Free Malware Removal Forum

[SkyWriting]

There are only two lines I'm worried about here. But you guys are better than me.
I already deleted "Total Security" from my startup, but I'm suspicious.
It was like 162538363.exe and _Abrw.exe
See anything else?

Thanks
Chuck

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:14:35 AM, on 8/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\Explorer.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
G:\PROGRA~1\AVG\AVG8\avgtray.exe
G:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe
C:\Program Files\CorelIOMonitor.exe
G:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
G:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\locate32\locate32.exe
G:\Program Files\Java\jre6\bin\jqs.exe
G:\Program Files\Micro Niche Finder\srvany.exe
G:\Program Files\Micro Niche Finder\bggoogle.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\PROGRA~1\AVG\AVG8\avgam.exe
G:\PROGRA~1\AVG\AVG8\avgrsx.exe
G:\WINDOWS\system32\HPZipm12.exe
G:\PROGRA~1\AVG\AVG8\avgnsx.exe
G:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\alg.exe
G:\Program Files\AVG\AVG8\avgui.exe
G:\WINDOWS\system32\taskmgr.exe
G:\Program Files\AVG\AVG8\avgscanx.exe
G:\Program Files\AVG\AVG8\avgcsrvx.exe
G:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\uninstaller.exe
G:\Program Files\Innovative Solutions\Advanced Uninstaller PRO - Version 9\monitor.exe
K:\C 2009-04-30 00;05;56\Program Files\Trend Micro\HijackThis\HijackThis.exe
G:\Program Files\Mozilla Firefox\firefox.exe

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav
F2 - REG:system.ini: UserInit=G:\WINDOWS\system32\userinit.exe,G:\WINDOWS\system32\sdra64.exe,
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Corel Photo Downloader] "G:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe" -startup
O4 - HKLM\..\Run: [Corel File Shell Monitor] C:\Program Files\CorelIOMonitor.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://G:\WINDOWS\system32\GPhotos.scr/200
O20 - AppInit_DLLs: G:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3044 bytes

[Shaba]

Hi SkyWriting

:
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but i can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post

[Shaba]

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.