Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by EtchaSketch » December 21st, 2008, 3:07 pm

Hello,

I have been very troubled by increasingly poor function of my computer for the last few months. This started not long after I upgraded memory to 2GB last August. The machine ran more efficiently, as expected, for a short time. Then performance started mysteriously going downhill.

A number of “strange” things have happened, an account of which I have available and will supply if requested. For now, I don't want to overload my initial plea for help with too much information.

I am an intermediate to advanced computer user who has done everything I know, and everything that has been recommended, to improve computer performance. Out of desperation, I have utilized several performance “optimizer” programs with no improvement.

I have repeatedly run a variety of anti-virus and anti-malware scans, most of which have found nothing at all, and some have detected what seemed to be minor problems that were quarantined or removed.

What brings me here today to ask for help, is that I ran a Kaspersky scan yesterday that found seven fraud-related “trojan-spy” files on my secondary hard drive. In reading about how these codes work, all the computer troubles I've had over the last several months have begun to make sense. The primary indicator is that, indeed, a credit card number I used to make a purchase online (the same month “strange things started to happen”) had been detected and used without my authorization. (That matter has been resolved with my bank and the merchant.)

I am VERY concerned that my computer activities are being monitored or harvested and that poor performance might be related to Kaspersky's findings.

My HJT log follows. Because it's so relevant to why I'm asking for help, I have included the Kaspersky Online Scanner Report of yesterday.

Thank you in advance for your help.

================================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:30 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files\adsgone\adsgone.exe
C:\Program Files\CyberPower UPS\pppeuser.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\CyberPower UPS\ppped.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\EarthLink Accelerator\propelac.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Adsgone] c:\program files\adsgone\adsgone.exe -s
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower UPS\pppeuser.exe"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9523293859
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9522871890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC FineTune Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8103 bytes


================================================================================


Note: While watching the Kaspersky scan, at 88% complete, it suddenly stopped and indicated completed.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 20, 2008 06:56:40
Records in database: 1490569
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 151823
Threat name: 7
Infected objects: 7
Suspicious objects: 8
Duration of the scan: 09:28:12


File name / Threat name / Threats count

C:\Documents and Settings\Seagate\My Documents\Backup\Outlook Express Data and Settings from Annie\Message Store\Earthlink\Bank One.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1

C:\Documents and Settings\Seagate\My Documents\Backup\Outlook Express Data and Settings from Annie\Message Store\Earthlink\PayPal, Panelopee.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1

D:\Backup Files\zzz Archives\Microsoft.rar
Suspicious: Trojan-Spy.HTML.Fraud.gen 1

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Citifraud.ae 1

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Smitfraud.c 1

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Bankfraud.w 1

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 2

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Bayfraud.ib 1

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Email-Worm.Win32.Bagle.ck 1

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Paylap.ev 2

D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Sent Items.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1

D:\Outlook Express Data and Settings\Message Store\Earthlink\Bank One.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1

D:\Outlook Express Data and Settings\Message Store\Earthlink\PayPal, Panelopee.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
---------------------------------------------------------------------------------
end
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm
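As an added example (my own code, not a tool from this thread or from Trend Micro), here is a small parser for logs in the HijackThis format posted above, with the few triage checks a helper normally applies by eye: an R1 proxy setting (the posted log carries "ProxyServer = http=localhost:8080", which is worth tracing to the program actually listening on that port before treating it as benign), O4 Run entries that are a bare filename or live outside the usual install roots, O16 downloaded ActiveX controls, O20 AppInit_DLLs, and O23 services with no publisher string. The sample log is constructed in the shape of the posted one; the "[Updater]" line is invented only to exercise the outside-install-roots check and does not appear in the user's log.

```python
"""Parse a HijackThis-style log into typed entries and run a few triage checks.

Added example for this thread, not a tool from the page.  SAMPLE_LOG is
constructed in the shape of the HJT logs posted above; the '[Updater]' O4 line
is invented purely to exercise the 'binary outside the usual install roots'
check.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Updater] C:\Documents and Settings\User\Application Data\upd.exe -s
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
"""

# "O4 - <body>", "R1 - <body>", ...; the header and the process list do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Body of an O4 Run entry: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading executable of a command line, quoted or not, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|dll|com|scr|bat|cmd|vbs|pif))"?(?:\s.*)?$', re.I)

# Directories an installed program normally lives under on an XP-era box (assumption).
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\progra~1")


@dataclass(frozen=True)
class Entry:
    code: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the R*/O* entries of an HJT log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def run_target(body: str) -> tuple[str, str] | None:
    """For an O4 Run entry return (name, executable path); None if it is not one."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m["cmd"].strip()
    e = EXE_RE.match(cmd)
    return m["name"], (e["path"] if e else cmd)


def triage(entries: list[Entry]) -> list[str]:
    """Apply cheap checks; each finding is a string prefixed with the entry code."""
    findings = []
    for en in entries:
        if en.code == "R1" and "ProxyServer" in en.body:
            proxy = en.body.split("=", 1)[1].strip()
            findings.append(f"R1: HTTP proxy set ({proxy}); identify the listener on that port")
        elif en.code == "O4":
            tgt = run_target(en.body)
            if tgt is None:
                continue
            name, path = tgt
            if "\\" not in path:
                findings.append(f"O4: [{name}] bare filename {path!r}; resolved via PATH, confirm its location")
            elif not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(f"O4: [{name}] runs from outside install roots: {path}")
        elif en.code == "O16":
            findings.append(f"O16: downloaded ActiveX control present: {en.body}")
        elif en.code == "O20" and en.body.startswith("AppInit_DLLs:"):
            dll = en.body.split(":", 1)[1].strip()
            findings.append(f"O20: AppInit_DLLs loads into every process that uses user32.dll: {dll}")
        elif en.code == "O23" and "Unknown owner" in en.body:
            findings.append(f"O23: service with no publisher string: {en.body}")
    return findings


if __name__ == "__main__":
    for line in triage(parse_hjt(SAMPLE_LOG)):
        print(line)
```

Every finding is a lead to verify, not a verdict: the ZoneAlarm entry passes, the LTMSG entry (which is also in the posted log) is flagged only because a bare filename is resolved through PATH and the helper has to confirm where it lives, and the AVG AppInit_DLLs entry is listed because anything in that value is injected broadly and should be identified by name.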

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by John B. » December 25th, 2008, 8:47 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.

These rules are good for you to know:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

These rules are to make my voluntary work more comfortable:
  • Please be patient. The work I do is voluntary and I also have a private life (school, work, friends and hobbies).
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • Please reply to this thread. Do not start a new topic.
  • Also, don't post logs as attachments. Other helpers like to view the logs as well, and opening a lot of attachments is irritating. They can also contain malware.

Finally, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Open The Misc Tool Section button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Save the file to your desktop and post the contents in a reply to this topic. Also post a fresh HijackThis log.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Fresh HJT and Uninstall Logs

Post by EtchaSketch » December 25th, 2008, 10:54 am

Hey, hi John. :) Boy am I glad to 'see' you.

Thanks for taking the time to work with me on a holiday. I hope you're having a wonderful Christmas.

Here are the logs you requested:

--------------------------------------------------------
HJT's Uninstall List:

Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player 11
AdsGone Spyware Blocker Popup Killer 2007 7.0.8 build 1!
AVG Free 8.0
ClickArt 50,000
Compatibility Pack for the 2007 Office system
Convert
CyberPower PowerPanel Personal Edition
Driver Installer
EarthLink Accelerator
EarthLink PC FineTune
FlashPath
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Intel(R) PRO Network Adapters and Drivers
j2 Messenger 4.2
Java(TM) 6 Update 4
Malwarebytes' Anti-Malware
Merriam-Webster
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MapPoint North America 2004
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
Motorola Driver Installation
Mozilla Firefox (1.5)
Mozilla Firefox (3.0.5)
Mozilla Firefox (3.1b2)
Nokia Connectivity Adapter Cable DKU-5
OpenOffice.org 2.4
PayPal Plug-In
PC Pitstop Exterminate2 2.0
PC Pitstop Optimize2 2.0
Quick Screen Capture 3.0
Quicken 2002 New User Edition
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
SmartDraw 2008
Spybot - Search & Destroy
SpywareBlaster 4.1
SUPERAntiSpyware Free Edition
System Requirements Lab
TurboNote+ 6.4
Uniblue RegistryBooster 2
Uniblue SpeedUpMyPC 3
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
ZoneAlarm Pro

----------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:39 AM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\EarthLink Accelerator\propelac.exe
C:\program files\adsgone\adsgone.exe
C:\Program Files\CyberPower UPS\pppeuser.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\CyberPower UPS\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Adsgone] c:\program files\adsgone\adsgone.exe -s
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower UPS\pppeuser.exe"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9523293859
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9522871890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7802 bytes
EtchaSketch

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Post by John B. » December 25th, 2008, 3:39 pm

Hi,

Let's comment first on a couple of things you said.

EtchaSketch wrote:
I am an intermediate to advanced computer user who has done everything I know, and everything that has been recommended, to improve computer performance. Out of desperation, I have utilized several performance “optimizer” programs with no improvement.

We do not recommend the use of those "optimizer" programs. Some people believe that they work, but your case is another good example of where they do not seem to.

There are two types of those programs: registry cleaners and programs which do other things to optimize your computer. We strongly advise against registry cleaners, because some just pick the wrong things, and messing with the registry can crash your computer. Also, cleaning up orphaned registry entries should not have much effect. Programs which do other things to optimize your computer are also not recommended, because, again, they may do things to your computer which can break it, as your computer is not identical to your neighbours' and may be completely different.

After your problems are resolved I will give you a link to a page where the best and safest optimization tips & tricks are given.

EtchaSketch wrote:
What brings me here today to ask for help, is that I ran a Kaspersky scan yesterday that found seven fraud-related “trojan-spy” files on my secondary hard drive. In reading about how these codes work, all the computer troubles I've had over the last several months have begun to make sense. The primary indicator is that, indeed, a credit card number I used to make a purchase online (the same month “strange things started to happen”) had been detected and used without my authorization. (That matter has been resolved with my bank and the merchant.)

I am VERY concerned that my computer activities are being monitored or harvested and that poor performance might be related to Kaspersky's findings.

The Kaspersky results mostly show that there are a couple of infected or bad e-mails in your e-mail folders. For example your inbox and sent items contain at least one malicious e-mail. This should not be too worrying, because the malware does not always have to jump from your e-mail to the computer (think of unopened attachments, etc.), but still it is best to resolve this. We will work on this :)

Please visit this webpage for download links, and instructions for running the first tool we will be using: ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. For information on how to disable your anti virus program please see this:
http://www.bleepingcomputer.com/forums/topic114351.html

Go on with the ComboFix guide; when it opens its log, please post it together with a new HijackThis log.

Remember that the ComboFix log is saved here: C:\ComboFix.txt

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » December 25th, 2008, 10:13 pm

Hi John,

Thank you for the good feedback, and the reminder about just saying no to “optimizing” programs. :oops: Silly me. I knew better, but got to a point of flailing recklessness with attempts to fix the mess my computer had become. No doubt, ‘automatic optimization’ has greater potential to do damage than make improvements – and probably has in this case.

ComboFix and fresh HJT logs follow.

Just to note: After installing the Windows Recovery Console and running ComboFix, upon FireFox restart, FF gave the message that it was no longer the default browser. Not sure what changed this, but I reset it.

=======================================================

ComboFix 08-12-24.01 - Seagate 2008-12-25 19:28:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2048.1426 [GMT -6:00]
Running from: c:\documents and settings\Seagate\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Seagate\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-26 to 2008-12-26 )))))))))))))))))))))))))))))))
.

2008-12-18 19:45 . 2008-12-18 20:09 <DIR> d--h----- C:\_Backup
2008-12-18 19:44 . 2008-12-18 19:44 <DIR> d-------- c:\documents and settings\Seagate\Application Data\EarthLink
2008-12-18 19:43 . 2008-12-18 19:43 <DIR> d-------- c:\program files\EarthLink
2008-12-18 01:13 . 2008-12-25 19:15 <DIR> d-------- c:\program files\Mozilla Firefox 3.0
2008-12-17 22:24 . 2008-12-17 23:00 <DIR> d-------- c:\program files\Mozilla Firefox 3.1 Beta 2
2008-12-17 18:11 . 2008-12-17 18:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2008-12-17 15:48 . 2008-12-17 15:48 <DIR> d-------- c:\documents and settings\Seagate\Application Data\AT&T
2008-12-17 15:47 . 2008-12-17 15:47 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Bytemobile
2008-12-17 15:41 . 2003-09-08 14:43 89,728 --a------ c:\windows\system32\drivers\usbvsp.sys
2008-12-17 15:40 . 2008-12-17 15:40 <DIR> d-------- c:\documents and settings\Seagate\Application Data\DBUpdater
2008-12-17 15:40 . 2008-07-11 12:30 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2008-12-17 15:36 . 2008-12-17 15:36 <DIR> d-------- c:\documents and settings\Seagate\Application Data\Sierra Wireless
2008-12-17 15:36 . 2008-04-17 14:30 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2008-12-17 15:36 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2008-12-17 15:35 . 2008-12-17 15:35 <DIR> d-------- c:\program files\Sierra Wireless Inc
2008-12-17 15:33 . 2008-12-17 15:33 <DIR> d----c--- c:\windows\system32\DRVSTORE
2008-12-17 15:33 . 2008-12-17 15:33 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2008-12-17 15:30 . 2008-12-17 15:30 <DIR> d-------- c:\program files\Option
2008-12-17 08:35 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-17 07:50 . 2008-12-17 12:31 <DIR> d-------- c:\program files\EarthLink Accelerator
2008-12-12 04:11 . 2008-12-12 04:11 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-12 04:11 . 2008-12-12 04:11 76,040 --a------ c:\windows\system32\drivers\avgtdix.sys
2008-12-12 04:11 . 2008-12-12 04:11 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-12 04:10 . 2008-12-24 09:32 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-12 04:10 . 2008-12-12 04:10 <DIR> d-------- c:\program files\AVG
2008-12-12 04:10 . 2008-12-12 21:32 <DIR> d-------- c:\documents and settings\Seagate\Application Data\AVGTOOLBAR
2008-12-12 04:10 . 2008-12-17 22:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-05 15:46 . 2008-12-05 15:46 <DIR> d-------- c:\program files\PayPal
2008-12-05 15:46 . 2008-12-05 15:46 <DIR> d-------- c:\documents and settings\Seagate\Application Data\InstallShield
2008-12-05 05:50 . 2008-12-05 09:37 102,664 --a------ c:\windows\system32\drivers\tmcomm.sys
2008-12-05 05:22 . 2008-12-05 09:39 <DIR> d-------- c:\documents and settings\Seagate\.housecall6.6
2008-12-05 04:46 . 2008-12-05 04:46 <DIR> d-------- c:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-26 01:27 --------- d-----w c:\program files\TurboNote
2008-12-26 00:53 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-26 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-12-25 12:21 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-25 06:00 --------- d-----w c:\program files\CyberPower UPS
2008-12-25 01:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-25 01:28 --------- d-----w c:\program files\SpywareBlaster
2008-12-24 11:16 --------- d-----w c:\program files\Malwarebytes
2008-12-24 02:59 --------- d-----w c:\documents and settings\Seagate\Application Data\OpenOffice.org2
2008-12-19 01:42 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-17 21:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-17 18:59 --------- d-----w c:\program files\QUICKEN2002
2008-12-07 03:22 --------- d-----w c:\program files\Common Files\InstallShield
2008-12-05 20:38 --------- d-----w c:\program files\Java
2008-12-05 15:22 --------- d-----w c:\documents and settings\All Users\Application Data\PCPitstop
2008-12-04 03:47 --------- d-----w c:\program files\PCPitstop
2008-12-04 01:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 01:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-12-04 00:01 11,924,459 ----a-w c:\windows\Internet Logs\tvDebug.zip
2008-11-14 02:32 --------- d-----w c:\program files\Spybot
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2007-07-31 03:04 60,516 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-07-31 03:04 49,246 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-07-31 03:04 165,990 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adsgone"="c:\program files\adsgone\adsgone.exe" [2007-05-30 4411392]
"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower UPS\pppeuser.exe" [2007-01-10 262144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SBAutoUpdate"="c:\program files\SpywareBlaster\sbautoupdate.exe" [2008-06-10 906792]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 144784]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-12 1261336]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Propel Accelerator"="c:\program files\EarthLink Accelerator\trayctl.exe" [2008-12-15 69632]
"LTMSG"="LTMSG.exe" [2003-07-14 c:\windows\ltmsg.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TurboNote.lnk - c:\program files\TurboNote\tbnote.exe [2008-06-30 918840]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FlashPath Monitor.lnk]
backup=c:\windows\pss\FlashPath Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Seagate^Start Menu^Programs^Startup^AdsGone.lnk]
backup=c:\windows\pss\AdsGone.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adsgone

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j2 4.2]
--a------ 2006-07-14 14:03 107008 c:\program files\j2 Messenger 4.2\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBAutoUpdate]
--a------ 2008-06-10 21:19 906792 c:\program files\SpywareBlaster\sbautoupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-07-28 13:19 323584 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PC FineTune Task Manager"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\AdsGone\\AdsGone.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-12 97928]
R1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-12-12 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-12-12 76040]
R2 FlashNT;FlashNT;c:\windows\system32\drivers\FlashNT.sys [2007-12-18 72784]
R2 Sdselect;Sdselect;c:\windows\system32\drivers\Sdselect.sys [2007-12-18 73296]
R3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-28 7408]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
S2 portD;CMS PortIO Service; []
S3 GT72NDISIPXP;GT 72 IP NDIS;c:\windows\system32\DRIVERS\Gt51Ip.sys [2008-02-18 106624]
S3 GT72UBUS;GT 72 U BUS;c:\windows\system32\DRIVERS\gt72ubus.sys [2008-02-08 59648]
S3 GTPTSER;GT PT SER;c:\windows\system32\DRIVERS\gtptser.sys [2007-03-30 8064]
S4 PC FineTune Task Manager;PC FineTune Task Manager;c:\progra~1\EARTHL~2\PCFINE~1\MXTask.exe -Service []
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2008-12-03 77312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2007-08-13 c:\windows\Tasks\AdsGone.job
- c:\program files\AdsGone\AdsGone.exe [2007-05-30 09:03]

2008-12-25 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~2\Messages\SDNotify.exe [2007-09-26 08:53]

2008-12-22 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot\SpybotSD.exe [2008-07-30 14:45]

2008-12-22 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]

2008-08-14 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe [2008-04-02 08:50]
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://webmessenger.yahoo.com/
uInternet Settings,ProxyServer = http=localhost:8080
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Refresh Pa&ge with Full Quality - c:\program files\EarthLink Accelerator\pac-page.html
IE: Refresh Pi&cture with Full Quality - c:\program files\EarthLink Accelerator\pac-image.html
LSP: c:\program files\EarthLink Accelerator\prplsf.dll

c:\windows\Downloaded Program Files\ewidoOnlineScan.dll - O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1}
hxxp://downloads.ewido.net/ewidoOnlineScan.cab

c:\windows\Downloaded Program Files\sysreqlab3.dll - O16 -: {1E54D648-B804-468d-BC78-4AFFED8E262E}
hxxp://www.nvidia.com/content/DriverDow ... eqlab3.cab
c:\windows\Downloaded Program Files\SysReqLab3.osd

c:\windows\Downloaded Program Files\TenebrilSpywareScanner.ocx - O16 -: {32305793-C19A-48E7-AD2F-D87FF7B264A4}
hxxp://download.tenebril.com/pub/bin/sc ... canner.ocx

c:\windows\Downloaded Program Files\pcpitstopAntiVirus.dll - O16 -: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD}
hxxp://utilities.pcpitstop.com/Extermin ... iVirus.dll
FF - ProfilePath - c:\documents and settings\Seagate\Application Data\Mozilla\Firefox\Profiles\hnjs8itb.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wunderground.com/cgi-bin/fin ... uery=72543
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\PayPal\PayPal Plug-In\components\PayPalPlugin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 19:30:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\avgrsstx.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(616)
c:\windows\system32\avgrsstx.dll
c:\program files\EarthLink Accelerator\prplsf.dll
.
Completion time: 2008-12-25 19:32:10
ComboFix-quarantined-files.txt 2008-12-26 01:32:07

Pre-Run: 94,797,672,448 bytes free
Post-Run: 94,926,925,824 bytes free

206 --- E O F --- 2008-08-21 04:06:04

===============================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:02:57 PM, on 12/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\EarthLink Accelerator\propelac.exe
C:\program files\adsgone\adsgone.exe
C:\Program Files\CyberPower UPS\pppeuser.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\CyberPower UPS\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKCU\..\Run: [Adsgone] c:\program files\adsgone\adsgone.exe -s
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower UPS\pppeuser.exe"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9523293859
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9522871890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7528 bytes
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » December 26th, 2008, 6:09 am

Hi,

Still, everything looks completely clean.

Step 1: Update Java
Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
First remove the older versions:
  • Click Start
  • Go to Control Panel
  • Go to Add/Remove Programs
  • Find and click Remove for each version of Java that is present
  • Download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.
Now let's download and install the newest version:
  • Download Java SE Runtime Environment (JRE) 6 Update 11 from here: http://java.sun.com/javase/downloads/index.jsp
  • As Platform select your operating system, agree to the License Agreement and click Continue.
  • Now click on the link under Windows Offline Installation and download the installer to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on the download to install the newest version.
  • Reboot your computer.

Step 2: Update Adobe Reader
You can either choose to update to version 8.1.3 or version 9. I recommend that you update to version 8.1.3, because it is as secure as version 9 and less heavy on your system resources. Updating can be done by opening Adobe Reader. If it does not tell you automatically that it has updates ready, you can manually check for updates.

Step 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 4: Run Malwarebytes' Anti-Malware
I see you already have it on your computer, so no need to download it first.
  • Start Malwarebytes' Anti-Malware
  • Make sure you check for updates to have the latest definitions and no bugs.
  • After doing that, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Close the Notepad file.
  • The log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Step 5: Post logs
Please post the following in a reply to me:
  • There are some strange things in your HijackThis log:
    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

    These mean that the defaults for those protocols are not in the Internet Zone, but in My Computer Zone. Do you know anything about this? Are you having problems browsing the internet?
  • JavaRa log
  • MBAM log

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands
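As an added example (not code from the thread, from HijackThis or from MalwareRemoval.com), here is a small Python check over constructed log lines in the HijackThis v2.0.2 format that pulls out the O15 ProtocolDefaults and R1 ProxyServer entries John asks about. The zone numbering and the ZoneMap\ProtocolDefaults registry key are Internet Explorer's own; the sample lines are constructed to mirror the ones in the log above.

```python
"""Added example: flag the HijackThis O15 ProtocolDefaults and R1 ProxyServer
findings discussed in the thread. Sample log lines below are constructed to
mirror the ones posted above; the checks are not part of HijackThis itself."""
import re

# Internet Explorer security-zone numbering (URLZONE_*): a lower number is a
# more trusted zone with fewer restrictions on what content may do.
ZONE_IDS = {"My Computer": 0, "Intranet": 1, "Trusted": 2, "Internet": 3, "Restricted": 4}

# Registry key IE consults for a protocol's default zone; HijackThis derives its
# O15 ProtocolDefaults lines from it.
PROTOCOL_DEFAULTS_KEY = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
    r"\ZoneMap\ProtocolDefaults"
)

# Constructed sample in HijackThis v2.0.2 format (same shape as the thread's log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O20 - AppInit_DLLs: avgrsstx.dll
"""

O15_RE = re.compile(
    r"^O15 - ProtocolDefaults: '(?P<proto>[^']+)' protocol is in "
    r"(?P<current>.+?) Zone, should be (?P<expected>.+?) Zone \((?P<hive>HK\w+)\)$"
)
R1_PROXY_RE = re.compile(
    r"^R1 - (?P<hive>HK\w+)\\.*Internet Settings,ProxyServer = (?P<proxy>.+)$"
)


def parse_protocol_defaults(log_text):
    """One dict per O15 line: protocol, hive, current/expected zone names and ids."""
    findings = []
    for line in log_text.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue
        current, expected = m["current"], m["expected"]
        findings.append({
            "protocol": m["proto"],
            "hive": m["hive"],
            "current_zone": current,
            "expected_zone": expected,
            "current_id": ZONE_IDS[current],
            "expected_id": ZONE_IDS[expected],
        })
    return findings


def weakened_protocols(findings):
    """Protocols whose default zone is more trusted (lower id) than IE ships with.

    A protocol mapped to My Computer (0) inherits that zone's permissive settings,
    so http/https/ftp content would run with far fewer restrictions than in the
    Internet zone (3). That is the risk behind the O15 lines in the thread.
    """
    return [f["protocol"] for f in findings if f["current_id"] < f["expected_id"]]


def find_proxy_servers(log_text):
    """(hive, proxy string) for every R1 ProxyServer line.

    A loopback proxy is not malicious by itself (the thread's machine runs an
    accelerator product that installs one), but each entry should be matched to
    a product the owner knowingly installed.
    """
    out = []
    for line in log_text.splitlines():
        m = R1_PROXY_RE.match(line.strip())
        if m:
            out.append((m["hive"], m["proxy"]))
    return out


def expected_registry_values(findings):
    """Value name -> DWORD that would restore IE's shipped default for each protocol."""
    return {f["protocol"]: f["expected_id"] for f in findings}


def report(log_text):
    """Plain-text summary a helper could paste back into a thread."""
    lines = []
    for f in parse_protocol_defaults(log_text):
        lines.append(
            f"{f['protocol']}: zone {f['current_id']} ({f['current_zone']}), "
            f"expected {f['expected_id']} ({f['expected_zone']}) under {f['hive']}"
        )
    for hive, proxy in find_proxy_servers(log_text):
        lines.append(f"proxy configured in {hive}: {proxy} (confirm which product set it)")
    return lines


if __name__ == "__main__":
    print(f"Checked against {PROTOCOL_DEFAULTS_KEY}")
    for line in report(SAMPLE_LOG):
        print(line)
```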

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » December 26th, 2008, 10:44 pm

Hi John,

I’m relieved to know my logs are clean. :D Thank you.

Since my machine “recovered from a serious error” overall performance seems to have improved quite a bit. When switching between programs, hangs, lockups and crashes don’t seem to be happening nearly as much - though OE locked up on me last night and I couldn’t close it. That was unusual, and I had to restart the computer to get things moving again.

I have updated Java, run ATF Cleaner, am working on updating Adobe, and will run an Mbam scan before I post logs. (I’m also working up a list of neglected Windows updates I ought to install.)

-----------

Um, before I say anything else, :oops: I… uh, have to humbly withdraw this statement:
I am an intermediate to advanced computer user...

Axing "advanced," I'm probably more along the lines of an intermediate skill/knowledge level... with potential for "advanced." :P There is so much to know, and I... well... we sometimes just don’t know, what we don’t know, do we.

That aside…
------------

There are some strange things in your HijackThis log:

Quote:
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)

... Do you know anything about this?

I noticed these too and thought they were off. Without some searching and studying, no, I don’t know how to view or change these. Is this something we can correct?

Are you having problems browsing the internet?

Absolutely, YES. Using primarily Firefox and sometimes IE, I have quite a bit of difficulty browsing the internet. Pages often (at least 50% of the time) don’t load at all or they load with errors, i.e., strange, sparse, sprawled out formats with a lot of graphical content missing. I repeatedly have to request page reloads before they’ll load successfully and completely. Browsers freeze, or lock up regularly - a few times within a half an hour, for instance. I thought this might have been a problem with an older version of Firefox, or a poor internet connection, but I still get the same symptoms after installing the latest version of Firefox and with a new phone line installation (yes… <gasp>… dial-up).


--------------

In looking through the HJT Uninstall Manager log, I thought I’d remove and/or change the following list of items. Would any of this interfere with the process we’re working through? If so, I’m fine with waiting. I’d be very grateful for any comments or recommendations you have.

    - AdsGone Spyware Blocker Popup Killer 2007 7.0.8 build 1! [wouldn’t mind considering an alternative ad blocker]
    - Driver Installer [need to look into what installed this; may not be needed]
    - EarthLink PC FineTune [a “sell” that was supposed to improve internet connectivity, and doesn’t – it’s an “optimizer”]
    - Motorola Driver Installation [need to research, don’t have a Motorola product that I know of]
    - Mozilla Firefox (1.5) [no longer in use]
    - Mozilla Firefox (3.1b2) [don’t want to use]
    - PC Pitstop Exterminate2 2.0 [will never use again!]
    - PC Pitstop Optimize2 2.0 [ditto]
    - Spybot - Search & Destroy [not using this much anymore]
    - System Requirements Lab – [don’t know what this is and need to look into it]
    - Uniblue RegistryBooster 2 [will never use again!]
    - Uniblue SpeedUpMyPC 3 [ditto!]
    - ZoneAlarm Pro [wish to replace with Online Armor]


Thank you,
Annie
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » December 27th, 2008, 1:24 pm

Hi Annie,

Let's comment on your words while waiting for the logs :)

though OE locked up on me last night and I couldn’t close it. That was unusual, and I had to restart the computer to get things moving again.

This does not really have to be a big problem. Everybody's computer locks up every now and then. Still, it must be kept minimal..

Axing "advanced," I'm probably more along the lines of an intermediate skill/knowledge level... with potential for "advanced." :P There is so much to know, and I... well... we sometimes just don’t know, what we don’t know, do we.

That is no problem at all. We are trained to help people who have just enough knowledge to get themselves infected (which nowadays means powering on the computer and connecting to the internet), so any more knowledge you have than that is an advantage ;)

I noticed these too and thought they were off. Without some searching and studying, no, I don’t know how to view or change these. Is this something we can correct?

Absolutely, YES. Using primarily Firefox and sometimes IE, I have quite a bit of difficulty browsing the internet. Pages often (at least 50% of the time) don’t load at all or they load with errors, i.e., strange, sparse, sprawled out formats with a lot of graphical content missing. I repeatedly have to request page reloads before they’ll load successfully and completely. Browsers freeze, or lock up regularly - a few times within a half an hour, for instance. I thought this might have been a problem with an older version of Firefox, or a poor internet connection, but I still get the same symptoms after installing the latest version of Firefox and with a new phone line installation (yes… <gasp>… dial-up).

It is certainly strange, those lines in your log, and I have never seen them before. I will research it a little more and I am sure we can fix it :) It may even turn out to help a little if we are lucky ;)

Still, if those settings were totally wrong you would not be able to browse at all to pages with the common protocols (http, https, ftp, etc).

In looking through the HJT Uninstall Manager log, I thought I’d remove and/or change the following list of items. Would any of this interfere with the process we’re working through? If so, I’m fine with waiting. I’d be very grateful for any comments or recommendations you have.

Not a problem at all. As long as you do not start installing a lot of software as well. One thing about the uninstall log that you must know is that it displays, most of the times, more than you can find in the Add/Remove programs list from your Control Panel. This means that not everything on the list must be taken seriously.

There are a couple of things I want to comment on:
- AdsGone Spyware Blocker Popup Killer 2007 7.0.8 build 1! [wouldn’t mind considering an alternative ad blocker]
If you always use Firefox there is no need for a 'third-party' ad blocker, because the built-in one is pretty good.
- Driver Installer [need to look into what installed this; may not be needed]
- Motorola Driver Installation [need to research, don’t have a Motorola product that I know of]
I recommend that you just leave these installed. They may turn out to be important for some kind of hardware and having a few useless programs installed is not a problem at all.
- Spybot - Search & Destroy [not using this much anymore]
We actually recommend to use this program and as long as you have its TeaTimer (real-time functionality) disabled, it will not cause your computer to slow down.
- System Requirements Lab – [don’t know what this is and need to look into it]
This is something which comes in an ActiveX element most of the times. On some websites you can check if your system is good enough for that particular piece of software and most of the times this little applet is used to check the hardware of your computer. I suggest you just leave it there. Cannot hurt...

Please let me know and do not forget about those logs ;)

Regards,
John.

P.S. I have still not talked about the things found by Kaspersky, but I will later.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » December 27th, 2008, 7:09 pm

Hi John,

I appreciate your input. Thank you. :)

I'll proceed with my uninstall plans and follow your recommendations for the items you mentioned: I'll try turning off AdsGone and see if FF's ad blocker is adequate; keep the driver-related items, keep Spybot (yes, TeaTimer disabled ;) ) ; and keep the SysReqLab item. Very good!

----------------

Shall we refer to the strange HJT entries as "the O15 lines"? If that suits you, with regard to the O15 lines, I associate the terms "My Computer Zone" and "Internet Zone" with the Internet Options > Security settings found via the Control Panel or IE's Tools menu. What I find when I look at those settings is disconcerting: On the screen where one can select a Zone, in the area titled "Security level for this zone," one should see a sliding adjustment that allows a setting range from Low to High; that's missing. :? Also, the Default Level and Reset... buttons should be available, and they are not. When I click on the Custom Level button, I see a totally blank field :shock: where there should be a scrolling list of radio-button options and settings, as well as a drop-down menu at the bottom where the Low to High settings can be selected. I have attached a couple of screen shots in a Word document so you can see.
Internet Properties, Screenshots.doc

I did a cursory web search on the O15 lines, and all I see up front is somewhat aged forum discussions where folks were just as mystified as we are about the exact same lines.

The only thing I can make of this is, put together with other OS GUI functions that behave as though "broken" (I can provide more detail if needed), it seems my OS might have some damaged or corrupt files. I'm considering utilizing the OS Recovery Console to perform a Windows Repair installation to see if that might fix things. I've done this before on a former hard drive with satisfactory success. Do you suppose that might be a reasonable and safe thing to do?

-------------------

The MBAM scan I ran this morning wasn't complete, as running the Adobe update/installation (I went with version 8.1.3, good suggestion!) along with the scan was apparently too much to ask my machine to do. Both operations ground to a crawling halt, and I restarted the machine to get things moving again. Allowing Adobe to finish updating with no other programs running was the trick. So that's done.

Now, finally, here are my logs. I included a complete MBAM scan up top, that I ran three days ago. I'm confident today's scan would have shown no problems if it had run to completion. The JavaRa log follows. (What a nifty little program!) :)

-------------------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1540
Windows 5.1.2600 Service Pack 2

12/24/2008 9:45:18 AM
mbam-log-2008-12-24 (09-45-18).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 202884
Time elapsed: 3 hour(s), 20 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------
Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 5.1.2600 Service Pack 2

12/27/2008 11:26:56 AM
mbam-log-2008-12-27 (11-26-56).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 125702
Time elapsed: 6 hour(s), 58 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:...[incomplete]

-----------------------------------
JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Fri Dec 26 08:31:56 2008

Found and removed: Software\Classes\JavaPlugin.160_04

------------------------------------

Finished reporting.

(No malicious items detected)


------------------------------------

Cheers,
Annie


PS: Thank you for mentioning the Kaspersky findings. I understand, we'll come back around to that.
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

O15 lines - revised thinking

Unread postby EtchaSketch » December 28th, 2008, 8:12 am

Good morning, John. :)

I've been searching deeper for information about Internet Security Zones, and I'm finding rather interesting information. I now think I should not rush into performing a Windows Repair installation and try tinkering with other routes first.

Have a look at this: http://support.microsoft.com/kb/555599
How To Add My Computer As the Fifth Internet Explorer Security Zone

I just followed the instructions therein, after backing up the registry of course ;) , and I can now see My Computer as an available security zone under Internet Options/Properties. Hmmm… so, if that can be done so easily, perhaps there is not much more to making the invisible Security Settings re-appear... and perhaps correcting the strange O15 lines… ?

What do you think?

Cheers,
Annie
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » December 28th, 2008, 8:32 am

Hi Annie,

Please fix all those O15 entries with HijackThis. This will correct the zones to default automatically. Then reboot and post a fresh HijackThis log. Also see if the GUI is fine now.

About the Kaspersky results. They are about e-mails that contain malware in terms of attachments or links, etc. Most of the things found in YOUR e-mail folders are about phishing/fraud, so links to false PayPal and Ebay sites. Of course this is not a problem unless you follow the instructions those e-mails give.

The problem of the newer version of the Kaspersky Online Scanner is that it does not display what e-mail it exactly is that is malicious. The older version did do this.

Let's go through most that were found by Kaspersky:
C:\Documents and Settings\Seagate\My Documents\Backup\Outlook Express Data and Settings from Annie\Message Store\Earthlink\Bank One.dbx
C:\Documents and Settings\Seagate\My Documents\Backup\Outlook Express Data and Settings from Annie\Message Store\Earthlink\PayPal, Panelopee.dbx
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx << lots in this one
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Sent Items.dbx

All these are in backup folders. This means that you are not using these folders, probably, and have no chance of reading those unless you import them again. You COULD delete these and make new backups, but like I said, the malware found is not very dangerous..

A couple of others are more interesting:
D:\Outlook Express Data and Settings\Message Store\Earthlink\Bank One.dbx
D:\Outlook Express Data and Settings\Message Store\Earthlink\PayPal, Panelopee.dbx

These two are not in backup folders, so I do not know if these are the ones you are using or not. You may want to go through the Bank One and PayPal, Panelopee folders in the reader you use for your e-mail and see if there are any that you may think are the culprit and/or are useless.

There is one that I do not know of what it would be:
D:\Backup Files\zzz Archives\Microsoft.rar

It is in a backup folder, but in a zipped file/archive. Do you know what is inside that archive?

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » December 28th, 2008, 11:06 am

Hi John,

Fixing the O15 entries with HJT isn't working. I tried it a few times: Ran the scan, ticked the check boxes for all the O15 lines, clicked "Fix checked," restarted, scanned again, and there they are, still there. During the scan, while it zips along speedily for all other lines, it stalls for about 15 seconds and shows this message in the status bar: "O15 - Trusted Zone enumeration... "

The GUI didn't change.

Here is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:25:32 AM, on 12/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberPower UPS\ppped.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\CyberPower UPS\pppeuser.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\EarthLink Accelerator\propelac.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower UPS\pppeuser.exe"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9523293859
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9522871890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7771 bytes
-----------------------------------------------

On the Kaspersky items, all that you say makes sense. It's too bad the Kaspersky Online Scanner did not keep the feature of identifying specific emails... sure would have been helpful.

At any rate, deleting the old backups is not a problem... I need to clean up my mess of backups anyway.

These are part of my current message storage.
    D:\Outlook Express Data and Settings\Message Store\Earthlink\Bank One.dbx
    D:\Outlook Express Data and Settings\Message Store\Earthlink\PayPal, Panelopee.dbx
I looked through these folders and didn't see anything that looked like a phishing/fraud email. Everything there is out of date and not used, so I just deleted them. That ought to give me a clean, current backup.

This one,
    D:\Backup Files\zzz Archives\Microsoft.rar ,
turns out to be another backup of email folders. It's a little puzzling because I'm not sure that's what I would have named it. Nevertheless, it's very old and can be deleted.

Cheers,
~ Annie ~
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm
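The O15 lines in the HijackThis log above describe the per-protocol zone assignments that Internet Explorer stores under the ZoneMap\ProtocolDefaults registry key, and John's advice was to let HJT reset them to their defaults. As an added example, not from the thread and not how HijackThis itself performs its fix, the following PowerShell script reads those values, reports every protocol whose zone differs from the default that the O15 messages state (@ivt in the Intranet zone, file/ftp/http/https in the Internet zone), and, only when run with -Repair, exports a .reg backup of the key and writes the expected values back. The registry path, the check of the per-user HKCU copy alongside the HKLM copy that HJT flagged, and the script file name in the usage note are my assumptions, as is the presence of PowerShell, which a 2008-era XP machine would not have had without installing it.

```powershell
# Added example, not from the thread or from HijackThis: audit (and optionally
# restore) the Internet Explorer ProtocolDefaults values behind the
# "O15 - ProtocolDefaults" lines. Zone ids: 0 = My Computer, 1 = Local Intranet,
# 2 = Trusted, 3 = Internet, 4 = Restricted. Run without -Repair first; it only reports.
param(
    [switch]$Repair   # write the expected values back (exports a .reg backup first)
)

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }

# Expected defaults, exactly as the O15 messages in the log state them
# (@ivt -> Intranet, file/ftp/http/https -> Internet). Other protocol names are
# left alone because the thread does not mention them.
$expected = @{ '@ivt' = 1; 'file' = 3; 'ftp' = 3; 'http' = 3; 'https' = 3 }

# HijackThis flagged the HKLM copy (see "(HKLM)" in the log); the per-user copy
# under HKCU can override it, so both are checked (assumed layout of IE's ZoneMap).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults'
)

function Get-ZoneName([object]$Id) {
    if ($Id -eq $null) { return '(missing)' }
    if ($zoneNames.ContainsKey([int]$Id)) { return $zoneNames[[int]$Id] }
    return "unknown ($Id)"
}

# Emits one record per protocol whose zone differs from the expected default.
function Test-ProtocolDefaults([string]$Key) {
    $findings = @()
    if (-not (Test-Path $Key)) {
        Write-Warning "$Key does not exist"
        return $findings
    }
    $values = Get-ItemProperty -Path $Key
    foreach ($proto in $expected.Keys) {
        $actual = $values.$proto            # $null when the value is absent
        if ($actual -ne $expected[$proto]) {
            $findings += New-Object PSObject -Property @{
                Key      = $Key
                Protocol = $proto
                Actual   = Get-ZoneName $actual
                Expected = Get-ZoneName $expected[$proto]
            }
        }
    }
    return $findings
}

# Exports the key with reg.exe before anything is changed, so the change can be undone.
function Backup-Key([string]$Key) {
    $regPath = $Key -replace ':', ''                     # HKLM:\... -> HKLM\...
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file    = Join-Path $env:TEMP ("ProtocolDefaults-" + $Key.Substring(0, 4) + "-$stamp.reg")
    & reg.exe export $regPath $file | Out-Null
    return $file
}

function Repair-ProtocolDefaults([string]$Key, $Findings) {
    $backup = Backup-Key $Key
    Write-Host "Backup written to $backup"
    foreach ($f in $Findings) {
        Set-ItemProperty -Path $Key -Name $f.Protocol -Value $expected[$f.Protocol] -Type DWord
        Write-Host ("Set {0} = {1}" -f $f.Protocol, $f.Expected)
    }
}

foreach ($key in $keys) {
    # @(...) keeps Count meaningful whether zero, one or several findings come back
    $findings = @(Test-ProtocolDefaults $key)
    if ($findings.Count -eq 0) {
        Write-Host "OK: $key"
        continue
    }
    $findings | Format-Table Protocol, Actual, Expected, Key -AutoSize
    if ($Repair) { Repair-ProtocolDefaults $key $findings }
}
```

Saved as, for instance, Check-ProtocolDefaults.ps1 (name assumed), it is run as `powershell -ExecutionPolicy Bypass -File .\Check-ProtocolDefaults.ps1` to get the report, and with `-Repair` appended, from an administrator account so the HKLM key is writable, to apply the defaults. Comparing the report before and after a reboot is a direct way to tell whether something (a firewall product, a startup entry) is writing the values back, which is the question the thread is circling at this point.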

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » December 28th, 2008, 12:11 pm

P.S. I've also tried removing the O15 lines one at a time. No workie. :scratch:
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby John B. » December 28th, 2008, 1:03 pm

Hi Annie,

Doesn't ZoneAlarm also control those zones? Please look through all the tabs and settings and see if ZoneAlarm has anything to do with it.

If you like to, you can do another scan with Kaspersky Online Scanner and see if it comes back clean now.

Regards,
John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Re: Fraud Trojan-Spy files found; on the verge of wiping my hd

Unread postby EtchaSketch » December 28th, 2008, 9:11 pm

Hi John,

I looked through Zone Alarm's settings. The only thing that I can tell might be associated is the Firewall Zones area. The only item defined there is my LAN, in the "Trusted" zone. To experiment, I switched it to "Internet" zone, then ran an HJT scan. The O15 lines still showed up, I "fixed" them, ran the scan again, and still there.

I then shut down Zone Alarm, ran an HJT scan, fixed the O15 items, and still no change.

I checked the Internet Options, Security settings GUI throughout that process, and no change - still a blank.

I want to uninstall Zone Alarm anyway. Perhaps it might be worth doing that :?: and then check for/fix the O15 strangeness :?:

I've deleted all the folders in which Kaspersky found suspicious / infected files, making sure there was not anything I needed to save. I am now waiting for Kaspersky Online Scanner to update its database before I scan again. If it seems thorough enough and reasonable to you, for expediency, I thought I'd only scan the directories from which I made deletions.

In the mean time, I'm still searching, reading and tinkering with anything that might help with the O15 / security settings problem.

Cheers,
Annie
EtchaSketch
Regular Member
 
Posts: 24
Joined: December 21st, 2008, 1:15 pm