Jump to content

antivirusPro2008


Recommended Posts

Ok, ran daughters laptop as Admin, in safe mode, managed to d/l anti-malware prog from here,

Log of the quick scan follows:

Malwarebytes' Anti-Malware 1.20

Database version: 935

Windows 5.1.2600 Service Pack 2

3:00:04 PM 10/07/2008

mbam-log-7-10-2008 (14-59-59).txt

Scan type: Quick Scan

Objects scanned: 49250

Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 2

Registry Keys Infected: 34

Registry Values Infected: 8

Registry Data Items Infected: 3

Malwarebytes' Anti-Malware 1.20

Database version: 935

Windows 5.1.2600 Service Pack 2

3:29:14 PM 10/07/2008

mbam-log-7-10-2008 (15-29-14).txt

Scan type: Quick Scan

Objects scanned: 49250

Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 2

Registry Keys Infected: 34

Registry Values Infected: 8

Registry Data Items Infected: 3

Folders Infected: 12

Files Infected: 50

Memory Processes Infected:

C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\efcCvUlm.dll (Trojan.Vundo) -> Unloaded module successfully.

C:\WINDOWS\system32\geBtTKCr.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3d67649d-4e34-4e6b-8d8f-b2258c88ee8a} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{3d67649d-4e34-4e6b-8d8f-b2258c88ee8a} (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\CLSID\{3ba3028f-fd37-46bf-ad27-733734684f06} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ba3028f-fd37-46bf-ad27-733734684f06} (Trojan.Vundo) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gebttkcr (Trojan.Vundo) -> Delete on reboot.

HKEY_CLASSES_ROOT\f406.f406mgr (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\f406.f406mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{1b12f639-cba9-45dd-89fe-9fa7d4340716} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1b12f639-cba9-45dd-89fe-9fa7d4340716} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7c4bcd17-bdba-4078-9d8c-8ca8b7eabe77} (Rogue.Multiple) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{101900f3-7aeb-4e3b-b4cc-dcb483b3b92f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{9c7e91a9-0001-4c4e-bcc2-a56bc8329049} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{a59c4135-df7a-4666-8129-478376867b3c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8663655c-f6d4-4520-859e-67008902a889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8663655c-f6d4-4520-859e-67008902a889} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Interface\{f70c9bf7-63da-40cc-a57c-b874b07259e0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\Typelib\{7f62b052-bbd3-476f-a8d5-aea51d86367a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{80123684-a222-4009-8220-a867294d6de8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\antivirus 2008 pro (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} (Trojan.Clicker) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{847bbd3d-f172-4601-8968-4c0e2cf4ec2e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{8e5f73bf-6d5d-4713-bce9-ced3018182b0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{f684ef8d-6ff8-4eec-8984-a2f6fa2d9eda} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2503a820-0a9c-4265-b76d-85c6e57363f2} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{71ddc372-b232-4855-a11a-ccc601f6c372} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\nqgpedlr.bxod (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\nqgpedlr.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7405c5df (Trojan.Vundo) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{3ba3028f-fd37-46bf-ad27-733734684f06} (Trojan.Vundo) -> Delete on reboot.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{80123684-a222-4009-8220-a867294d6de8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\checkvoid (Trojan.Clicker) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antiviirus (Trojan.Downloader) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\okmdepgb (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\axrfgvek (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccvulm -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccvulm -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55274-640-8365391-23951) -> Quarantined and deleted successfully.

Folders Infected:

C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\778670 (Trojan.BHO) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:

C:\WINDOWS\system32\efcCvUlm.dll (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\mlUvCcfe.ini (Trojan.Vundo) -> Delete on reboot.

C:\WINDOWS\system32\mlUvCcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tcrrjsdm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\mdsjrrct.ini (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\geBtTKCr.dll (Trojan.Vundo) -> Delete on reboot.

C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\778670\778670.dll (Trojan.BHO) -> Quarantined and deleted successfully.

