I have been very troubled by increasingly poor function of my computer for the last few months. This started not long after I upgraded memory to 2GB last August. The machine ran more efficiently, as expected, for a short time. Then performance started mysteriously going downhill.
A number of “strange” things have happened, an account of which I have available and will supply if requested. For now, I don't want to overload my initial plea for help with too much information.
I am an intermediate to advanced computer user who has done everything I know, and everything that has been recommended, to improve computer performance. Out of desperation, I have utilized several performance “optimizer” programs with no improvement.
I have repeatedly run a variety of anti-virus and anti-malware scans, most of which have found nothing at all; some have detected what seemed to be minor problems, which were quarantined or removed.
What brings me here today to ask for help is that I ran a Kaspersky scan yesterday that found seven fraud-related “trojan-spy” files on my secondary hard drive. In reading about how these codes work, all the computer troubles I've had over the last several months have begun to make sense. The primary indicator is that, indeed, a credit card number I used to make a purchase online (the same month “strange things started to happen”) had been detected and used without my authorization. (That matter has been resolved with my bank and the merchant.)
I am VERY concerned that my computer activities are being monitored or harvested and that poor performance might be related to Kaspersky's findings.
My HJT log follows. Because it's so relevant to why I'm asking for help, I have included the Kaspersky Online Scanner Report of yesterday.
Thank you in advance for your help.
================================================================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:30 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\LTMSG.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\program files\adsgone\adsgone.exe
C:\Program Files\CyberPower UPS\pppeuser.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\CyberPower UPS\ppped.exe
C:\PROGRA~1\EARTHL~2\PCFINE~1\mxtask.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox 3.0\firefox.exe
C:\Program Files\PayPal\PayPal Plug-In\RBroker.exe
C:\Program Files\EarthLink Accelerator\propelac.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmessenger.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: Accelerator Plugin - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\PROGRA~1\EARTHL~1\PRPL_I~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: OToolbarHelper Class - {EAD3A971-6A23-4246-8691-C9244E858967} - C:\Program Files\PayPal\PayPal Plug-In\PayPalHelper.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\EarthLink Accelerator\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Adsgone] c:\program files\adsgone\adsgone.exe -s
O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower UPS\pppeuser.exe"
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink Accelerator\pac-image.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\Spybot\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab3.cab
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://download.tenebril.com/pub/bin/sc ... canner.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 9523293859
O16 - DPF: {6824D897-F7E1-4E41-B84B-B1D3FA4BF1BD} (PCPitstop AntiVirus) - http://utilities.pcpitstop.com/Extermin ... iVirus.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 9522871890
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: PC FineTune Task Manager - Avanquest Publishing USA, Inc. - C:\PROGRA~1\EARTHL~2\PCFINE~1\MXTask.exe
O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower UPS\ppped.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 8103 bytes
================================================================================
Note: While I was watching the Kaspersky scan, at 88% complete it suddenly stopped and indicated that it had completed.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, December 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 20, 2008 06:56:40
Records in database: 1490569
--------------------------------------------------------------------------------
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Scan statistics:
Files scanned: 151823
Threat name: 7
Infected objects: 7
Suspicious objects: 8
Duration of the scan: 09:28:12
File name / Threat name / Threats count
C:\Documents and Settings\Seagate\My Documents\Backup\Outlook Express Data and Settings from Annie\Message Store\Earthlink\Bank One.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Seagate\My Documents\Backup\Outlook Express Data and Settings from Annie\Message Store\Earthlink\PayPal, Panelopee.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Backup Files\zzz Archives\Microsoft.rar
Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Citifraud.ae 1
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Smitfraud.c 1
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Bankfraud.w 1
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Bayfraud.ib 1
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Email-Worm.Win32.Bagle.ck 1
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Inbox.dbx
Infected: Trojan-Spy.HTML.Paylap.ev 2
D:\Documents and Settings\All Users\Documents\David's Backup Files\Outlook Express Data and Settings\Message Store\David\Sent Items.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Outlook Express Data and Settings\Message Store\Earthlink\Bank One.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\Outlook Express Data and Settings\Message Store\Earthlink\PayPal, Panelopee.dbx
Suspicious: Trojan-Spy.HTML.Fraud.gen 1
The selected area was scanned.
---------------------------------------------------------------------------------
end