Caz Posted July 10, 2008 ID:22421 Share Posted July 10, 2008 Ok, ran daughters laptop as Admin, in safe mode, managed to d/l anti-malware prog from here,Log of the quick scan follows:Malwarebytes' Anti-Malware 1.20Database version: 935Windows 5.1.2600 Service Pack 23:00:04 PM 10/07/2008mbam-log-7-10-2008 (14-59-59).txtScan type: Quick ScanObjects scanned: 49250Time elapsed: 8 minute(s), 24 second(s)Memory Processes Infected: 1Memory Modules Infected: 2Registry Keys Infected: 34Registry Values Infected: 8Registry Data Items Infected: 3Malwarebytes' Anti-Malware 1.20Database version: 935Windows 5.1.2600 Service Pack 23:29:14 PM 10/07/2008mbam-log-7-10-2008 (15-29-14).txtScan type: Quick ScanObjects scanned: 49250Time elapsed: 8 minute(s), 24 second(s)Memory Processes Infected: 1Memory Modules Infected: 2Registry Keys Infected: 34Registry Values Infected: 8Registry Data Items Infected: 3Folders Infected: 12Files Infected: 50Memory Processes Infected:C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Unloaded process successfully.Memory Modules Infected:C:\WINDOWS\system32\efcCvUlm.dll (Trojan.Vundo) -> Unloaded module successfully.C:\WINDOWS\system32\geBtTKCr.dll (Trojan.Vundo) -> Unloaded module successfully.Registry Keys Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d67649d-4e34-4e6b-8d8f-b2258c88ee8a} (Trojan.Vundo) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{3d67649d-4e34-4e6b-8d8f-b2258c88ee8a} (Trojan.Vundo) -> Delete on reboot.HKEY_CLASSES_ROOT\CLSID\{3ba3028f-fd37-46bf-ad27-733734684f06} (Trojan.Vundo) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ba3028f-fd37-46bf-ad27-733734684f06} (Trojan.Vundo) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebttkcr (Trojan.Vundo) -> Delete on reboot.HKEY_CLASSES_ROOT\f406.f406mgr (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\f406.f406mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{1b12f639-cba9-45dd-89fe-9fa7d4340716} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b12f639-cba9-45dd-89fe-9fa7d4340716} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{101900f3-7aeb-4e3b-b4cc-dcb483b3b92f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{9c7e91a9-0001-4c4e-bcc2-a56bc8329049} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{a59c4135-df7a-4666-8129-478376867b3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{8663655c-f6d4-4520-859e-67008902a889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8663655c-f6d4-4520-859e-67008902a889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Interface\{f70c9bf7-63da-40cc-a57c-b874b07259e0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\Typelib\{7f62b052-bbd3-476f-a8d5-aea51d86367a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{80123684-a222-4009-8220-a867294d6de8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 pro (Rogue.Antivirus2008) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} (Trojan.Clicker) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{847bbd3d-f172-4601-8968-4c0e2cf4ec2e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{8e5f73bf-6d5d-4713-bce9-ced3018182b0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{f684ef8d-6ff8-4eec-8984-a2f6fa2d9eda} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{2503a820-0a9c-4265-b76d-85c6e57363f2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\CLSID\{71ddc372-b232-4855-a11a-ccc601f6c372} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\nqgpedlr.bxod (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_CLASSES_ROOT\nqgpedlr.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7405c5df (Trojan.Vundo) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3ba3028f-fd37-46bf-ad27-733734684f06} (Trojan.Vundo) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{80123684-a222-4009-8220-a867294d6de8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\checkvoid (Trojan.Clicker) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antiviirus (Trojan.Downloader) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\okmdepgb (Trojan.FakeAlert) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\axrfgvek (Trojan.FakeAlert) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccvulm -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccvulm -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-640-8365391-23951) -> Quarantined and deleted successfully.Folders Infected:C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\WINDOWS\system32\778670 (Trojan.BHO) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.Files Infected:C:\WINDOWS\system32\efcCvUlm.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\mlUvCcfe.ini (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\mlUvCcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\tcrrjsdm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\mdsjrrct.ini (Trojan.Vundo) -> Quarantined and deleted successfully.C:\WINDOWS\system32\geBtTKCr.dll (Trojan.Vundo) -> Delete on reboot.C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\WINDOWS\system32\778670\778670.dll (Trojan.BHO) -> Quarantined and deleted successfully.C:\WINDOWS\kgqfweltmrg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\nqgpedlr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\esrp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\khfGaaWo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\lprn32.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\02W0SBON\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\1Z0MAXMT\1215385821[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\1Z0MAXMT\226[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\1Z0MAXMT\Antivirus2008PRO[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\DCJX9BC3\Install_226_-1_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\FBTZOKWE\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE\vbase.dat (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080708011521290.log (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709001331630.log (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709005015273.log (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709010639612.log (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710130402654.log (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710133854702.log (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\Administrator\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.C:\WINDOWS\Resources\CheckVoid.dll (Trojan.Clicker) -> Quarantined and deleted successfully.C:\Program Files\antiviirus.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\Program Files\tmp0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Program Files\tmp1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Program Files\tmp2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\okmdepgb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\mrvtdpqe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Application Data\TmpRecentIcons\antivirus-2008pro.lnk (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.C:\Documents and Settings\Dell\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.Folders Infected: 12Files Infected: 50About to sort out HJT d/l so will add that log once done I'm actually cringing here at the amount of infected files she has :-( Link to post Share on other sites More sharing options...
Caz Posted July 10, 2008 Author ID:22422 Share Posted July 10, 2008 HJT Log:Malwarebytes' Anti-Malware 1.20Database version: 935Windows 5.1.2600 Service Pack 23:00:04 PM 10/07/2008mbam-log-7-10-2008 (14-59-59).txtScan type: Quick ScanObjects scanned: 49250Time elapsed: 8 minute(s), 24 second(s)Memory Processes Infected: 1Memory Modules Infected: 2Registry Keys Infected: 34Registry Values Infected: 8Registry Data Items Infected: 3Folders Infected: 12Files Infected: 50Logfile of Trend Micro HijackThis v2.0.2Scan saved at 3:11:00 PM, on 10/07/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: Safe mode with network supportRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\PROGRA~1\Mozilla Firefox\firefox.exeC:\Documents and Settings\Administrator\Desktop\HiJackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = R3 - Default URLSearchHook is missingO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dllO3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dllO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exeO4 - HKLM\..\Run: [7405c5df] rundll32.exe "C:\WINDOWS\system32\tcrrjsdm.dll",bO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXEO4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exeO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Global Startup: BTTray.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exeO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO21 - SSODL: okmdepgb - {8E5F73BF-6D5D-4713-BCE9-CED3018182B0} - C:\WINDOWS\okmdepgb.dllO21 - SSODL: axrfgvek - {2503A820-0A9C-4265-B76D-85C6E57363F2} - C:\WINDOWS\axrfgvek.dllO21 - SSODL: CheckVoid - {bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} - C:\WINDOWS\Resources\CheckVoid.dllO23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeO23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exeO23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exeO23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exeO23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exeO23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXEO23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeO23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeO23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exeO23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exeO23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exeO23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exeO23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exeO23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeO23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe-- Link to post Share on other sites More sharing options...
1972vet Posted July 10, 2008 ID:22426 Share Posted July 10, 2008 Are you not able to boot her computer to the normal windows user mode? The reason I ask is that mbam works best in normal mode. Link to post Share on other sites More sharing options...
1972vet Posted July 10, 2008 ID:22434 Share Posted July 10, 2008 Let's try to uninstall a couple of the problems...Please click start-->Control Panel-->Add/Remove Programs. Scroll down the list to locate the program names:Antivirus 2008 PROJava (jre1.6.0_02)Click on each (one at a time) to highlight them, then click Remove. Reboot when finished uninstalling. When we are satisfied the system is cleaned, we can download the latest version of Java.You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.I am going to give you two sets of instructions...both relating to the Smitfraud infection that you have. The first set of instructions will cause the tool that we will download, to find the bad files. The second set will allow the tool to delete the bad files it found. With each set there is a log generated. It is important that you remember to post both logs in your next reply. You must perform these steps exactly as presented and cannot skip a step. The application will delete nothing unless you first allow it to find the bad files...which is why you must follow these instructions exactly as presented:Set #1Please download:SmitfraudFix (by S!Ri)Extract the content (a folder named SmitfraudFix) to your Desktop.Open the SmitfraudFix folder and double-click smitfraudfix.cmdSelect option #1 - Search by typing 1 and press"Enter"; a text file will appear, which lists infected files (if present). Please remember to copy/paste the content of that report into your next reply.Note :process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.Set#2Next, reboot the computer into Safemode.Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmdSelect option #2 - Clean by typing 2 and press"Enter" to delete infected files.You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into your Normal Windows user mode.A text file will appear onscreen, with results from the cleaning process; please remember to copy/paste the content of that report into your next reply as well.The report can also be found at the root of the system drive, usually at C:\rapport.txtWarning : running option #2 on a non infected computer will remove your Desktop background.Next, please download SDFix and save it to your Desktop.Double click SDFix.exe and the files will be extracted to %systemdrive%(Drive that contains the Windows Directory, typically C:\SDFix)Reboot the computer into Safe mode again. Open the extracted SDFix folder and double click RunThis.bat to start the script. Type Y to begin the cleanup process. Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot. Press any Key and it will restart the PC. When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons. Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt(Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).Please run HijackThis again and check the box next to these entries that may still exist:R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =R3 - Default URLSearchHook is missingO3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dllO4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exeO4 - HKLM\..\Run: [7405c5df] rundll32.exe "C:\WINDOWS\system32\tcrrjsdm.dll",bO4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exeO21 - SSODL: okmdepgb - {8E5F73BF-6D5D-4713-BCE9-CED3018182B0} - C:\WINDOWS\okmdepgb.dllO21 - SSODL: axrfgvek - {2503A820-0A9C-4265-B76D-85C6E57363F2} - C:\WINDOWS\axrfgvek.dllO21 - SSODL: CheckVoid - {bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} - C:\WINDOWS\Resources\CheckVoid.dllClose all windows now except for the hijackthis application's window, then click the Fix Checked button. Reboot again to properly record the changes made to the hard disk.Finally paste the contents of the Report.txt back here along with your rapport.txt documents from the smitraudfix utility and a fresh HijackThis log. Link to post Share on other sites More sharing options...
Caz Posted July 10, 2008 Author ID:22446 Share Posted July 10, 2008 If we log into my daughters laptop on her account, as main user, we can connect to the net but sites take ages to load, then tend to "hang" so no further loading happens, hence why I had to log into it using Admin, and in safe mode with networking, was only way to get the programmes to d/l.It may take me a few days to follow your instructions 1972vet, since I'm starting two nightshifts tonight, so may not get round to this till Saturday afternoon. I did check add/remove programmes for Antivirus2008Pro ....... it wasn't there ..... but I shall definitely have a further check when I boot it up next. Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22699 Share Posted July 13, 2008 Ok i have my logs all ready to post, but for some weird reason it won't let me :S Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22700 Share Posted July 13, 2008 It's telling me I do not have permission to access this document - how odd Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22701 Share Posted July 13, 2008 SDFix: Version 1.204 Run by Dell on 13/07/2008 at 12:28 PMMicrosoft Windows XP [Version 5.1.2600]Running From: C:\SDFixChecking Services :Restoring Default Security ValuesRestoring Default Hosts FileRebootingChecking Files : No Trojan Files FoundRemoving Temp FilesADS Check : Final Check :catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-07-13 12:42:43Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ...scanning hidden services & system hive ...[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]"p0"="C:\Program Files\DAEMON Tools\""h0"=dword:00000000"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,.."khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c616958e][HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]"p0"="C:\Program Files\DAEMON Tools\""h0"=dword:00000000"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,.."khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c616958e][HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]"s1"=dword:2df9c43f"s2"=dword:110480d0"h0"=dword:00000001[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]"p0"="C:\Program Files\DAEMON Tools\""h0"=dword:00000000"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,.."khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0010c616958e][HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]"p0"="C:\Program Files\DAEMON Tools\""h0"=dword:00000000"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,.."khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..scanning hidden registry entries ...scanning hidden files ...scan completed successfullyhidden processes: 0hidden services: 0hidden files: 0Remaining Services :Authorized Application Key Export:[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019""%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000""C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1""C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)""C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger""C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire""C:\\WINDOWS\\system32\\lxcfcoms.exe"="C:\\WINDOWS\\system32\\lxcfcoms.exe:*:Enabled:730 Series Server""C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe:*:Enabled:730 Series Printer Status""C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled: Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22703 Share Posted July 13, 2008 rapport.txt_Smitfraud.txt rapport.txt_Smitfraud.txt Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22704 Share Posted July 13, 2008 rapport.txt_Smitfraud_txt_pt2.txt rapport.txt_Smitfraud_txt_pt2.txt Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22705 Share Posted July 13, 2008 SmitFraudFix v2.329Scan done at 19:01:23.06, 11/07/2008Run from C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\02W0SBON\SmitfraudFix[1]\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode Link to post Share on other sites More sharing options...
Caz Posted July 13, 2008 Author ID:22706 Share Posted July 13, 2008 Only log still to post is the HJT Log, and for some reason, perhaps files were too big to post, I had to do it the upload way, tried doing HJT Log that way also, but it wouldn't let me - oh boy am I having fun. Will try in a while to get the HJT Log posted, maybe I shall have to zip it and do it that way. Link to post Share on other sites More sharing options...
Caz Posted July 14, 2008 Author ID:22751 Share Posted July 14, 2008 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:54:33 AM, on 14/07/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Dell\Bluetooth Software\bin\btwdins.exeC:\Program Files\Common Files\Symantec Shared\ccSvcHst.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\1XConfig.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\BCMSMMSG.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Winamp\winampa.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\Program Files\Apoint\Apntex.exeC:\WINDOWS\PixArt\PAC207\Monitor.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\Symantec Shared\ccApp.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\DAEMON Tools\daemon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Messenger\Msmsgs.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Stardock\ObjectDock\ObjectDock.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\iPod\bin\iPodService.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dllO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exeO4 - Global Startup: BTTray.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
Caz Posted July 14, 2008 Author ID:22752 Share Posted July 14, 2008 All done, at last, I still need to take off Java, and also get rid of Symantec Stuff, but will wait until you have had a look at all the logs.Thanks for the help so far Link to post Share on other sites More sharing options...
1972vet Posted July 14, 2008 ID:22755 Share Posted July 14, 2008 I'm a bit confused with the information that you posted. You said yesterday in post #6 that you had all your logs and were ready to post but that you were having problems. Then, today you posted the logs but the date of the scan for sdfix for example, is today's date. Did you edit that log? The reason I ask is because there were a few trojan files in your log that sdfix specifically targets. There's no chance that it would have missed them yet the log you posted shows that sdfix found nothing. Nevertheless, all the malware entries are removed. Please finish up with the removal of the outdated java and your Symantec stuff then post another fresh HijackThis log. Also, advise how the system performs now. Thanks! Link to post Share on other sites More sharing options...
Caz Posted July 14, 2008 Author ID:22800 Share Posted July 14, 2008 I can see why you are confused, I am also confused as it's saying this scan was done on Friday 11th:SmitFraudFix v2.329Scan done at 19:01:23.06, 11/07/2008when I was actually in work at that time.Would you like me to rescan once I have taken off Java and the Symantec stuff?(Using my own system at the moment) - system on the laptop seems to be performing okay, slow to load up but then again, I think this is a problem with all laptops is it not? Only other thing that appears to have gone awol somewhere is the list in the System Tools i.e., no sign of defragging option although I am not 100% sure they were there previously.Will sort out Java removal and symantec removal very shortly and post another HJT Log. Link to post Share on other sites More sharing options...
1972vet Posted July 15, 2008 ID:22831 Share Posted July 15, 2008 ...the log you posted shows that sdfix found nothing. Nevertheless, all the malware entries are removed.That is what confuses me. It's not possible your log would be cleaned up when the scans showed that nothing was found. In the log there were several trojans that SDFix specifically targets, as well there was a smitfraud file that the SmitFraudFix utility also specifically targets...mysteriously though, they've disappeared with no trace of their findings from any of the logs you posted...they're just gone, but at least they're gone.Nonetheless, since your last log looks clean I would like to see another log after you've removed Symantec and updated your java. Thanks! Link to post Share on other sites More sharing options...
Caz Posted July 15, 2008 Author ID:22846 Share Posted July 15, 2008 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:33:36 AM, on 15/07/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\system32\1XConfig.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Dell\Bluetooth Software\bin\btwdins.exeC:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\BCMSMMSG.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Winamp\winampa.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\WINDOWS\PixArt\PAC207\Monitor.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exeC:\Program Files\iTunes\iTunesHelper.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\DAEMON Tools\daemon.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Messenger\Msmsgs.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Stardock\ObjectDock\ObjectDock.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\WINDOWS\system32\msiexec.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exeO4 - Global Startup: BTTray.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exeO6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions presentO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
1972vet Posted July 15, 2008 ID:22860 Share Posted July 15, 2008 Your log shows that Symantec is still installed...there's more than "just one thing" that remains. You can use their removal tool. More on that in just a bit...The two entries below both first appeared only after you somehow removed all of the malware entries from the original instructions:O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present...That "O2" entry is valid. It represents the Windows Live Call HoverToCall feature in Windows Live Messenger but it's file has been remove. You could remove that entry using HijackThis but I would hesitate to advise that unless you have no intention of using the Live Messenger anymore.That "O6" entry is interesting. I see no evidence of Spybot Search and Destroy which is usually the reason for that entry. Have you used some kind of "Administrative" locking feature? If not, you can run HijackThis again and check/fix that entry.As for your assertion that the malware entries were not present in any of the logs from the utility scans I recommended, please understand that what is suggested by those logs is not possible:Below is a SmitFraud File that appeared in your original log:O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dllBelow is the Trojan-Downloader.Win32.Agent.keu. This also appeared in the original log and it is specifically targeted by SDFix:O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exeBelow is another trojan that appeared in your original log and it too is specifically targeted by SDFix:O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe...and as we all can see, none of those I recommended that you remove are still present in the last HijackThis log posted.I'm still confused......I'll bet lol...this stuff is tricky sometimes huh?just had quick reread of the instructions regarding the smitfraud bit....especially the part where it said running this on an uninfected system will remove your desktop picture or something like that - it did remove the desktop background, but i'm not complaining, if the trojans or whatever were picked up it's all to the good :-)The warning is to advise that the desktop background is removed...whether the system is infected or not, the background is removed. It's purpose is to discourage a user from just downloading and running the SmitFraudFix utility in a willy-nilly fashion...thus an uninfected user will have been saved the heartburn.Do you want me to to another scan with the SDFix? If so I shall do this tomorrow night, and there's just one thing from symantec that is refusing to go grrrrr.Since the last log you posted shows no evidence of the malware there would be no reason to run the SDFix utility again.You can download the Symantec Removal Tool to remove a failed install/uninstall or damaged product. Post back a fresh HijackThis log when completed. Please advise how the system performs now. Thanks! Link to post Share on other sites More sharing options...
Caz Posted July 16, 2008 Author ID:22957 Share Posted July 16, 2008 Logfile of Trend Micro HijackThis v2.0.2Scan saved at 1:30:49 AM, on 16/07/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16512)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\S24EvMon.exeC:\WINDOWS\system32\spoolsv.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exeC:\WINDOWS\system32\ZCfgSvc.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\1XConfig.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exeC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exeC:\Program Files\Dell\Bluetooth Software\bin\btwdins.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\Dell\QuickSet\NICCONFIGSVC.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\system32\RegSrvc.exeC:\WINDOWS\system32\svchost.exeC:\Program Files\UPHClean\uphclean.exeC:\WINDOWS\system32\SearchIndexer.exeC:\WINDOWS\system32\rundll32.exeC:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeC:\Program Files\Dell\QuickSet\quickset.exeC:\WINDOWS\BCMSMMSG.exeC:\Program Files\Apoint\Apoint.exeC:\Program Files\Winamp\winampa.exeC:\WINDOWS\system32\RUNDLL32.EXEC:\WINDOWS\PixArt\PAC207\Monitor.exeC:\Program Files\HP\HP Software Update\HPWuSchd2.exeC:\Program Files\Apoint\HidFind.exeC:\Program Files\Apoint\Apntex.exeC:\Program Files\iTunes\iTunesHelper.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\DAEMON Tools\daemon.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\Messenger\Msmsgs.exeC:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeC:\Program Files\Stardock\ObjectDock\ObjectDock.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\HP\Digital Imaging\bin\hpqimzone.exeC:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exeC:\Program Files\iPod\bin\iPodService.exeC:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\system32\wuauclt.exeC:\Program Files\Internet Explorer\iexplore.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dllO4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgentO4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exeO4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exeO4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exeO4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exeO4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exeO4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exeO4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exeO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottimeO4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /minO4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exeO4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeO4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /backgroundO4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exeO4 - Global Startup: BTTray.lnk = ?O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exeO4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exeO4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exeO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htmO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exeO9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO23 - Service: Avira AntiVir Personal Link to post Share on other sites More sharing options...
Caz Posted July 16, 2008 Author ID:22959 Share Posted July 16, 2008 Blah, I'm tired, forgot to add that system seems to be running fine, no alerts or anything although still slow on loadup, but that could be due to age of laptop, plus amount of stuff she has on it i.e., her entire music collection I think Will check in tomorrow for any further instructions. Heartfelt thanks for your help, looks like we gone from a laptop that was about to be thrown out to one that is working again Link to post Share on other sites More sharing options...
1972vet Posted July 16, 2008 ID:22972 Share Posted July 16, 2008 I'm wondering if the trojans that showed up in the log were picked up by Avira, The trojans that I instructed you to remove appeared in the original log. You didn't have Avira installed then....as I downloaded that after I posted the logs. Would this cause them not to be there? I remember Avira beeping and me denying access to several trojan alerts.Let's not continue confusing the masses. The trojans were in your original log. The instructions were to download and run SDFix and SmitFraudFix, both targeting the problem files specifically. Upon posting the logs after running those tools, their respective logs showed absolutely no findings just as they would if your system were not infected...nonetheless, the malware entries were absent from the hijackthis log. Avira also first appeared in that same HijackThis log. The way Avira would have handled an alert from ANY of those trojans you had would not have happened the way you described. It would not just have beeped and asked you for access...that description sounds more like how a firewall would behave. Besides all that, if you DID download Avira AFTER you posted those logs it would not have found the malware since THOSE LOGS showed proof that the malware had already been removed. ...If however, you heard Avira beep at you after you posted those logs, what it undoubtedly found would have been the files that the two utilities had arrested from the scans I instructed you to run. This however would not have caused the logs from those scans to show no findings. The only reason for that would be one of these two possibilities:1) You scanned twice with each utility and posted the logs from the second scan which of course, would show nothing since the first scan would have removed the malware2) You purposely edited the scan logsBeyond that, I haven't a clue what else could possibly have happened on your end since it seems feasible that other family members may have gotten to that laptop between posts. Regardless, the tale has a happy ending. Your logs look clean, and I'm very happy to have been some help...now, off to help someone else.You can download the latest Java version Here.Delete these:SmitFraudFixSDFixNow that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean) Click "Create" and reboot your computer.To assist in the prevention of spyware infections:Immunize your browser by installing Spywareblaster. What does it do? Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.Keep your anti-virus and spyware definitions up to date. Be sure to scan often.Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.You should always have at least (but not more than ) one of these types of third party firewalls running on board:Kerio Personal FirewallZone AlarmOutpost FreeComodoInstall the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download "Solution" feature that updates the exploited software AND provides other related information/patching if warranted.Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.So how did I get infected in the first place?Regards, and Happy Surfing! Link to post Share on other sites More sharing options...
JeanInMontana Posted July 16, 2008 ID:23003 Share Posted July 16, 2008 Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you. Link to post Share on other sites More sharing options...
Recommended Posts