Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 5th, 2009, 1:46 am

My antivirus program says there are two TR/Crypt.XDR.Generic Trojan horse viruses in its quarantine, and they are on two Windows archive files.
The computer was not taking me to the web pages that I punched in; it would redirect me. Sorry in advance that I do not know much about computers.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:02 PM, on 3/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guidingstar.co.uk/start/startca.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/ ... mailto.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3837989077
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3837976374
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register ... lashax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer = 142.161.130.154 142.161.2.154
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4753 bytes

Re: Antivirus program 2 trojan horses quarantined

Unread postby Dakeyras » March 7th, 2009, 4:52 pm

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hi judyplantz and welcome to Malware Removal :)

I'm Dakeyras and I am going to try to assist you with your problem. Please take note of the below:

  • I will start working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine!
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • It may prove beneficial if you print off the following instructions or save them to Notepad as I post them.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Next:

OK, let's have a more in-depth scan of your computer as follows:

  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
    Please make sure that RSIT.exe is on your Desktop before running the application.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.

When you have completed the above, please post back the following in the order asked for:

  • How is your computer performing now? Any other symptoms?
  • Both RSIT logs. <-- Post them individually please.

Re: Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 7th, 2009, 8:19 pm

Logfile of random's system information tool 1.05 (written by random/random)
Run by judy at 2009-03-07 18:04:20
Microsoft Windows XP Professional Service Pack 3
System drive C: has 72 GB (94%) free of 76 GB
Total RAM: 239 MB (43% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:29 PM, on 3/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Stamina\Stamina.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\judy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\judy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guidingstar.co.uk/start/startca.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/ ... mailto.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3837989077
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3837976374
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register ... lashax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer = 142.161.130.154 142.161.2.154
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5585 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{2F596269-74BE-4162-88E1-E16F297CDF22}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-07 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-07 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-03 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"=LTMSG.exe 7 []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-03 148888]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-25 68856]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2009-03-06 16:38:11 ----D---- C:\Program Files\Stamina
2009-03-06 16:21:40 ----D---- C:\WINDOWS\system32\Adobe
2009-03-04 23:21:22 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-04 23:21:07 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-04 23:21:07 ----D---- C:\Documents and Settings\judy\Application Data\SUPERAntiSpyware.com
2009-03-04 21:31:08 ----D---- C:\Program Files\Avira
2009-03-04 21:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-03-04 18:39:04 ----D---- C:\Documents and Settings\judy\Application Data\Malwarebytes
2009-03-04 18:38:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-04 18:38:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-04 17:56:23 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-04 17:55:25 ----D---- C:\Program Files\Trend Micro
2009-03-04 16:54:23 ----D---- C:\Program Files\CCleaner
2009-03-03 10:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 10:42:36 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-03 10:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 10:42:11 ----D---- C:\Program Files\Java
2009-02-25 18:27:52 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-02-18 15:37:22 ----D---- C:\Documents and Settings\judy\Application Data\gtk-2.0
2009-02-18 13:14:28 ----D---- C:\Program Files\Yahoo!
2009-02-10 09:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe
2009-02-09 13:54:40 ----A---- C:\WINDOWS\WORDPAD.INI
2009-02-09 13:18:24 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-06 17:16:23 ----HD---- C:\$AVG8.VAULT$
2009-01-09 08:43:48 ----A---- C:\WINDOWS\system32\HSF_INST.dll
2009-01-08 20:20:23 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2009-01-04 08:49:55 ----D---- C:\rsit
2008-12-31 09:29:41 ----A---- C:\WINDOWS\ModemLog_PCI Soft Voice SoftRing Modem.txt
2008-12-12 09:31:34 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-10 17:50:22 ----D---- C:\WINDOWS\system32\FlashAX
2008-12-10 17:49:44 ----D---- C:\Documents and Settings\All Users\Application Data\Microgaming
2008-12-10 17:49:44 ----D---- C:\Documents and Settings\All Users\Application Data\MGS

======List of files/folders modified in the last 3 months======

2009-03-07 18:03:58 ----D---- C:\WINDOWS\Prefetch
2009-03-07 16:53:08 ----D---- C:\WINDOWS
2009-03-07 16:37:07 ----D---- C:\WINDOWS\Temp
2009-03-07 09:30:02 ----N---- C:\WINDOWS\SchedLgU.Txt
2009-03-06 16:38:11 ----RD---- C:\Program Files
2009-03-06 16:21:50 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-06 16:21:48 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-06 16:21:40 ----D---- C:\WINDOWS\system32
2009-03-04 23:21:14 ----SHD---- C:\WINDOWS\Installer
2009-03-04 21:31:11 ----D---- C:\WINDOWS\system32\drivers
2009-03-04 18:13:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-04 18:10:58 ----SD---- C:\Documents and Settings\judy\Application Data\Microsoft
2009-03-04 17:56:23 ----D---- C:\Program Files\Common Files
2009-03-04 16:57:02 ----D---- C:\WINDOWS\Minidump
2009-03-04 16:57:02 ----D---- C:\WINDOWS\Debug
2009-02-28 23:00:39 ----A---- C:\WINDOWS\win.ini
2009-02-26 09:31:10 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-02-25 18:34:10 ----D---- C:\Program Files\Adobe
2009-02-25 18:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-02-25 10:30:09 ----HD---- C:\WINDOWS\inf
2009-02-25 10:29:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-25 09:57:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-11 12:14:51 ----D---- C:\Program Files\Internet Explorer
2009-02-03 17:21:12 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-16 21:35:14 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-01-08 20:22:05 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-08 20:20:09 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2009-01-08 20:20:05 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-07 12:35:42 ----D---- C:\Program Files\Google
2009-01-07 09:25:03 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-12-28 18:15:03 ----SHD---- C:\System Volume Information
2008-12-28 18:15:03 ----D---- C:\WINDOWS\system32\Restore
2008-12-20 17:15:41 ----A---- C:\WINDOWS\system32\wininet.dll
2008-12-20 17:15:40 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-12-20 17:15:40 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-12-20 17:15:39 ----A---- C:\WINDOWS\system32\url.dll
2008-12-20 17:15:38 ----N---- C:\WINDOWS\system32\occache.dll
2008-12-20 17:15:38 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-12-20 17:15:32 ----N---- C:\WINDOWS\system32\mstime.dll
2008-12-20 17:15:31 ----N---- C:\WINDOWS\system32\msrating.dll
2008-12-20 17:15:30 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-12-20 17:15:24 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-12-20 17:15:23 ----N---- C:\WINDOWS\system32\jsproxy.dll
2008-12-20 17:15:23 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-12-20 17:15:22 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-12-20 17:15:21 ----N---- C:\WINDOWS\system32\iernonce.dll
2008-12-20 17:15:21 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-12-20 17:15:16 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2008-12-20 17:15:15 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-12-20 17:15:14 ----N---- C:\WINDOWS\system32\ieaksie.dll
2008-12-20 17:15:14 ----N---- C:\WINDOWS\system32\ieakeng.dll
2008-12-20 17:15:13 ----N---- C:\WINDOWS\system32\extmgr.dll
2008-12-20 17:15:13 ----A---- C:\WINDOWS\system32\icardie.dll
2008-12-20 17:15:13 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-12-20 17:15:12 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-12-20 17:15:11 ----A---- C:\WINDOWS\system32\advpack.dll
2008-12-20 08:30:31 ----SD---- C:\WINDOWS\Tasks
2008-12-19 03:10:15 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2008-12-19 03:10:15 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-12-18 23:23:56 ----N---- C:\WINDOWS\system32\ieakui.dll
2008-12-18 22:04:09 ----D---- C:\WINDOWS\ie7updates

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 Fallback;Fallback; C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 SoftFax;SoftFax; C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\system32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys []
S3 basic2;basic2; C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2007-11-21 37376]
S3 hsf_msft;hsf_msft; C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 Rksample;Rksample; C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-03 152984]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-07 137200]

-----------------EOF-----------------

Re: Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 7th, 2009, 8:22 pm

The only symptom that I see now is that my computer seems a bit slower than usual, and seems "jumpy". When I have to key in passwords, it seems to jump, or is it paranoia knowing that there had been a virus? But honestly, I don't remember that happening before.
Here is the second requested file.

info.txt logfile of random's system information tool 1.05 2009-03-07 18:04:32

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_0531C63A913CC9D1.exe" /uninstall
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Java(TM) 6 Update 12-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
REALTEK GbE & FE Ethernet PCI NIC Driver-->C:\Program Files\InstallShield Installation Information\{ACCA20B0-C4D1-4BF5-BF21-0A0EB5EF9730}\setup.exe -runfromtemp -l0x0009 -removeonly
Security Update for Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Stamina 2.5-->"C:\Program Files\Stamina\uninstall.exe"
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"

======Security center information======

AV: Avira AntiVir PersonalEdition

System event log

Computer Name: JUDY-5A1OOROSGK
Event Code: 7035
Message: The Network Location Awareness (NLA) service was successfully sent a start control.

Record Number: 4621
Source Name: Service Control Manager
Time Written: 20090109084929.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: JUDY-5A1OOROSGK
Event Code: 7035
Message: The Fast User Switching Compatibility service was successfully sent a start control.

Record Number: 4620
Source Name: Service Control Manager
Time Written: 20090109084929.000000-360
Event Type: information
User: NT AUTHORITY\SYSTEM

Computer Name: JUDY-5A1OOROSGK
Event Code: 7036
Message: The Terminal Services service entered the running state.

Record Number: 4619
Source Name: Service Control Manager
Time Written: 20090109084929.000000-360
Event Type: information
User:

Computer Name: JUDY-5A1OOROSGK
Event Code: 6005
Message: The Event log service was started.

Record Number: 4618
Source Name: EventLog
Time Written: 20090109084838.000000-360
Event Type: information
User:

Computer Name: JUDY-5A1OOROSGK
Event Code: 6009
Message: Microsoft (R) Windows (R) 5.01. 2600 Service Pack 3 Uniprocessor Free.

Record Number: 4617
Source Name: EventLog
Time Written: 20090109084838.000000-360
Event Type: information
User:

Application event log

Computer Name: JUDY-5A1OOROSGK
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 340
Source Name: SecurityCenter
Time Written: 20081128082742.000000-360
Event Type: information
User:

Computer Name: JUDY-5A1OOROSGK
Event Code: 1
Message:
Record Number: 339
Source Name: avg8emc
Time Written: 20081127184746.000000-360
Event Type: information
User:

Computer Name: JUDY-5A1OOROSGK
Event Code: 1800
Message: The Windows Security Center Service has started.

Record Number: 338
Source Name: SecurityCenter
Time Written: 20081127184727.000000-360
Event Type: information
User:

Computer Name: JUDY-5A1OOROSGK
Event Code: 11724
Message: Product: SmartFTP Client -- Removal completed successfully.

Record Number: 337
Source Name: MsiInstaller
Time Written: 20081127094248.000000-360
Event Type: information
User: JUDY-5A1OOROSGK\judy

Computer Name: JUDY-5A1OOROSGK
Event Code: 11707
Message: Product: SmartFTP Client -- Installation completed successfully.

Record Number: 336
Source Name: MsiInstaller
Time Written: 20081127093817.000000-360
Event Type: information
User: JUDY-5A1OOROSGK\judy

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 1, GenuineIntel
"PROCESSOR_REVISION"=0401
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO

-----------------EOF-----------------
judyplantz
Banned Member
 
Posts: 29
Joined: December 28th, 2008, 8:10 pm

Re: Antivirus program 2 trojan horses quarantined

Unread postby Dakeyras » March 8th, 2009, 8:31 am

Hi :)

The only symptom that I see now is that my computer seems a bit slower than usual, and seems "jumpy". When I have to key in passwords, it seems to jump, or is it paranoia knowing that there had been a virus? But honestly, I don't remember that happening before.
Here is the second requested file.
OK thank you for the clarification. I do have some concerns over the following:

2009-02-10 09:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe
Preliminary research does reveal it is malware in nature but I wish to investigate which particular strain it is before we proceed with any proactive measures.

Please do not be alarmed at this stage OK :thumbup:

Next:

Make sure Hidden Files are visible:

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Next:

The aforementioned file I would like to check; please carry out the following:

Note: Internet Explorer is the browser to use for best results.

  • Please go to VirSCAN.org free on-line scan service.
  • Copy and paste the following file path into the "Suspicious files to scan" box at the top of the page:

    C:\WINDOWS\system32\sysguard.exe

  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply. (Ctrl & V)

Next:

Please download Rooter.exe to your desktop.

  • Then double-click it to start the tool.
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt.
  • Post the contents of Rooter.txt in your next reply.

Random Access Memory:

Total RAM: 239 MB (43% free)
Some friendly advice concerning the above. It would be prudent in the future to consider installing some new upgraded memory modules.

Though Microsoft claims XP will run with a mere 128 MB installed, in my humble opinion a minimum of 1 GB is far better.

If you wish to upgrade the installed memory, Crucial have an ActiveX scanner which is perfectly safe and will advise if your system can support any upgraded memory modules. They cater for the US/UK and Europe.

SUPERAntiSpyware Advice:

If not aware, the aforementioned application comes with a component called Bootsafe. Do not for any reason use this component; if used on an infected computer it could render it UNBOOTABLE.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform myself straight away please).

  • Double click once on RSIT.exe
  • RSIT will start running, at the disclaimer click on Continue.
  • When done, 1 log will be produced.
  • Post that in your next reply.

When completed the above, please post back the following:

  • Any problems encountered and/or further symptoms?
  • File submission results.
  • Rooter.txt.
  • A new RSIT Log.
Dakeyras
MRU Honors Graduate
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
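The file-submission step above hands the suspect file to a multi-engine scanner and asks for the report back. As an added example (not code from this thread, from VirSCAN.org or from MalwareRemoval.com), here is a small Python parser for a report in the plain-text layout VirSCAN returned later in this thread: it splits the header fields from the per-engine rows, recomputes the detection ratio and checks it against the report's own summary line, and compares the MD5/SHA1 in the header with a local file so that the verdicts are known to apply to the file actually on disk. The sample report embedded in the block is constructed: its eight engine rows are copied from the posted report and its summary count is reduced to match that subset.

```python
"""Parse a VirSCAN.org multi-engine report and cross-check its summary line."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the VirSCAN.org report posted in this
# thread: eight of the engine rows are copied from that report and the
# summary count is adjusted to the subset (3 of 8) so the cross-check is real.
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2009/03/08 09:52:50 (CDT)
Scanner results: 38% Scanner(3/8) found malware!
File Name : sysguard.exe
File Size : 198788 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 2051ca9e3bb6e45d76611ad25d0bbd08
SHA1 : 60befa3b7cd839f9c864a563472cf315949ddea2

Scanner Engine Ver Sig Ver Sig Date Time Scan result
AhnLab V3 2009.03.07.01 2009.03.07 2009-03-07 1.13 -
AntiVir 7.9.0.105 7.1.2.135 2009-03-07 1.90 -
CA (VET) 9.0.0.143 31.6.6386 2009-03-07 5.34 -
CP Secure 1.1.0.715 2009.03.08 2009-03-08 7.41 W32.IM.W.Sohanad.as
Kaspersky 5.5.10 2009.03.08 2009-03-08 0.28 -
Rising 20.0 21.19.42.00 2009-03-06 0.40 Trojan.DL.Agent.gol
The Hacker 6.3.2.7 v00275 2009-03-07 0.58 W32/Sohanad.bb
VirusBuster 4.5.11.10 10.102.2/968427 2009-03-07 1.57 -
"""

HEADER_RE = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*:\s*(?P<value>.*)$")
SUMMARY_RE = re.compile(r"Scanner\((?P<hits>\d+)/(?P<total>\d+)\)")


@dataclass
class EngineResult:
    scanner: str
    engine_ver: str
    sig_ver: str
    sig_date: str
    seconds: float
    detection: Optional[str]  # None when the engine reported the file clean


def parse_virscan_report(text: str) -> Tuple[Dict[str, str], List[EngineResult]]:
    """Split a report into its "Key : value" header fields and its engine rows."""
    meta: Dict[str, str] = {}
    engines: List[EngineResult] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Scanner Engine Ver"):
            in_table = True  # every following line is one engine's row
            continue
        if in_table:
            # Scanner names can contain spaces ("CP Secure", "The Hacker"), so
            # peel the five fixed columns off the right-hand end instead.
            parts = line.rsplit(None, 5)
            if len(parts) != 6:
                raise ValueError(f"unexpected engine row: {line!r}")
            scanner, engine_ver, sig_ver, sig_date, secs, result = parts
            engines.append(EngineResult(scanner, engine_ver, sig_ver, sig_date,
                                        float(secs), None if result == "-" else result))
            continue
        m = HEADER_RE.match(line)
        if m:
            meta[m.group("key").strip()] = m.group("value").strip()
    return meta, engines


def summarize(text: str) -> dict:
    """Recompute the detection ratio and compare it with the report's own summary."""
    meta, engines = parse_virscan_report(text)
    detections = {e.scanner: e.detection for e in engines if e.detection}
    m = SUMMARY_RE.search(meta.get("Scanner results", ""))
    stated = (int(m.group("hits")), int(m.group("total"))) if m else None
    return {
        "file_name": meta.get("File Name"),
        "md5": meta.get("MD5", ""),
        "sha1": meta.get("SHA1", ""),
        "engines": len(engines),
        "detections": detections,
        "summary_consistent": stated == (len(detections), len(engines)),
    }


def hashes_of(data: bytes) -> Dict[str, str]:
    """MD5 and SHA1 of a file's bytes, in the same form the report header uses."""
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest()}


def report_matches_file(text: str, data: bytes) -> bool:
    """True only if both header hashes match the local file; otherwise the
    report describes some other file and its verdicts do not apply to it."""
    meta, _ = parse_virscan_report(text)
    local = hashes_of(data)
    return local["MD5"] == meta.get("MD5") and local["SHA1"] == meta.get("SHA1")


if __name__ == "__main__":
    info = summarize(SAMPLE_REPORT)
    print(f"{info['file_name']}: {len(info['detections'])}/{info['engines']} engines flagged it")
    for scanner, name in info["detections"].items():
        print(f"  {scanner:<12} {name}")
    print("summary line consistent with rows:", info["summary_consistent"])
```

Run as a script it prints the engines that flagged the file. On the full 37-row report posted later in this thread the same parser reproduces the 3/37 that VirSCAN states; a summary that disagrees with the rows, or header hashes that differ from the local file, means the wrong report or a different file is being read.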

Re: Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 8th, 2009, 10:34 am

Thanks;

I wanted to let you know that my computer adopted an annoying new system last night. Now when I turn it on it says that my antivirus is not working, yet when I go to antivirus, it is on. I thought at first that it was because it hadn't opened up yet (this antivirus prog is new to me); but I had never seen that happen before, and have not changed the settings on it.

By the way, just in case you are reading this, I intend to add the files to this post.


VirSCAN.org Scanned Report :
Scanned time : 2009/03/08 09:52:50 (CDT)
Scanner results: 8% Scanner(3/37) found malware!
File Name : sysguard.exe
File Size : 198788 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 2051ca9e3bb6e45d76611ad25d0bbd08
SHA1 : 60befa3b7cd839f9c864a563472cf315949ddea2
Online report : http://virscan.org/report/4a704391a090c ... 5fc1e.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090308223224 2009-03-08 2.54 -
AhnLab V3 2009.03.07.01 2009.03.07 2009-03-07 1.13 -
AntiVir 7.9.0.105 7.1.2.135 2009-03-07 1.90 -
Antiy 2.0.18 20090308.2212560 2009-03-08 0.12 -
Authentium 5.1.1 200903071729 2009-03-07 1.18 -
AVAST! 3.0.1 090307-0 2009-03-07 0.90 -
AVG 7.5.52.442 270.11.9/1989 2009-03-07 1.98 -
BitDefender 7.81008.2770348 7.24049 2009-03-08 2.60 -
CA (VET) 9.0.0.143 31.6.6386 2009-03-07 5.34 -
ClamAV 0.94.2 9080 2009-03-07 0.15 -
Comodo 3.8 1037 2009-03-08 1.11 -
CP Secure 1.1.0.715 2009.03.08 2009-03-08 7.41 W32.IM.W.Sohanad.as
Dr.Web 4.44.0.9170 2009.03.08 2009-03-08 4.53 -
F-Prot 4.4.4.56 20090307 2009-03-07 1.16 -
F-Secure 5.51.6100 2009.03.08.01 2009-03-08 5.07 -
Fortinet 2.81-3.117 10.132 2009-03-07 0.24 -
GData 19.3745/19.252 20090308 2009-03-08 3.46 -
ViRobot 20090307 2009.03.07 2009-03-07 0.41 -
Ikarus T3.1.01.45 2009.03.08.72398 2009-03-08 4.52 -
JiangMin 11.0.706 2009.03.06 2009-03-06 1.59 -
Kaspersky 5.5.10 2009.03.08 2009-03-08 0.28 -
KingSoft 2009.2.5.15 2009.3.8.15 2009-03-08 0.70 -
McAfee 5.3.00 5546 2009-03-07 2.84 -
Microsoft 1.4405 2009.03.08 2009-03-08 4.84 -
mks_vir 2.01 2009.03.08 2009-03-08 2.93 -
Norman 6.00.06 6.00.00 2009-03-06 8.01 -
Panda 9.05.01 2009.03.07 2009-03-07 1.58 -
Trend Micro 8.700-1004 5.884.33 2009-03-08 0.08 -
Quick Heal 10.00 2009.03.07 2009-03-07 1.00 -
Rising 20.0 21.19.42.00 2009-03-06 0.40 Trojan.DL.Agent.gol
Sophos 2.84.1 4.39 2009-03-08 2.41 -
Sunbelt 5030 5030 2009-03-07 1.34 -
Symantec 1.3.0.24 20090307.003 2009-03-07 0.41 -
nProtect 20090307.01 3288711 2009-03-07 4.78 -
The Hacker 6.3.2.7 v00275 2009-03-07 0.58 W32/Sohanad.bb
VBA32 3.12.10.1 20090307.1637 2009-03-07 1.95 -
VirusBuster 4.5.11.10 10.102.2/968427 2009-03-07 1.57 -
Microsoft Windows XP Professional (5.1.2600) Service Pack 3

A:\ [Removable] (Total:0 Mo/Free:0 Mo)
C:\ [Fixed] - NTFS - (Total:76316 Mo/Free:2292 Mo)
D:\ [CD-Rom] (Total:0 Mo/Free:0 Mo)

Sun 03/08/2009|10:00

----------------------\\ Processes..

--Locked-- [System Process]
---------- System
---------- \SystemRoot\System32\smss.exe
---------- \??\C:\WINDOWS\system32\csrss.exe
---------- \??\C:\WINDOWS\system32\winlogon.exe
---------- C:\WINDOWS\system32\services.exe
---------- C:\WINDOWS\system32\lsass.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\system32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\System32\svchost.exe
---------- C:\WINDOWS\Explorer.EXE
---------- C:\WINDOWS\system32\spoolsv.exe
---------- C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
---------- C:\WINDOWS\LTMSG.exe
---------- C:\Program Files\Java\jre6\bin\jusched.exe
---------- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
---------- C:\WINDOWS\system32\ctfmon.exe
---------- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
---------- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
---------- C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
---------- C:\Program Files\Java\jre6\bin\jqs.exe
---------- C:\WINDOWS\system32\msfeedssync.exe
---------- C:\WINDOWS\System32\alg.exe
---------- C:\DOCUME~1\judy\LOCALS~1\Temp\SSUPDATE.EXE
---------- C:\Program Files\Internet Explorer\IEXPLORE.EXE
---------- C:\WINDOWS\system32\notepad.exe
---------- C:\WINDOWS\system32\cmd.exe
---------- C:\Rooter$\RK.exe

----------------------\\ Search..

----------------------\\ ROOTKIT !!



1 - "C:\Rooter$\Rooter_1.txt" - Sun 03/08/2009|10:00

----------------------\\ Scan completed at 10:00
Logfile of random's system information tool 1.05 (written by random/random)
Run by judy at 2009-03-08 10:11:19
Microsoft Windows XP Professional Service Pack 3
System drive C: has 72 GB (94%) free of 76 GB
Total RAM: 239 MB (49% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:11:29 AM, on 3/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\DOCUME~1\judy\LOCALS~1\Temp\SSUPDATE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\judy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\judy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guidingstar.co.uk/start/startca.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/ ... mailto.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3837989077
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3837976374
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register ... lashax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer = 142.161.130.154 142.161.2.154
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5663 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{2F596269-74BE-4162-88E1-E16F297CDF22}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-07 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-07 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-03 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"=LTMSG.exe 7 []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-03 148888]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-25 68856]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 3 months======

2009-03-08 10:00:54 ----A---- C:\Rooter.txt
2009-03-08 10:00:19 ----D---- C:\Rooter$
2009-03-06 17:38:11 ----D---- C:\Program Files\Stamina
2009-03-06 17:21:40 ----D---- C:\WINDOWS\system32\Adobe
2009-03-05 00:21:22 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 00:21:07 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-05 00:21:07 ----D---- C:\Documents and Settings\judy\Application Data\SUPERAntiSpyware.com
2009-03-04 22:31:08 ----D---- C:\Program Files\Avira
2009-03-04 22:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-03-04 19:39:04 ----D---- C:\Documents and Settings\judy\Application Data\Malwarebytes
2009-03-04 19:38:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-04 19:38:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-04 18:56:23 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-04 18:55:25 ----D---- C:\Program Files\Trend Micro
2009-03-04 17:54:23 ----D---- C:\Program Files\CCleaner
2009-03-03 11:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 11:42:11 ----D---- C:\Program Files\Java
2009-02-25 19:27:52 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-02-18 16:37:22 ----D---- C:\Documents and Settings\judy\Application Data\gtk-2.0
2009-02-18 14:14:28 ----D---- C:\Program Files\Yahoo!
2009-02-10 10:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe
2009-02-09 14:54:40 ----A---- C:\WINDOWS\WORDPAD.INI
2009-02-09 14:18:24 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-06 18:16:23 ----HD---- C:\$AVG8.VAULT$
2009-01-09 09:43:48 ----A---- C:\WINDOWS\system32\HSF_INST.dll
2009-01-08 21:20:23 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2009-01-04 09:49:55 ----D---- C:\rsit
2008-12-31 10:29:41 ----A---- C:\WINDOWS\ModemLog_PCI Soft Voice SoftRing Modem.txt
2008-12-12 10:31:34 ----A---- C:\WINDOWS\system32\deploytk.dll
2008-12-10 18:50:22 ----D---- C:\WINDOWS\system32\FlashAX
2008-12-10 18:49:44 ----D---- C:\Documents and Settings\All Users\Application Data\Microgaming
2008-12-10 18:49:44 ----D---- C:\Documents and Settings\All Users\Application Data\MGS

======List of files/folders modified in the last 3 months======

2009-03-08 10:00:33 ----D---- C:\WINDOWS\Prefetch
2009-03-08 09:44:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-08 09:21:41 ----D---- C:\WINDOWS\system32
2009-03-08 09:21:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-08 09:20:09 ----D---- C:\WINDOWS\Temp
2009-03-07 23:38:14 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-07 20:44:58 ----D---- C:\WINDOWS
2009-03-06 17:38:11 ----RD---- C:\Program Files
2009-03-06 17:21:50 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-05 00:21:14 ----SHD---- C:\WINDOWS\Installer
2009-03-04 22:31:11 ----D---- C:\WINDOWS\system32\drivers
2009-03-04 19:13:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-04 19:10:58 ----SD---- C:\Documents and Settings\judy\Application Data\Microsoft
2009-03-04 18:56:23 ----D---- C:\Program Files\Common Files
2009-03-04 17:57:02 ----D---- C:\WINDOWS\Minidump
2009-03-04 17:57:02 ----D---- C:\WINDOWS\Debug
2009-03-01 00:00:39 ----A---- C:\WINDOWS\win.ini
2009-02-26 10:31:10 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-02-25 19:34:10 ----D---- C:\Program Files\Adobe
2009-02-25 19:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-02-25 11:30:09 ----HD---- C:\WINDOWS\inf
2009-02-25 11:29:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-25 10:57:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-11 13:14:51 ----D---- C:\Program Files\Internet Explorer
2009-02-03 18:21:12 ----A---- C:\WINDOWS\system32\MRT.exe
2009-01-16 22:35:14 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-01-08 21:22:05 ----D---- C:\WINDOWS\system32\CatRoot
2009-01-08 21:20:09 ----A---- C:\WINDOWS\ModemLog_Lucent Win Modem.txt
2009-01-08 21:20:05 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-01-07 13:35:42 ----D---- C:\Program Files\Google
2009-01-07 10:25:03 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2008-12-28 19:15:03 ----SHD---- C:\System Volume Information
2008-12-28 19:15:03 ----D---- C:\WINDOWS\system32\Restore
2008-12-20 18:15:41 ----A---- C:\WINDOWS\system32\wininet.dll
2008-12-20 18:15:40 ----A---- C:\WINDOWS\system32\webcheck.dll
2008-12-20 18:15:40 ----A---- C:\WINDOWS\system32\urlmon.dll
2008-12-20 18:15:39 ----A---- C:\WINDOWS\system32\url.dll
2008-12-20 18:15:38 ----N---- C:\WINDOWS\system32\occache.dll
2008-12-20 18:15:38 ----A---- C:\WINDOWS\system32\pngfilt.dll
2008-12-20 18:15:32 ----N---- C:\WINDOWS\system32\mstime.dll
2008-12-20 18:15:31 ----N---- C:\WINDOWS\system32\msrating.dll
2008-12-20 18:15:30 ----A---- C:\WINDOWS\system32\mshtmled.dll
2008-12-20 18:15:24 ----A---- C:\WINDOWS\system32\msfeedsbs.dll
2008-12-20 18:15:23 ----N---- C:\WINDOWS\system32\jsproxy.dll
2008-12-20 18:15:23 ----A---- C:\WINDOWS\system32\msfeeds.dll
2008-12-20 18:15:22 ----A---- C:\WINDOWS\system32\iertutil.dll
2008-12-20 18:15:21 ----N---- C:\WINDOWS\system32\iernonce.dll
2008-12-20 18:15:21 ----A---- C:\WINDOWS\system32\ieframe.dll
2008-12-20 18:15:16 ----N---- C:\WINDOWS\system32\iedkcs32.dll
2008-12-20 18:15:15 ----A---- C:\WINDOWS\system32\ieapfltr.dll
2008-12-20 18:15:14 ----N---- C:\WINDOWS\system32\ieaksie.dll
2008-12-20 18:15:14 ----N---- C:\WINDOWS\system32\ieakeng.dll
2008-12-20 18:15:13 ----N---- C:\WINDOWS\system32\extmgr.dll
2008-12-20 18:15:13 ----A---- C:\WINDOWS\system32\icardie.dll
2008-12-20 18:15:13 ----A---- C:\WINDOWS\system32\dxtrans.dll
2008-12-20 18:15:12 ----A---- C:\WINDOWS\system32\dxtmsft.dll
2008-12-20 18:15:11 ----A---- C:\WINDOWS\system32\advpack.dll
2008-12-20 09:30:31 ----SD---- C:\WINDOWS\Tasks
2008-12-19 04:10:15 ----N---- C:\WINDOWS\system32\ie4uinit.exe
2008-12-19 04:10:15 ----A---- C:\WINDOWS\system32\ieudinit.exe
2008-12-19 00:23:56 ----N---- C:\WINDOWS\system32\ieakui.dll
2008-12-18 23:04:09 ----D---- C:\WINDOWS\ie7updates

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 Fallback;Fallback; C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 SoftFax;SoftFax; C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\system32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys []
S3 basic2;basic2; C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2007-11-21 37376]
S3 hsf_msft;hsf_msft; C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 Rksample;Rksample; C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-03 152984]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-07 137200]

-----------------EOF-----------------
judyplantz
Banned Member
 
Posts: 29
Joined: December 28th, 2008, 8:10 pm
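Dakeyras singled out sysguard.exe by eye from the RSIT "files/folders created" list above. As an added example (not from this thread, from RSIT's author or from MalwareRemoval.com), here is the same triage done programmatically in Python: it parses RSIT's timestamped lines, ignores directories, and lists executables created under C:\WINDOWS, noting which of them appeared on their own rather than inside the burst of files an installer or update drops. The sample lines are a subset copied from the posted list. The output is a candidate list, not a verdict: it also names the Java binaries and two DLLs from the same log, and a hash lookup or a multi-engine scan, as done for sysguard.exe in this thread, is what settles each one.

```python
"""Triage the "files/folders created" section of an RSIT log."""
import ntpath
import re
from collections import namedtuple
from datetime import datetime, timedelta
from typing import List, Tuple

Entry = namedtuple("Entry", "created flags path")

# One RSIT line: timestamp, attribute field such as ----A---- or ----HD----, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (-+[A-Z]*-+) (.+)$")
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx", ".drv"}
SYSTEM_PREFIX = "c:\\windows\\"  # system32, drivers and the rest of the Windows tree

REASON_SYSDIR = "executable created under C:\\WINDOWS"
REASON_LONE = "lone file, not part of an install/update burst"
REASON_HIDDEN = "hidden or system attribute set"

# Sample lines copied from the RSIT "created in the last 3 months" list posted
# above (a subset of that list, kept in RSIT's own layout).
SAMPLE_LOG = r"""
2009-03-08 10:00:54 ----A---- C:\Rooter.txt
2009-03-08 10:00:19 ----D---- C:\Rooter$
2009-03-06 17:38:11 ----D---- C:\Program Files\Stamina
2009-03-03 11:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 11:42:11 ----D---- C:\Program Files\Java
2009-02-10 10:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe
2009-02-09 14:54:40 ----A---- C:\WINDOWS\WORDPAD.INI
2009-02-06 18:16:23 ----HD---- C:\$AVG8.VAULT$
2009-01-09 09:43:48 ----A---- C:\WINDOWS\system32\HSF_INST.dll
2009-01-08 21:20:23 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2008-12-12 10:31:34 ----A---- C:\WINDOWS\system32\deploytk.dll
"""


def parse_rsit_created(text: str) -> List[Entry]:
    """Turn RSIT's timestamped lines into Entry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        flags = frozenset(m.group(2).strip("-"))  # e.g. {'H', 'D'} from ----HD----
        entries.append(Entry(created, flags, m.group(3)))
    return entries


def flag_suspicious(entries: List[Entry],
                    burst_window: timedelta = timedelta(seconds=120)) -> List[Tuple[str, List[str]]]:
    """Return (path, reasons) for executables created under the Windows tree.

    Files are sorted by creation time and grouped into bursts: anything written
    within burst_window of the previous file joins its group. Installers and
    patches drop many files in one burst; a single binary appearing on its own
    is the pattern worth a closer look."""
    files = sorted((e for e in entries if "D" not in e.flags), key=lambda e: e.created)
    bursts: List[List[Entry]] = []
    for e in files:
        if bursts and e.created - bursts[-1][-1].created <= burst_window:
            bursts[-1].append(e)
        else:
            bursts.append([e])

    findings = []
    for group in bursts:
        for e in group:
            low = e.path.lower()
            if not low.startswith(SYSTEM_PREFIX) or ntpath.splitext(low)[1] not in EXEC_EXT:
                continue
            reasons = [REASON_SYSDIR]
            if len(group) == 1:
                reasons.append(REASON_LONE)
            if e.flags & {"H", "S"}:
                reasons.append(REASON_HIDDEN)
            findings.append((e.path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in flag_suspicious(parse_rsit_created(SAMPLE_LOG)):
        print(path, "->", "; ".join(reasons))
```

On the sample the three Java binaries, written within one second of each other, are reported as a burst, while sysguard.exe, HSF_INST.dll and deploytk.dll are each reported as a lone drop. The two-minute burst window and the extension list are assumptions chosen for this example; widen or narrow them to suit the log being read.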

Re: Antivirus program 2 trojan horses quarantined

Unread postby Dakeyras » March 9th, 2009, 5:17 am

Hi :)

Thanks;
You're welcome!

I wanted to let you know that my computer adopted an annoying new system last night. Now when I turn it on it says that my antivirus is not working, yet when I go to antivirus, it is on. I thought at first that it was because it hadn't opened up yet (this antivirus prog is new to me); but I had never seen that happen before, and have not changed the settings on it.
This is most likely related to the quarantined files and the remnants of the malware infection still present. As far as I can tell, your installation appears to be fine and fully active. Please do keep me informed, however, if anything else strange occurs.

Now I am going to ask you to run a specific application which has multiple features. You are doing very well so far and we are progressing just fine :thumbup:

Next:

Please download SmitfraudFix (by S!Ri) to your Desktop.

Alternate download locations:

From GeekstoGo
From Security Cadets
From Zebulon

  • Double click on SmitfraudFix.exe.
  • Press 1 then hit the Enter key.
  • It will create a report named rapport.txt, usually on the C drive.
  • Please post back this log in your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Read more here.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform me straight away please).

  • Double click once on RSIT.exe
  • RSIT will start running, at the disclaimer click on Continue.
  • When done, 1 log will be produced.
  • Post that in your next reply.

When you have completed the above, please post back the following:

  • Any problems encountered and/or further symptoms?
  • Rapport.txt.
  • A new RSIT Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 9th, 2009, 10:49 am

No problems, just one thing I had noticed: when I try to Google some phrases, the browser freezes. That's it for now.


SmitFraudFix v2.400

Scan done at 9:45:49.67, Mon 03/09/2009
Run from C:\Documents and Settings\judy\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process



======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{2F596269-74BE-4162-88E1-E16F297CDF22}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-07 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-07 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-03 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"=LTMSG.exe 7 []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-03 148888]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-25 68856]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-09 09:45:57 ----A---- C:\WINDOWS\system32\tmp.txt
2009-03-09 09:45:49 ----A---- C:\rapport.txt
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\swsc.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\swreg.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\Process.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-03-08 10:00:54 ----A---- C:\Rooter.txt
2009-03-08 10:00:19 ----D---- C:\Rooter$
2009-03-06 17:38:11 ----D---- C:\Program Files\Stamina
2009-03-06 17:21:40 ----D---- C:\WINDOWS\system32\Adobe
2009-03-05 00:21:22 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 00:21:07 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-05 00:21:07 ----D---- C:\Documents and Settings\judy\Application Data\SUPERAntiSpyware.com
2009-03-04 22:31:08 ----D---- C:\Program Files\Avira
2009-03-04 22:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-03-04 19:39:04 ----D---- C:\Documents and Settings\judy\Application Data\Malwarebytes
2009-03-04 19:38:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-04 19:38:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-04 18:56:23 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-04 18:55:25 ----D---- C:\Program Files\Trend Micro
2009-03-04 17:54:23 ----D---- C:\Program Files\CCleaner
2009-03-03 11:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 11:42:11 ----D---- C:\Program Files\Java
2009-02-25 19:27:52 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-02-18 16:37:22 ----D---- C:\Documents and Settings\judy\Application Data\gtk-2.0
2009-02-18 14:14:28 ----D---- C:\Program Files\Yahoo!
2009-02-10 10:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe

======List of files/folders modified in the last 1 months======

2009-03-09 09:48:44 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2009-03-09 09:46:40 ----D---- C:\WINDOWS\Prefetch
2009-03-09 09:45:58 ----D---- C:\WINDOWS\system32
2009-03-09 09:18:55 ----D---- C:\WINDOWS\Temp
2009-03-08 23:54:18 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-08 09:44:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-08 09:21:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-07 20:44:58 ----D---- C:\WINDOWS
2009-03-07 19:06:52 ----D---- C:\rsit
2009-03-06 17:38:11 ----RD---- C:\Program Files
2009-03-06 17:21:50 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-05 00:21:14 ----SHD---- C:\WINDOWS\Installer
2009-03-04 22:31:11 ----D---- C:\WINDOWS\system32\drivers
2009-03-04 19:13:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-04 19:10:58 ----SD---- C:\Documents and Settings\judy\Application Data\Microsoft
2009-03-04 18:56:23 ----D---- C:\Program Files\Common Files
2009-03-04 17:57:02 ----D---- C:\WINDOWS\Minidump
2009-03-04 17:57:02 ----D---- C:\WINDOWS\Debug
2009-03-04 13:36:13 ----HD---- C:\$AVG8.VAULT$
2009-03-03 11:42:22 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-01 00:00:39 ----A---- C:\WINDOWS\win.ini
2009-02-26 10:31:10 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-02-25 19:34:10 ----D---- C:\Program Files\Adobe
2009-02-25 19:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-02-25 11:30:09 ----HD---- C:\WINDOWS\inf
2009-02-25 11:29:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-25 10:57:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-11 13:14:51 ----D---- C:\Program Files\Internet Explorer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 Fallback;Fallback; C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 SoftFax;SoftFax; C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\system32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys []
S3 basic2;basic2; C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2007-11-21 37376]
S3 hsf_msft;hsf_msft; C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 Rksample;Rksample; C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-03 152984]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-07 137200]

-----------------EOF-----------------


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Stamina\Stamina.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\judy


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\judy\LOCALS~1\Temp


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\judy\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\judy\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri



»»»»»»»»»»»»»»»»»»»»»»»» Agent.OMZ.Fix
!!!Attention, following keys are not inevitably infected!!!

Agent.OMZ.Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» RK



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 142.161.130.154
DNS Server Search Order: 142.161.2.154

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer=142.161.130.154 142.161.2.154
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer=142.161.130.154 142.161.2.154


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of random's system information tool 1.05 (written by random/random)
Run by judy at 2009-03-09 09:50:27
Microsoft Windows XP Professional Service Pack 3
System drive C: has 72 GB (94%) free of 76 GB
Total RAM: 239 MB (53% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:50:36, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Stamina\Stamina.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\judy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\judy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guidingstar.co.uk/start/startca.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/ ... mailto.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3837989077
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3837976374
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register ... lashax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer = 142.161.130.154 142.161.2.154
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5579 bytes
judyplantz
Banned Member
 
Posts: 29
Joined: December 28th, 2008, 8:10 pm
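
The next step in the thread targets C:\WINDOWS\system32\sysguard.exe, and the RSIT "List of files/folders created" section above shows why that file stands out: it is the only executable written to system32 on its own, with nothing else created in the same couple of minutes, whereas the SmitfraudFix helper set and the Java update each arrive as a burst of entries. The Python below is an added example, not part of RSIT, SmitfraudFix or anything the helper posted; it parses a constructed excerpt of those lines and applies that "lone executable" heuristic. The two-minute window, the extension list and the path filter are assumptions chosen for this illustration.

```python
"""Flag lone executables dropped into system32 in an RSIT 'files/folders created' list.

Added example: this is not part of RSIT, SmitfraudFix or any tool used in the
thread. The sample lines are a constructed excerpt copied from the RSIT log
posted above; the time window, extension list and path filter are assumptions.
"""
from datetime import datetime

# Constructed excerpt of the RSIT "List of files/folders created" section above.
SAMPLE_CREATED = r"""
2009-03-09 09:45:57 ----A---- C:\WINDOWS\system32\tmp.txt
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\Process.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-03-05 00:21:07 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-03 11:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 11:42:11 ----D---- C:\Program Files\Java
2009-02-10 10:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe
"""

EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".cpl")   # assumption
WINDOW_SECONDS = 120   # assumption: an installer writes its files within ~2 minutes


def parse_created(text):
    """Parse 'YYYY-MM-DD HH:MM:SS attrs path' lines into (timestamp, attrs, path) tuples."""
    entries = []
    for line in text.strip().splitlines():
        date, clock, attrs, path = line.split(maxsplit=3)   # path may contain spaces
        stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        entries.append((stamp, attrs, path))
    return entries


def lone_system32_executables(text, window=WINDOW_SECONDS):
    """Return system32 executables created with no other entry within `window` seconds.

    Legitimate installs (the SmitfraudFix helper set, the Java update) show up as a
    burst of entries; a single executable appearing on its own deserves a closer look.
    """
    entries = parse_created(text)
    stamps = [stamp for stamp, _attrs, _path in entries]
    flagged = []
    for stamp, attrs, path in entries:
        low = path.lower()
        if "D" in attrs or "\\windows\\system32\\" not in low or not low.endswith(EXECUTABLE_EXT):
            continue
        # Count the other entries inside the window; the -1 removes the entry itself.
        neighbours = sum(1 for other in stamps if abs((other - stamp).total_seconds()) <= window) - 1
        if neighbours == 0:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in lone_system32_executables(SAMPLE_CREATED):
        print("lone executable:", path)
```

The heuristic is a triage aid, not a verdict: a lone drop only says the file did not arrive with an installer, which is why the thread still has it confirmed by scans before it is moved. Shrinking the window to zero also flags javaws.exe, written one second after its siblings, which shows why the window has to cover an installer's whole write burst.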

Re: Antivirus program 2 trojan horses quarantined

Unread postby Dakeyras » March 9th, 2009, 12:10 pm

Hi :)

No problems, just one thing I had noticed: when I try to Google some phrases, the browser freezes. That's it for now.
OK, thank you for informing me. We will see what we can do to remedy this.

Backup the Registry:

Modifying the Registry can create unforeseen problems, so it is always wise to create a backup before doing so.

  • Please go here and download ERUNT.
  • ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.
  • Install ERUNT by following the prompts.
  • Use the default install settings but say no to the portion that asks you to add ERUNT to the Start-Up folder. You can enable this option later if you wish.
  • Start ERUNT either by double clicking on the desktop icon or choosing to start the program at the end of the setup process.
  • Choose a location for the backup. Note: the default location is C:\WINDOWS\ERDNT which is acceptable.
  • Make sure that at least the first two check boxes are selected.
  • Click on OK
  • Then click on YES to create the folder.
Note: if it is necessary to restore the registry, open the backup folder and start ERDNT.exe

Next:

Please download OTMoveIT3 to your Desktop.

  • Double-click OTMoveIt3.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
Code:
:processes
explorer.exe

:Reg
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.msn.com"
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
[-HKEY_CLASSES_ROOT\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D8089245-3211-40F6-819B-9E5E92CD61A2}]
[-HKEY_CLASSES_ROOT\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}]

:File
C:\WINDOWS\system32\sysguard.exe
C:\Documents and Settings\All Users\Application Data\avg8

:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTMoveIt3.

Next:

Please launch your installed Malwarebytes' Anti-Malware application via:

  • Start >> All Programs >> Malwarebytes' Anti-Malware >> Malwarebytes' Anti-Malware.
  • Then click on the Update tab >> Check for Updates <-- If required reboot(restart) your computer.
  • Now click on Scanner then select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
The log can also be found here:
  1. Launch Malwarebytes' Anti-Malware
  2. Click on the Logs radio tab.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform me straight away please).

  • Double click once on RSIT.exe
  • RSIT will start running, at the disclaimer click on Continue.
  • When done, 1 log will be produced.
  • Post that in your next reply.

When you have completed the above, please post back the following:

  • Any problems encountered and/or further symptoms?
  • OTMoveIT3 Log.
  • Malwarebytes' Anti-Malware Log.
  • A new RSIT Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra
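
The :Reg block in the OTMoveIt3 script above removes exactly the entries that stood out in the HijackThis section of the RSIT log: two O2 BHOs whose DLL is missing, the O9 "Related" button pointing at a missing file, and an O16 ActiveX download from a host that is neither Microsoft nor Adobe, while the hijacked HKLM start page is reset rather than deleted. The Python below is an added example, not HijackThis, RSIT or OTMoveIt3 code and not the helper's own tool; it applies those same checks to a constructed excerpt of the log and renders the result in the :Reg format the script uses. The trusted-host list, the expected start pages and the CLSID pattern are assumptions; the registry path used for each entry type is copied from the script above.

```python
"""Triage HijackThis-style log lines as the helper did above and emit the matching :Reg block.

Added example: this is not HijackThis, RSIT or OTMoveIt3 code, nor the helper's
own tool. The sample lines are a constructed excerpt copied from the log posted
in this thread; the trusted-host and expected-page lists are assumptions, and the
registry paths per section are the ones the helper's script uses.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis section of the RSIT log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.guidingstar.co.uk/start/startca.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3837989077
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.eu/Register ... lashax.cab
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Hosts this machine is expected to fetch ActiveX controls (O16) from: assumption.
TRUSTED_DPF_HOSTS = ("update.microsoft.com", "fpdownload2.macromedia.com")
# Start/search pages accepted as the user's own choice or the IE defaults: assumption.
EXPECTED_PAGES = ("http://www.google.ca/", "http://go.microsoft.com/fwlink/")
# Registry keys removed per entry type; taken from the :Reg block in the helper's script.
REG_KEYS = {
    "O2": (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{clsid}",
           r"HKEY_CLASSES_ROOT\CLSID\{clsid}"),
    "O9": (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{clsid}",
           r"HKEY_CLASSES_ROOT\CLSID\{clsid}"),
    "O16": (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{clsid}",
            r"HKEY_CLASSES_ROOT\CLSID\{clsid}"),
}


def host_is_trusted(url):
    """True when the URL's host is one of the trusted download hosts or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return (section, clsid, reason, line) for each entry that deserves a second look."""
    findings = []
    for line in log_text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        match = CLSID_RE.search(line)
        clsid = match.group(0) if match else None
        if section in ("O2", "O9") and ("(no file)" in line or "(file missing)" in line):
            findings.append((section, clsid, "registered component whose file is missing", line))
        elif section == "O16" and not host_is_trusted(line.rsplit(" - ", 1)[1]):
            findings.append((section, clsid, "ActiveX control downloaded from an unexpected host", line))
        elif section in ("R0", "R1") and not line.split(" = ", 1)[1].startswith(EXPECTED_PAGES):
            findings.append((section, None, "start/search page changed", line))
    return findings


def removal_block(findings):
    """Render the CLSID-bearing findings as an OTMoveIt3-style :Reg section, as in the helper's script."""
    lines = [":Reg"]
    for section, clsid, _reason, _line in findings:
        if not clsid:
            continue   # the start-page finding is reported, not deleted (the script resets it instead)
        for key in REG_KEYS.get(section, ()):
            lines.append("[-" + key.format(clsid=clsid) + "]")
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for section, clsid, reason, _ in found:
        print(f"{section:<3} {clsid or '-':<40} {reason}")
    print(removal_block(found))
```

The script deliberately touches nothing on the machine: the rendered block is for review before it goes into OTMoveIt3, which is the same human-in-the-loop order this thread follows, and a missing file or an unfamiliar host is a reason to look, not proof of infection.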

Re: Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 9th, 2009, 1:45 pm

I did everything you asked. I should let you know that when I ran ERUNT, it placed a file on my start bar and on my desktop; the file says NTREGOPT - C:\Program Files ERUNT
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\\"Start Page"|"http://www.msn.com" /E : value set successfully!
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}\\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{02478D38-C3F9-4efb-9B51-7695ECA05670}\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{c95fe080-8f5d-11d2-a20b-00aa003c157a}\\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D8089245-3211-40F6-819B-9E5E92CD61A2}\\ deleted successfully.
Registry key HKEY_CLASSES_ROOT\CLSID\{D8089245-3211-40F6-819B-9E5E92CD61A2}\\ deleted successfully.
Error: Unable to interpret <:File> in the current context!
Error: Unable to interpret <C:\WINDOWS\system32\sysguard.exe> in the current context!
Error: Unable to interpret <C:\Documents and Settings\All Users\Application Data\avg8> in the current context!
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_610.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03092009_123555

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_610.dat not found!



------------------------------------------------------------------------------------------




Malwarebytes' Anti-Malware 1.34
Database version: 1828
Windows 5.1.2600 Service Pack 3

3/9/2009 1:11:33 PM
mbam-log-2009-03-09 (13-11-33).txt

Scan type: Full Scan (A:\|C:\|D:\|)
Objects scanned: 76773
Time elapsed: 17 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


------------------------------------------------------------------------------------------



Logfile of random's system information tool 1.05 (written by random/random)
Run by judy at 2009-03-09 13:13:14
Microsoft Windows XP Professional Service Pack 3
System drive C: has 72 GB (94%) free of 76 GB
Total RAM: 239 MB (45% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:19, on 3/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\judy\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\judy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/ ... mailto.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 3837989077
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 3837976374
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer = 142.161.130.154 142.161.2.154
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 4777 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\User_Feed_Synchronization-{2F596269-74BE-4162-88E1-E16F297CDF22}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-07 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-01-07 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-03 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-03 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-01-07 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"LTMSG"=LTMSG.exe 7 []
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-03 148888]
"avgnt"=C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe [2008-06-12 266497]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2008-10-25 68856]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2009-02-17 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

======List of files/folders created in the last 1 months======

2009-03-09 12:35:55 ----D---- C:\_OTMoveIt
2009-03-09 12:28:40 ----D---- C:\WINDOWS\ERDNT
2009-03-09 12:26:45 ----D---- C:\Program Files\ERUNT
2009-03-09 09:45:57 ----A---- C:\WINDOWS\system32\tmp.txt
2009-03-09 09:45:49 ----A---- C:\rapport.txt
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\VACFix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\swxcacls.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\swsc.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\swreg.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\Process.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\o4Patch.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\IEDFix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\dumphive.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\404Fix.exe
2009-03-08 10:00:54 ----A---- C:\Rooter.txt
2009-03-08 10:00:19 ----D---- C:\Rooter$
2009-03-06 17:38:11 ----D---- C:\Program Files\Stamina
2009-03-06 17:21:40 ----D---- C:\WINDOWS\system32\Adobe
2009-03-05 00:21:22 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 00:21:07 ----D---- C:\Program Files\SUPERAntiSpyware
2009-03-05 00:21:07 ----D---- C:\Documents and Settings\judy\Application Data\SUPERAntiSpyware.com
2009-03-04 22:31:08 ----D---- C:\Program Files\Avira
2009-03-04 22:31:08 ----D---- C:\Documents and Settings\All Users\Application Data\Avira
2009-03-04 19:39:04 ----D---- C:\Documents and Settings\judy\Application Data\Malwarebytes
2009-03-04 19:38:57 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-03-04 19:38:57 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-03-04 18:56:23 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-03-04 18:55:25 ----D---- C:\Program Files\Trend Micro
2009-03-04 17:54:23 ----D---- C:\Program Files\CCleaner
2009-03-03 11:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 11:42:11 ----D---- C:\Program Files\Java
2009-02-25 19:27:52 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-02-18 16:37:22 ----D---- C:\Documents and Settings\judy\Application Data\gtk-2.0
2009-02-18 14:14:28 ----D---- C:\Program Files\Yahoo!
2009-02-10 10:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe

======List of files/folders modified in the last 1 months======

2009-03-09 13:12:34 ----A---- C:\WINDOWS\ModemLog_Agere Win Modem.txt
2009-03-09 12:46:01 ----D---- C:\WINDOWS\Prefetch
2009-03-09 12:37:37 ----D---- C:\WINDOWS\Temp
2009-03-09 12:36:52 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-03-09 12:28:40 ----D---- C:\WINDOWS
2009-03-09 12:26:45 ----RD---- C:\Program Files
2009-03-09 09:45:58 ----D---- C:\WINDOWS\system32
2009-03-08 09:44:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-03-08 09:21:40 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-07 19:06:52 ----D---- C:\rsit
2009-03-06 17:21:50 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-03-05 00:21:14 ----SHD---- C:\WINDOWS\Installer
2009-03-04 22:31:11 ----D---- C:\WINDOWS\system32\drivers
2009-03-04 19:13:15 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2009-03-04 19:10:58 ----SD---- C:\Documents and Settings\judy\Application Data\Microsoft
2009-03-04 18:56:23 ----D---- C:\Program Files\Common Files
2009-03-04 17:57:02 ----D---- C:\WINDOWS\Minidump
2009-03-04 17:57:02 ----D---- C:\WINDOWS\Debug
2009-03-04 13:36:13 ----HD---- C:\$AVG8.VAULT$
2009-03-03 11:42:22 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-01 00:00:39 ----A---- C:\WINDOWS\win.ini
2009-02-26 10:31:10 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-02-25 19:34:10 ----D---- C:\Program Files\Adobe
2009-02-25 19:34:08 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-02-25 11:30:09 ----HD---- C:\WINDOWS\inf
2009-02-25 11:29:56 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-02-25 10:57:51 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-11 13:14:51 ----D---- C:\Program Files\Internet Explorer

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2008-10-30 75072]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2007-03-01 28352]
R2 Fallback;Fallback; C:\WINDOWS\system32\DRIVERS\HSF_FALL.sys [2001-08-17 289887]
R2 Fsks;Fsks; C:\WINDOWS\system32\DRIVERS\HSF_FSKS.sys [2001-08-17 115807]
R2 K56;K56; C:\WINDOWS\system32\DRIVERS\HSF_K56K.sys [2001-08-17 391199]
R2 SoftFax;SoftFax; C:\WINDOWS\system32\DRIVERS\HSF_FAXX.sys [2001-08-17 199711]
R2 Tones;Tones; C:\WINDOWS\system32\DRIVERS\HSF_TONE.sys [2001-08-17 50751]
R2 V124;V124; C:\WINDOWS\system32\DRIVERS\HSF_V124.sys [2001-08-17 488383]
R3 avgntflt;avgntflt; \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys []
R3 ltmodem5;Agere Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2003-12-12 652689]
R3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys []
S3 basic2;basic2; C:\WINDOWS\system32\DRIVERS\HSF_BSC2.sys [2001-08-17 67167]
S3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINDOWS\system32\drivers\es1371mp.sys [2007-11-21 37376]
S3 hsf_msft;hsf_msft; C:\WINDOWS\system32\DRIVERS\HSF_MSFT.sys [2001-08-17 542879]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 Rksample;Rksample; C:\WINDOWS\system32\DRIVERS\HSF_SAMP.sys [2001-08-17 57471]
S3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-04 20992]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler; C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe [2008-10-15 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard; C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe [2008-10-15 151297]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-03 152984]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-07 137200]

-----------------EOF-----------------
judyplantz
Banned Member
 
Posts: 29
Joined: December 28th, 2008, 8:10 pm
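The RSIT log above is the kind of thing a helper reads by eye. The Python below is an added example, not part of HijackThis, RSIT or this thread's instructions; it runs three mechanical checks over lines copied from that log: O4 Run entries whose command is a bare executable rather than an absolute path (here `[LTMSG] LTMSG.exe 7`), the O17 NameServer addresses to compare with the ISP's published resolvers, and executables created directly in system32 before the cleanup tools arrived, each paired with a Program Files folder created within 60 seconds of it as a rough installer signal. The 60-second window and the 2009-03-04 cut-off (the day CCleaner, the first helper-directed tool, was installed) are assumptions made for this example. Run as-is it reports the java*.exe files alongside C:\Program Files\Java and sysguard.exe with nothing nearby, which is the file the helper's next OTMoveIt3 script moves.

```python
"""Triage checks over a HijackThis / RSIT log.

Added example for this thread, not part of HijackThis, RSIT or the helper's
instructions. The sample lines are copied from the RSIT log posted above; the
60-second "installer nearby" window and the cleanup cut-off date are assumptions.
"""
import re
from datetime import datetime, timedelta

# HijackThis-style lines copied from the log above (O4 = Run keys, O17 = DNS servers).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{9535DC02-ECC3-4712-A6CE-7620E7198714}: NameServer = 142.161.130.154 142.161.2.154
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
"""

# RSIT "files/folders created in the last 1 months" lines copied from the log above.
RSIT_SAMPLE = r"""
2009-03-09 09:45:08 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2009-03-04 17:54:23 ----D---- C:\Program Files\CCleaner
2009-03-03 11:42:37 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-03 11:42:36 ----A---- C:\WINDOWS\system32\java.exe
2009-03-03 11:42:11 ----D---- C:\Program Files\Java
2009-02-10 10:06:26 ----A---- C:\WINDOWS\system32\sysguard.exe
"""

# Assumption: the first helper-directed tool (CCleaner) landed on 2009-03-04, so
# executables created in system32 from that day on are treated as tool drops.
CLEANUP_START = datetime(2009, 3, 4)

HJT_LINE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")
RSIT_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(-+[A-Z]*-+)\s+(.*)$")
SYSTEM32 = "c:\\windows\\system32\\"


def parse_hjt(text):
    """Return (section, detail) pairs, e.g. ('O4', 'HKLM\\..\\Run: [LTMSG] LTMSG.exe 7')."""
    matches = (HJT_LINE.match(line.strip()) for line in text.splitlines())
    return [m.groups() for m in matches if m]


def o4_without_absolute_path(entries):
    """O4 autostart commands that name a bare executable instead of a full path.

    Such entries resolve through the search path, so the binary that really runs
    has to be located and checked by hand (here LTMSG.exe, which the process list
    above shows running from C:\\WINDOWS).
    """
    hits = []
    for section, detail in entries:
        m = re.search(r"\[[^\]]*\]\s*(.*)$", detail) if section == "O4" else None
        if m and not re.match(r'^"?[A-Za-z]:\\', m.group(1).strip()):
            hits.append(detail)
    return hits


def nameservers(entries):
    """DNS servers from O17 entries, to be compared with the ISP's published resolvers."""
    ips = []
    for section, detail in entries:
        if section == "O17":
            ips += re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", detail)
    return ips


def parse_rsit_created(text):
    """Return (created_at, attribute_flags, path) triples from the RSIT created-file list."""
    items = []
    for line in text.splitlines():
        m = RSIT_LINE.match(line.strip())
        if m:
            items.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                          m.group(2), m.group(3)))
    return items


def suspicious_system32_exes(items, cleanup_start=CLEANUP_START, window=timedelta(seconds=60)):
    """Executables created directly in system32 before the cleanup tools were run.

    Each hit maps to a Program Files folder created within `window` of it (the
    usual footprint of a legitimate installer) or to None when nothing nearby
    explains the file. The None entries are the ones to examine first.
    """
    program_dirs = [(t, p) for t, flags, p in items
                    if "D" in flags and p.lower().startswith("c:\\program files\\")]
    hits = {}
    for created, flags, path in items:
        low = path.lower()
        if "D" in flags or not low.startswith(SYSTEM32) or not low.endswith(".exe"):
            continue
        if "\\" in low[len(SYSTEM32):] or created >= cleanup_start:
            continue  # nested path, or created after the cleanup tools arrived
        nearby = [p for t, p in program_dirs if abs(t - created) <= window]
        hits[path] = nearby[0] if nearby else None
    return hits


def triage(hjt_text=HJT_SAMPLE, rsit_text=RSIT_SAMPLE):
    """Run all three checks and return their results in one dict."""
    entries = parse_hjt(hjt_text)
    return {
        "o4_bare": o4_without_absolute_path(entries),
        "dns": nameservers(entries),
        "system32_exes": suspicious_system32_exes(parse_rsit_created(rsit_text)),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

None of these checks says a file is malicious; they order the log so that the entries with no innocent explanation (a loose system32 executable with no installer activity around it, a Run entry that depends on the search path, resolvers that are not the ISP's) are looked at first.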

Re: Antivirus program 2 trojan horses quarantined

Unread postby Dakeyras » March 9th, 2009, 5:51 pm

Hi :)

I did everything you asked. I should let you know that when I ran ERUNT, it placed a file on my start bar, and on my desktop, the file says NTREGOPT - C:\Program Files ERUNT
That is fine, either leave them in place or delete. It can still be accessed via Start >> All Programs >> ERUNT
It relates to the registry optimize component of ERUNT and is not required for creating any back-ups.

Next:

  • Double-click OTMoveIt3.exe to start the program.
  • Copy the lines from the codebox to the clipboard by highlighting ALL of them and pressing CTRL + B (or, after highlighting, right-click and choose Copy):
Code: Select all
:processes
explorer.exe

:Files
C:\WINDOWS\system32\sysguard.exe
C:\Documents and Settings\All Users\Application Data\avg8
C:\Documents and Settings\judy\Application Data\gtk-2.0

:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
  • Return to OTMoveIt3, right-click in the "Paste instructions for items to be moved" window (under the yellow bar) and choose Paste
  • Then click the red MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it into your next response.
  • If OTMoveIt asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
  • Close OTMoveIt3.

Next:

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases

  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

This online tutorial will help explain how to use the aforementioned online scan.

Next:

Please make sure that RSIT.exe is still on the Desktop (if not, inform me straight away please).

  • Double click once on RSIT.exe
  • RSIT will start running, at the disclaimer click on Continue.
  • When done, 1 log will be produced.
  • Post that in your next reply.

When completed the above, please post back the following:

  • Any problems encountered and or further symptoms ?
  • Kaspersky scan results.
  • A new RSIT Log.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra

Re: Antivirus program 2 trojan horses quarantined

Unread postby judyplantz » March 9th, 2009, 9:22 pm

The only new symptom I noticed was that my clock reset to military time.
By the way, a new folder appeared on my desktop, it says Smitfraud fix, and it has a lot of .exe files in it. Will I be needing it? Can I move it?


========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\sysguard.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\update\prepare moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\update\backup moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\update moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\temp moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\scanlogs moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\Log moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\emc\Queue\TEMP moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\emc\Queue\OUT moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\emc\Queue\ACTIVE moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\emc\Queue moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\emc moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\Dumps moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\cfgall moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\Cfg moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\AvgApi moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\AvgAm moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\admincli moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8 moved successfully.
C:\Documents and Settings\judy\Application Data\gtk-2.0 moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5f8.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 03092009_200006

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_5f8.dat not found!


Will have the rest posted in a while.
judyplantz
Banned Member
 
Posts: 29
Joined: December 28th, 2008, 8:10 pm
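The OTMoveIt3 results above can be checked against the script that produced them instead of being read line by line. The Python below is an added example, not OTMoveIt3's own code: it parses the :processes / :Files / :Commands script the helper gave, parses an excerpt of the results log posted above (the avg8 sub-folder lines are shortened), and reports for every requested item whether it was killed, moved, deferred to reboot or missing, plus any path the log moved that was not asked for. On this log everything requested is moved, nothing unexpected is moved, and the only deferred item is the LocalService index.dat that [EmptyTemp] could not delete while it was in use.

```python
"""Reconcile an OTMoveIt3 script against the results log it produced.

Added example for this thread, not part of OTMoveIt3 or the helper's
instructions. SCRIPT is the script given above; RESULTS is an excerpt of the
results log posted above (the full avg8 sub-folder list is shortened).
"""
import re

SCRIPT = r"""
:processes
explorer.exe

:Files
C:\WINDOWS\system32\sysguard.exe
C:\Documents and Settings\All Users\Application Data\avg8
C:\Documents and Settings\judy\Application Data\gtk-2.0

:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
"""

RESULTS = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
C:\WINDOWS\system32\sysguard.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8\update moved successfully.
C:\Documents and Settings\All Users\Application Data\avg8 moved successfully.
C:\Documents and Settings\judy\Application Data\gtk-2.0 moved successfully.
========== COMMANDS ==========
User's Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Explorer started successfully

Files moved on Reboot...
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINDOWS\temp\Perflib_Perfdata_5f8.dat not found!
"""

KILLED = re.compile(r"^Process (\S+) killed successfully\.$")
MOVED = re.compile(r"^(.+?) moved successfully\.$")
DEFERRED = re.compile(r"^File (?:move|delete) failed\. (.+?) scheduled to be (?:moved|deleted) on reboot\.$")
NOT_FOUND = re.compile(r"^File (.+?) not found!$")


def parse_script(text):
    """Split an OTMoveIt3 script into sections keyed by lower-cased header (':Files' -> 'files')."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_results(text):
    """Collect what the log says was killed, moved, deferred to reboot, or not found."""
    out = {"killed": [], "moved": [], "deferred": [], "not_found": []}
    patterns = (("killed", KILLED), ("moved", MOVED), ("deferred", DEFERRED), ("not_found", NOT_FOUND))
    for line in (raw.strip() for raw in text.splitlines()):
        for key, rx in patterns:
            m = rx.match(line)
            if m:
                if m.group(1) not in out[key]:  # the same deferred path is reported twice
                    out[key].append(m.group(1))
                break
    return out


def reconcile(script, results):
    """Map every requested process and path to 'killed', 'moved', 'deferred' or 'missing'.

    A requested folder counts as moved when the log reports the folder itself
    moved; its sub-folders being listed first is normal OTMoveIt3 output.
    """
    moved = {p.lower() for p in results["moved"]}
    deferred = {p.lower() for p in results["deferred"]}
    killed = {p.lower() for p in results["killed"]}
    report = {}
    for proc in script.get("processes", []):
        report[proc] = "killed" if proc.lower() in killed else "missing"
    for path in script.get("files", []):
        key = path.lower()
        report[path] = "moved" if key in moved else "deferred" if key in deferred else "missing"
    return report


def unexpected_moves(script, results):
    """Paths the log moved that are neither a requested path nor inside one."""
    roots = [p.lower().rstrip("\\") + "\\" for p in script.get("files", [])]
    return [p for p in results["moved"]
            if not any(p.lower() == r[:-1] or p.lower().startswith(r) for r in roots)]


if __name__ == "__main__":
    s, r = parse_script(SCRIPT), parse_results(RESULTS)
    for item, state in reconcile(s, r).items():
        print(f"{state:9s} {item}")
    print("unexpected:", unexpected_moves(s, r))
    print("deferred to reboot:", r["deferred"])
    print("not found:", r["not_found"])
```

A "missing" entry in the report, or anything in the unexpected list, is the cue to ask for the log again rather than move on to the next scan.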

Re: Antivirus program 2 trojan horses quarantined

Unread postby Dakeyras » March 10th, 2009, 8:11 am

Hi :)

The only new symptom I noticed was that my clock reset to military time.
That's fine, change the setting if you so wish.

By the way, a new folder appeared on my desktop, it says Smitfraud fix, and it has a lot of .exe files in it. Will I be needing it? Can I move it?
Nothing to cause concern with. When I give the all clear malware wise I will provide instructions, on how to remove all tools and reports that have been used/generated during the course of this malware removal process.

Will have the rest posted in a while.
OK, that is fine. Post both the Kaspersky scan results and a new RSIT log when ready.
Dakeyras
MRU Honors Graduate
 
Posts: 8732
Joined: November 21st, 2007, 5:30 am
Location: The Tundra