash Class - {A44CBB0B-C77D-4BF5-87CC-B4EE79AD1B7E} - C:\Program Files\Common Files\Justdo\Jd2002.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Mouse Driver\Mouse Driver\3.5\MOUSE32A.EXE
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [PowerArchiver Tray] C:\Program Files\PowerArchiver\PASTARTER.EXE
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash with Flash Catcher - res://C:\Program Files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\YAHOO!\COMMON\yhexbmesuk.dll
O9 - Extra button: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra 'Tools' menuitem: My bookmarks Memotoo.com - {5DB85338-3621-4a55-BAF1-B657765CCCAA} - Shdocvw.dll (file missing)
O9 - Extra button: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra 'Tools' menuitem: AllMyFavorites - {634D3B6D-B1FE-4538-8A09-FCE198C547E4} - C:\Program Files\AllMyFavorites\MyFavIE.dll
O9 - Extra button: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra 'Tools' menuitem: Flash Catcher - {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - C:\Program Files\Common Files\Justdo\IECatcher.DLL
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.c ... pi_416.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\PROGRA~1\INTERN~2\autocomp.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe

--
End of file - 10030 bytes
Thanks
whitenoiz
Regular Member
 
Posts: 18
Joined: December 18th, 2007, 12:40 pm

Re: Possible Malware infestation?

Unread postby curlylad » December 20th, 2007, 7:47 pm

whitenoiz

I've looked over the latest info that you have supplied. There may be some more steps for you to follow, but first I need you to answer some specific questions, please:

1. Can you now access your System Restore? I don't need you to revert to a restore point; I just need to know whether you can access the facility or whether you are still getting the error message you initially reported.

2. How is your system speed now? Is it any faster?

3. Are there any other problems, either existing ones or new ones?

Please answer the above questions and post back the answers as soon as possible.
curlylad
Retired Graduate
 
Posts: 1829
Joined: February 5th, 2006, 5:07 pm
Location: Birmingham