Spyware and trojan infection

Post by harnage1 » June 9th, 2008, 11:44 pm

My computer was recently hijacked by spyware and malware. I have managed to get some of it removed and was wondering if you guys could help me out.
I will list my HijackThis log and the SDFix log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:28 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgupd.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9563.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5951 bytes


SDFix: Version 1.190
Run by Ron Johnson on Mon 06/09/2008 at 09:12 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
MsSecurity1.209.4

Path :
C:\WINDOWS\444.0 service

MsSecurity1.209.4 - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default IE Settings

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\vntiho06\vntiho061083.exe - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\b156.exe - Deleted
C:\WINDOWS\mrofinu72.exe - Deleted
C:\WINDOWS\megavid.cdt - Deleted
C:\WINDOWS\muotr.so - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\sft.res - Deleted
C:\WINDOWS\system32\sockins32.dll - Deleted



Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Temp\vtmp2 - Removed
Folder C:\WINDOWS\system32\vntiho06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-09 21:22:03
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Avant Browser\\avant.exe"="C:\\Program Files\\Avant Browser\\avant.exe:*:Disabled:Avant Browser"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Disabled:uTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :


Finished!
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm
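The HijackThis and SDFix logs in the post above are what a helper reads by eye. As an added example (not code from this thread, from HijackThis or from SDFix), here is a small Python triage pass over HijackThis-format lines; its rules are modelled on the kinds of entries the poster had already fixed (start page pointed at a local file, SSODL/Winlogon Notify DLLs named without a path, Run entries launched from the Windows root or a user profile, an opaque hex argument), the sample lines are constructed from the thread, and the rule names and the 32-character hex threshold are this example's own choices.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the thread: entries the poster fixed plus benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Ron Johnson\Application Data\Microsoft\dtsc\21294.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O20 - Winlogon Notify: opnkkjka - opnkkjKA.dll (file missing)
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<rest>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First token of a command line: a quoted string, or everything up to the first
# executable extension (unquoted paths containing spaces are common in HJT logs).
CMD_RE = re.compile(r'^(?P<path>"[^"]*"|.*?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$', re.I)
MISSING_MARKERS = ("(file missing)", "(no file)")
FILE_MISSING_SECTIONS = {"R3", "O2", "O3", "O4", "O20", "O21", "O23"}
UNQUALIFIED_DLL_SECTIONS = {"O2", "O21"}


@dataclass(frozen=True)
class Finding:
    rule: str      # rule name (this example's own vocabulary, not HijackThis terminology)
    section: str   # HijackThis section code, e.g. "O4"
    line: str      # the offending log line


def _target(rest: str) -> str:
    """Last ' - ' separated field of an entry, with any missing-file marker stripped."""
    target = rest.rsplit(" - ", 1)[-1].strip()
    for marker in MISSING_MARKERS:
        if target.endswith(marker):
            target = target[: -len(marker)].strip()
    return target


def triage_line(line: str) -> list[str]:
    """Return the names of every rule the line trips (empty list for benign lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, rest = m.group("section"), m.group("rest")
    rules: list[str] = []

    # R0/R1: IE start/search pages should be http(s) URLs, not a local file.
    if section in ("R0", "R1") and " = " in rest:
        value = rest.split(" = ", 1)[1].strip().lower()
        if not value.startswith(("http://", "https://")) and value != "about:blank":
            rules.append("local_start_page")

    # Orphaned reference: the registry entry survived but the file it loads is gone.
    if section in FILE_MISSING_SECTIONS and rest.rstrip().endswith(MISSING_MARKERS):
        rules.append("file_missing")

    # BHO / SSODL / Winlogon Notify DLLs given by bare name rather than full path.
    if section in UNQUALIFIED_DLL_SECTIONS or (section == "O20" and rest.startswith("Winlogon Notify:")):
        if "\\" not in _target(rest):
            rules.append("unqualified_dll")

    # O4 Run entries: where the program lives and what it is started with.
    if section == "O4":
        o4 = O4_RE.match(rest)
        cmd = CMD_RE.match(o4.group("cmd")) if o4 else None
        if cmd:
            path = cmd.group("path").strip('"').lower()
            args = cmd.group("args") or ""
            if "\\application data\\" in path or re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path):
                rules.append("profile_or_windows_root_autostart")
            if re.fullmatch(r"[0-9a-f]{32,}", args, re.I):
                rules.append("opaque_hex_argument")
    return rules


def triage(log_text: str) -> list[Finding]:
    """Run every non-empty line of a HijackThis log through the rules."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        for rule in triage_line(line):
            findings.append(Finding(rule, m.group("section"), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.rule:<36} {f.line[:70]}")
```

A hit is a reason to look closer, not a verdict: the "(file missing)" O23 UMWdf service in the poster's log is a harmless Windows leftover that the same rule would flag.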

Re: Spyware and trojan infection

Post by Shaba » June 11th, 2008, 10:44 am

Hi harnage1

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware and trojan infection

Post by harnage1 » June 11th, 2008, 12:52 pm

Deckard's System Scanner v20071014.68
Run by Ron Johnson on 2008-06-11 11:40:00
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-06-11 16:40:06 UTC - RP637 - Deckard's System Scanner Restore Point
19: 2008-06-11 00:33:06 UTC - RP636 - System Checkpoint
18: 2008-06-10 00:04:56 UTC - RP635 - System Checkpoint
17: 2008-06-08 17:45:34 UTC - RP634 - Restore Operation
16: 2008-06-08 15:55:14 UTC - RP633 - Installed AVG 8.0


-- First Restore Point --
1: 2008-05-29 18:46:56 UTC - RP618 - today


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Ron Johnson.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:09 AM, on 6/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ron Johnson\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Ron Johnson.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9563.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5032 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080427-120248-932 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080428-070846-111 R3 - URLSearchHook: (no name) - _{44F9B173-041C-4825-A9B9-D914BD9DCBB3} - (no file)
backup-20080428-070846-808 O2 - BHO: (no name) - {6216444d-3331-48be-9aae-1a8334cb1e48} - C:\WINDOWS\System32\geBuTnNF.dll (file missing)
backup-20080428-070846-204 O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
backup-20080428-070846-728 O8 - Extra context menu item: &Search - http://km.bar.need2find.com/KM/menusearch.html?p=KM
backup-20080428-070846-551 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-070846-146 O20 - Winlogon Notify: opnkkjka - opnkkjKA.dll (file missing)
backup-20080428-070914-896 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-073212-932 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-091911-999 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-111032-162 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-112649-282 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-160039-909 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-160101-649 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080428-190809-440 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080429-113515-118 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080429-113544-154 O18 - Filter hijack: text/html - (no CLSID) - (no file)
backup-20080522-113552-431 O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} (Installer.InstallControl) - http://e5398395dfbe53efc515628699c385ef ... applet.cab
backup-20080522-121326-501 O16 - DPF: {82FFA573-38AA-482A-99AD-91F697B91631} - http://e5398395dfbe53efc515628699c385ef ... applet.cab
backup-20080522-121400-782 O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
backup-20080608-105242-110 O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
backup-20080608-105242-118 O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll (file missing)
backup-20080608-110111-978 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
backup-20080608-110111-708 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080608-110111-488 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
backup-20080608-110111-883 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
backup-20080608-110111-697 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
backup-20080608-110111-254 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080608-110111-521 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
backup-20080608-110111-720 O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\Spcron\Spc.dll
backup-20080608-110111-963 O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
backup-20080608-110111-127 O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll (file missing)
backup-20080608-110259-105 O2 - BHO: (no name) - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - (no file)
backup-20080608-110259-842 O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
backup-20080608-110259-834 O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
backup-20080608-110259-264 O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
backup-20080608-110259-781 O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
backup-20080608-112829-385 O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
backup-20080608-145350-429 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
backup-20080608-145350-205 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080608-145350-985 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:/windows/homepage.html
backup-20080608-145350-380 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://c:/windows/homepage.html
backup-20080608-145350-194 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://c:/windows/homepage.html
backup-20080608-145350-284 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080608-145350-483 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = file://c:/windows/homepage.html
backup-20080608-145350-417 O2 - BHO: (no name) - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - (no file)
backup-20080608-145350-410 O4 - HKCU\..\Run: [Vcsron] C:\Program Files\Vcsron\Vcsron.exe
backup-20080608-145350-165 O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - (no file)
backup-20080608-182842-183 O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Ron Johnson\Application Data\Microsoft\dtsc\21294.exe
backup-20080608-182859-405 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080608-182859-185 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:/windows/homepage.html
backup-20080609-233734-114 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080609-233734-953 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080609-233734-733 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080609-233734-393 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080609-233734-208 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080609-233734-297 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NPPTNT2 - c:\windows\system32\npptnt2.sys <Not Verified; INCA Internet Co., Ltd.; nProtect NPSC Kernel Mode Driver for NT>

S3 catchme - c:\docume~1\ronjoh~1\locals~1\temp\catchme.sys (file missing)
S3 dump_wmimmc - c:\windows\system32\drivers\dump_wmimmc.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 s620nd5 (StormPort (NDIS)) - c:\windows\system32\drivers\s620nd5.sys <Not Verified; MCCI; StormPort>
S3 s620unic (StormPort (WDM)) - c:\windows\system32\drivers\s620unic.sys <Not Verified; MCCI; StormPort>
S3 wanatw (WAN Miniport (ATW)) - c:\windows\system32\drivers\wanatw4.sys (file missing)
S3 wceusbsh (Windows CE USB Serial Host Driver) - c:\windows\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 GEARSecurity (Gear Security Service) - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>

S2 UMWdf (Windows User Mode Driver Framework) - c:\windows\system32\wdfmgr.exe (file missing)
S4 aspnet_state (ASP.NET State Service) - c:\windows\microsoft.net\framework\v2.0.50727\aspnet_state.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8139 Family PCI Fast Ethernet NIC
Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13011186&REV_10\3&61AAA01&0&78
Manufacturer: Realtek
Name: Realtek RTL8139 Family PCI Fast Ethernet NIC
PNP Device ID: PCI\VEN_1186&DEV_1300&SUBSYS_13011186&REV_10\3&61AAA01&0&78
Service: rtl8139


-- Files created between 2008-05-11 and 2008-06-11 -----------------------------

2008-06-09 21:15:26 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-09 21:01:53 0 d-------- C:\lspfix
2008-06-08 14:50:02 0 d--hs---- C:\FOUND.000
2008-06-08 10:58:47 0 d--h----- C:\$AVG8.VAULT$
2008-06-08 10:55:24 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-08 10:55:16 0 d-------- C:\Program Files\AVG
2008-06-08 10:42:42 0 dr-h----- C:\Documents and Settings\Ron Johnson\Recent
2008-05-30 22:51:39 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-30 18:13:07 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-05-30 18:12:57 115712 --a------ C:\Program Files\Microsoft Windows Onecare Live <Not Verified; Microsoft Corp.; Microsoft® CoReXT>
2008-05-30 03:52:15 0 d-------- C:\WINDOWS\system32\DRVSTORE
2008-05-29 22:32:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-27 22:24:51 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-05-27 22:21:06 0 d--h----- C:\Program Files\WindowsUpdate
2008-05-26 22:51:15 0 d-------- C:\Documents and Settings\Ron Johnson\Application Data\Avant Profiles
2008-05-24 21:03:12 0 d-------- C:\softpaq
2008-05-22 22:15:20 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-22 12:04:20 0 d-------- C:\Program Files\MSXML 6.0
2008-05-21 22:07:50 0 d-------- C:\Documents and Settings\Ron Johnson\Application Data\ErrorSmart
2008-05-18 16:29:45 4767744 --a------ C:\Documents and Settings\Ron Johnson\ntuser.dat
2008-05-18 16:28:30 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-05-16 09:41:16 0 d-------- C:\Documents and Settings\LocalService\Start Menu
2008-05-16 09:40:29 0 d-------- C:\WINDOWS\Prefetch
2008-05-16 09:31:24 0 d-------- C:\WINDOWS\peernet
2008-05-16 09:31:22 0 d-------- C:\WINDOWS\provisioning
2008-05-16 09:28:29 0 d-------- C:\WINDOWS\ServicePackFiles
2008-05-16 09:19:24 0 d-------- C:\WINDOWS\EHome


-- Find3M Report ---------------------------------------------------------------

2008-05-06 11:51:38 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-29 19:26:30 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-29 19:26:08 0 d-------- C:\Program Files\MSECACHE
2008-04-28 15:54:08 0 d-------- C:\Program Files\Common Files\Java
2008-04-28 07:52:30 0 d-------- C:\Documents and Settings\Ron Johnson\Application Data\Malwarebytes
2008-04-28 07:52:04 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-27 15:32:52 0 d-------- C:\Program Files\CCleaner
2008-04-27 12:25:54 518425 --ahs---- C:\WINDOWS\system32\FNnTuBeg.ini2
2008-04-27 03:40:06 0 d-------- C:\Program Files\Trend Micro


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [08/16/2001 11:41 PM]
"AGRSMMSG"="AGRSMMSG.exe" [06/29/2004 09:06 AM C:\WINDOWS\AGRSMMSG.exe]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [12/16/2003 12:06 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [04/21/2007 12:58 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [03/25/2008 04:28 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [06/08/2008 10:55 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [4/21/2007 12:59:19 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2008-06-11 11:43:04 ------------
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby harnage1 » June 11th, 2008, 12:53 pm

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) Processor
Percentage of Memory in Use: 44%
Physical Memory (total/avail): 511.42 MiB / 283.04 MiB
Pagefile Memory (total/avail): 1250.59 MiB / 1031.45 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1944.92 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 19.11 GiB total, 6.93 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - QUANTUM FIREBALLP LM20.5 - 19.14 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 19.12 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

AV: AVG Anti-Virus v8.0 (AVG Technologies)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"="C:\\Program Files\\AVG\\AVG8\\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\\Program Files\\Avant Browser\\avant.exe"="C:\\Program Files\\Avant Browser\\avant.exe:*:Disabled:Avant Browser"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Disabled:uTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Ron Johnson\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ROJO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Ron Johnson
LOGONSERVER=\\ROJO
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 2 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0201
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\RONJOH~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\RONJOH~1\LOCALS~1\Temp
USERDOMAIN=ROJO
USERNAME=Ron Johnson
USERPROFILE=C:\Documents and Settings\Ron Johnson
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Ron Johnson (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Agere Systems PCI Soft Modem --> agrsmdel
ArcSoft Panorama Maker 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5F68DC8-0278-4AD8-B413-861509B5F25B}\Setup.exe" -l0x9
AVG 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Championship Mah Jongg --> MsiExec.exe /X{B874E63E-ED0B-49E3-B8D7-C4A31D84E697}
Diablo II --> C:\WINDOWS\DIIUnin.exe C:\WINDOWS\DIIUnin.dat
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Internet Explorer Q903235 --> C:\WINDOWS\ieuninst.exe C:\WINDOWS\INF\Q903235.inf
iTunes --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{9705A7E1-3DD1-4BAC-8CA9-FE7B1473BEC9}
Java(TM) 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Kaspersky Online Scanner --> C:\WINDOWS\System32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Encarta Encyclopedia Standard 2002 --> MsiExec.exe /I{01001202-823E-46CD-A70E-BEE818F97169}
Microsoft Office PowerPoint Viewer 2003 --> MsiExec.exe /X{90AF0409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Word 2002 --> MsiExec.exe /I{911B0409-6000-11D3-8CFE-0050048383C9}
Microsoft Works 2002 Setup Launcher --> C:\Program Files\Microsoft Works Suite 2002\Setup\Launcher.exe F:\
Microsoft Works 6.0 --> MsiExec.exe /I{A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704}
Microsoft Works Suite Add-in for Microsoft Word --> MsiExec.exe /I{C3A439E4-7303-491F-A678-CEA36A87D517}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
PictureProject --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FF3999BE-1A7B-4738-88AA-97BF14094A4A}\Setup.exe" -l0x9 UNINSTALL
PictureProject In Touch Downloader 1.0 --> C:\Program Files\PictureProject In Touch Downloader\uninst.exe
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Roxio UDF Reader --> C:\WINDOWS\System32\UDFRUNIN.EXE
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Shockwave --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
True Love --> "C:\CDOS\True Love\Uninstall.exe"
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type120497 / Error
Event Submitted/Written: 06/08/2008 05:56:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application 21294.exe, version 0.0.0.0, faulting module 21294.exe, version 0.0.0.0, fault address 0x0001a33a.
Processing media-specific event for [21294.exe!ws!]

Event Record #/Type120466 / Error
Event Submitted/Written: 06/07/2008 00:36:29 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type120459 / Error
Event Submitted/Written: 06/06/2008 08:38:35 PM
Event ID/Source: 1001 / Application Error
Event Description:
Fault bucket 210851836.
The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

Event Record #/Type120458 / Error
Event Submitted/Written: 06/06/2008 08:37:48 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module wpespy.dll, version 0.0.0.0, fault address 0x00001e5a.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type120454 / Error
Event Submitted/Written: 06/05/2008 07:21:59 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application realplay.exe, version 6.0.12.1483, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type53227 / Error
Event Submitted/Written: 06/11/2008 11:16:45 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows User Mode Driver Framework service failed to start due to the following error:
%%2

Event Record #/Type53193 / Error
Event Submitted/Written: 06/10/2008 10:29:40 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Windows User Mode Driver Framework service failed to start due to the following error:
%%2

Event Record #/Type53182 / Error
Event Submitted/Written: 06/09/2008 10:28:17 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.

Event Record #/Type53181 / Error
Event Submitted/Written: 06/09/2008 10:27:48 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Automatic Updates service terminated with the following error:
%%2147952506

Event Record #/Type53178 / Error
Event Submitted/Written: 06/09/2008 10:27:47 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {E60687F7-01A1-40AA-86AC-DB1CBF673334} did not register with DCOM within the required timeout.



-- End of Deckard's System Scanner: finished at 2008-06-11 11:43:04 ------------
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby Shaba » June 11th, 2008, 12:58 pm

Hi

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Code:
    C:\WINDOWS\system32\FNnTuBeg.ini2
    

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now, under "Select a target to scan", select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)
    Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)
    Image
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
- otmoveit2 report
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland
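The file Shaba lists for OTMoveIt2 above appears in the Deckard's log with the attribute string `--ahs----`: a plain file in system32 that is both hidden and system, with a non-standard extension. The following is an added example, not code from the original post or from DSS or OTMoveIt2: a hypothetical Python triage helper that parses DSS file-listing lines and flags entries matching those heuristics. SAMPLE_LOG, SYSTEM_DIRS and COMMON_EXTS are constructed assumptions, not values taken from any tool.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Hypothetical triage helper for the file-listing sections of a Deckard's System
# Scanner (DSS) log. It is not part of DSS, OTMoveIt2 or any other tool in this
# thread. It parses lines such as
#     2008-04-27 12:25:54 518425 --ahs---- C:\WINDOWS\system32\FNnTuBeg.ini2
# (date, time, size, attribute string, path, optional <verification tag>) and
# reports plain files that are hidden *and* system, or that carry an unusual
# extension inside a Windows system directory.
DSS_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-a-z]{9}) (.+?)(?: <(.+)>)?$"
)

# Assumed heuristics (lower-case): directories in which an unexpected file type
# deserves a second look, and extensions that are routine there.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\system32\drivers"}
COMMON_EXTS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".drv", ".dat", ".ini",
               ".log", ".inf", ".cat", ".txt", ".bin"}


@dataclass
class DssEntry:
    timestamp: str
    size: int
    attrs: str                   # e.g. "--ahs----": d=directory r=read-only a=archive h=hidden s=system
    path: str
    verify_note: Optional[str]   # text of a trailing <...> tag, e.g. "Not Verified; Vendor; Product"

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dss_lines(text: str) -> List[DssEntry]:
    """Return every file-listing line in *text*; section headers and blanks are skipped."""
    entries: List[DssEntry] = []
    for line in text.splitlines():
        m = DSS_LINE.match(line.strip())
        if m:
            ts, size, attrs, path, note = m.groups()
            entries.append(DssEntry(ts, int(size), attrs, path, note))
    return entries


def assess(entry: DssEntry) -> List[str]:
    """Reasons an entry deserves a closer look; an empty list means nothing stood out."""
    reasons: List[str] = []
    if entry.is_dir:
        return reasons  # hidden+system directories such as C:\FOUND.000 are normal on FAT32
    p = PureWindowsPath(entry.path)
    if entry.hidden and entry.system:
        reasons.append("plain file carries both hidden and system attributes")
    if str(p.parent).lower() in SYSTEM_DIRS and p.suffix.lower() not in COMMON_EXTS:
        reasons.append(f"unusual extension {p.suffix!r} in a Windows system directory")
    if reasons and entry.verify_note and entry.verify_note.lower().startswith("not verified"):
        reasons.append("DSS could not verify the publisher")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons, in log order."""
    flagged: Dict[str, List[str]] = {}
    for entry in parse_dss_lines(text):
        reasons = assess(entry)
        if reasons:
            flagged[entry.path] = reasons
    return flagged


# Constructed sample in the DSS "Find3M Report" format; the entries mirror ones
# posted in this thread, but this is not a copy of the full log.
SAMPLE_LOG = r"""
-- Find3M Report ---------------------------------------------------------------

2008-05-06 11:51:38 1160 --a------ C:\WINDOWS\mozver.dat
2008-04-29 19:26:30 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-04-27 12:25:54 518425 --ahs---- C:\WINDOWS\system32\FNnTuBeg.ini2
2008-06-09 21:15:26 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-06-08 14:50:02 0 d--hs---- C:\FOUND.000
2008-05-30 18:12:57 115712 --a------ C:\Program Files\Microsoft Windows Onecare Live <Not Verified; Microsoft Corp.; Microsoft CoReXT>
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

On the sample only FNnTuBeg.ini2 is reported; the hidden+system C:\FOUND.000 directory and the unverified OneCare file are left alone, which is the noise level a helper wants before reading the rest of the log by hand.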

Re: Spyware and trojan infection

Unread postby harnage1 » June 13th, 2008, 4:15 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:12 PM, on 6/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Ron Johnson\Desktop\vba\visual boy advance.exe
C:\PROGRA~1\AVG\AVG8\avgscanx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se9563.cab
O16 - DPF: {6414512b-b978-451d-a0d8-fcfdf33e833c} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9224956506
O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9224885754
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{74CE9BCD-9360-49B3-8D3D-1E64F9A556A4}: NameServer = 207.69.188.185 207.69.188.186
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

--
End of file - 5299 bytes


C:\WINDOWS\system32\FNnTuBeg.ini2 moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06112008_152025



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 13, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, June 13, 2008 16:46:58
Records in database: 860378
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
E:\

Scan statistics:
Files scanned: 34990
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:11:53


File name / Threat name / Threats count
C:\Documents and Settings\Ron Johnson\Desktop\wpepro09x\WpeSpy.dll Infected: Sniffer.Win32.WpePro.a 1
C:\Documents and Settings\Ron Johnson\Desktop\wpepro09x\WPE PRO.exe Infected: Sniffer.Win32.WpePro.a 1

The selected area was scanned.
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby Shaba » June 14th, 2008, 4:48 am

Hi

Purpose of these?

C:\Documents and Settings\Ron Johnson\Desktop\wpepro09x\WpeSpy.dll Infected: Sniffer.Win32.WpePro.a 1
C:\Documents and Settings\Ron Johnson\Desktop\wpepro09x\WPE PRO.exe Infected: Sniffer.Win32.WpePro.a 1
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware and trojan infection

Unread postby harnage1 » June 14th, 2008, 1:50 pm

I use that program to cheat on a flash game.
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby Shaba » June 14th, 2008, 2:06 pm

Hi

Thanks for the info :)

Any problems left?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware and trojan infection

Unread postby harnage1 » June 15th, 2008, 1:37 pm

My computer is running faster than it was, but programs run slightly slower when I first try to start them (but that may be a problem I have caused, not malware). But they go to regular operating function after 35 seconds.

Also, for some reason, since I upgraded to Windows XP Service Pack 2, in the Task Manager process window the process called "System Idle Process" is always running at 90 CPU.

I believe that is a problem on Microsoft's part because the upgrade disrupted my internet connection for 2 weeks and the Windows firewall has been disabled due to "Due to an unidentified problem, Windows cannot display firewall settings."
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby Shaba » June 15th, 2008, 1:41 pm

Hi

"Also, for some reason, since I upgraded to Windows XP Service Pack 2, in the Task Manager process window the process called "System Idle Process" is always running at 90 CPU."

That is normal, as System Idle Process shows how much of the CPU is not in use :)

"I believe that is a problem on Microsoft's part because the upgrade disrupted my internet connection for 2 weeks and the Windows firewall has been disabled due to "Due to an unidentified problem, Windows cannot display firewall settings.""

See here and post back if it helped, please.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware and trojan infection

Unread postby harnage1 » June 16th, 2008, 12:11 am

No, the advice on that page did not help. I think the only thing I can do is deal with the problem or try to reinstall the service pack.
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby Shaba » June 16th, 2008, 3:53 am

Hi

Yes, or you can alternatively install SP3.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Spyware and trojan infection

Unread postby harnage1 » June 16th, 2008, 11:33 pm

I might do that, but I'm hesitant due to the amount of errors I received after upgrading to SP2, plus all the constant complaints about Vista.
harnage1
Regular Member
 
Posts: 25
Joined: April 27th, 2008, 1:43 pm

Re: Spyware and trojan infection

Unread postby Shaba » June 17th, 2008, 7:27 am

Hi

What kind of errors did you get after the SP2 installation?
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland