Many Thanks - What you guys are doing here is amazing.
I connect to the internet using a netgear router. Any advice on how to check I've not fallen victim to the DNS thingy would be great. I've restored my router settings from a previously saved setup. I had hoped this would be sufficient?
A momentary lapse in concentration had me clicking on a Facebook message with a link to what I thought was a video, but turned out to be a poisoned website: youtube-x
This then asked me to update my Flash and before I knew it the Trojan was downloaded and a similar message was sent to everyone in my friends list.
I've run Trend Micro HouseCall, SmitfraudFix.exe, Kaspersky online scanner, Malwarebytes.exe and ESET. The thing that really worries me is I seem to pick up the browser hijack every time I visit my Facebook profile. Is it possible my profile is infected on Facebook's server?
I'm running Kaspersky online again now. I'll add its findings to this post when it has finished. It has already found 8 threat names and 9 infected objects!
I should be really grateful if someone would check my HJT log to see if I have been successful at removing all this crud from my PC. Also, if you have any advice on what I could do to speed up my machine, that would be great.
Kind Regards,
Pete
Logfile of HijackThis v1.99.1
Scan saved at 07:24:17, on 11/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.PDeskNet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zoom Telephonics, Inc\Zoom ADSL USB Modem\dslmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36be52fc-3977-4402-8fb2-be1941edb829} - (no file)
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Matrox PowerDesk 8] C:\WINDOWS\system32\PowerDesk8\Matrox.PowerDesk.exe /silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: DSLMON.lnk = ?
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(3).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Poker Million Online Poker - {47C16927-7BDE-465a-8E68-CE9C2CBB15B7} - C:\Program Files\pokermillionMPP\MPPoker.exe
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net ... plugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 4512224742
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4512843296
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://tw.msi.com.tw/autobios/LOnline/install.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IPSEC Services (PolicyAgent) (ipsec services (policyagent) ) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe (file missing)
O23 - Service: MGAFGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgafg.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
Monday, November 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, November 24, 2008 05:19:21
Records in database: 1407005
Scan settings
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area: My Computer
A:\
C:\
D:\
E:\
Scan statistics
Files scanned: 171233
Threat name: 10
Infected objects: 11
Suspicious objects: 7
Duration of the scan: 05:28:06
File name Threat name Threats count
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\.housecall6.6\Quarantine\72FE3D8E-000001B4.eml.bac_a08224 Infected: Trojan-Spy.Win32.Zbot.dkx 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Hotmail Pension Crisis - Deleted Items.dbx Infected: Worm.Win32.AutoRun.lyo 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Hotmail Pension Crisis - Deleted Items.dbx Infected: Worm.Win32.AutoRun.mfa 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Hotmail Pension Crisis - Deleted Items.dbx Infected: Worm.Win32.AutoRun.muu 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Hotmail Pension Crisis - Deleted Items.dbx Infected: Worm.Win32.AutoRun.nof 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Hotmail Pension Crisis - Deleted Items.dbx Infected: Worm.Win32.AutoRun.pzo 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Hotmail Pension Crisis - Deleted Items.dbx Infected: Email-Worm.Win32.Druzgl.a 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Sent Items.bak Infected: Backdoor.Win32.Breplibot.a 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Sent Items.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Sent Items.dbx Infected: Backdoor.Win32.Breplibot.a 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Identities\{18ED4CC1-80A6-4C4B-ACC8-C9C05F86955B}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Deleted Items\6AB9622A-0000001C.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Microsoft\Windows Live Mail\Hotmail\Deleted Items\7BDB4229-0000034C.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Sent Items\0276121D-000020E5.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Sent Items\4EE0441A-000013E7.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Peter.PETER-5I5G2Y5MD\Local Settings\Application Data\Microsoft\Windows Live Mail\Storage Folders\Sent Items\5BA74539-000031D0.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1