C:\WINDOWS\kgqfweltmrg.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\nqgpedlr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\esrp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\khfGaaWo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\dssec.exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\lprn32.exe (Trojan.DownLoader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\02W0SBON\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\1Z0MAXMT\1215385821[1].exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\1Z0MAXMT\226[1].exe (Trojan.DownLoader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\1Z0MAXMT\Antivirus2008PRO[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\DCJX9BC3\Install_226_-1_[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\FBTZOKWE\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\winspywareprotect.exe (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\BASE\vbase.dat (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080708011521290.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709001331630.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709005015273.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080709010639612.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710130402654.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\All Users\Application Data\ADSL Software Ltd\WinSpywareProtect\LOG\20080710133854702.log (Rogue.Multiple) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus) -> Quarantined and deleted successfully.

C:\WINDOWS\Resources\CheckVoid.dll (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Program Files\antiviirus.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Program Files\tmp0.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\tmp1.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Program Files\tmp2.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\okmdepgb.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\mrvtdpqe.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\axrfgvek.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Desktop\antivirus-2008pro.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Application Data\TmpRecentIcons\antivirus-2008pro.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dell\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.

Folders Infected: 12

Files Infected: 50

About to sort out HJT d/l so will add that log once done

I'm actually cringing here at the amount of infected files she has :-(

Link to post
Share on other sites

HJT Log:

Malwarebytes' Anti-Malware 1.20

Database version: 935

Windows 5.1.2600 Service Pack 2

3:00:04 PM 10/07/2008

mbam-log-7-10-2008 (14-59-59).txt

Scan type: Quick Scan

Objects scanned: 49250

Time elapsed: 8 minute(s), 24 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 2

Registry Keys Infected: 34

Registry Values Infected: 8

Registry Data Items Infected: 3

Folders Infected: 12

Files Infected: 50Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:11:00 PM, on 10/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Safe mode with network support

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\PROGRA~1\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

O4 - HKLM\..\Run: [7405c5df] rundll32.exe "C:\WINDOWS\system32\tcrrjsdm.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O21 - SSODL: okmdepgb - {8E5F73BF-6D5D-4713-BCE9-CED3018182B0} - C:\WINDOWS\okmdepgb.dll

O21 - SSODL: axrfgvek - {2503A820-0A9C-4265-B76D-85C6E57363F2} - C:\WINDOWS\axrfgvek.dll

O21 - SSODL: CheckVoid - {bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} - C:\WINDOWS\Resources\CheckVoid.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe

O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe

O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--

Link to post
Share on other sites

Let's try to uninstall a couple of the problems...Please click start-->Control Panel-->Add/Remove Programs. Scroll down the list to locate the program names:

Antivirus 2008 PRO

Java (jre1.6.0_02)

Click on each (one at a time) to highlight them, then click Remove. Reboot when finished uninstalling. When we are satisfied the system is cleaned, we can download the latest version of Java.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

I am going to give you two sets of instructions...both relating to the Smitfraud infection that you have. The first set of instructions will cause the tool that we will download, to find the bad files. The second set will allow the tool to delete the bad files it found.

With each set there is a log generated. It is important that you remember to post both logs in your next reply. You must perform these steps exactly as presented and cannot skip a step. The application will delete nothing unless you first allow it to find the bad files...which is why you must follow these instructions exactly as presented:

Set #1

Please download:

SmitfraudFix (by S!Ri)

Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd

Select option #1 - Search by typing 1 and press"Enter"; a text file will appear, which lists infected files (if present). Please remember to copy/paste the content of that report into your next reply.

Note :

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Set#2

Next, reboot the computer into Safemode.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press"Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into your Normal Windows user mode.

A text file will appear onscreen, with results from the cleaning process; please remember to copy/paste the content of that report into your next reply as well.

The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Next, please download SDFix and save it to your Desktop.

Double click SDFix.exe and the files will be extracted to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Reboot the computer into Safe mode again.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt
    (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).

Please run HijackThis again and check the box next to these entries that may still exist:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

O4 - HKLM\..\Run: [7405c5df] rundll32.exe "C:\WINDOWS\system32\tcrrjsdm.dll",b

O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

O21 - SSODL: okmdepgb - {8E5F73BF-6D5D-4713-BCE9-CED3018182B0} - C:\WINDOWS\okmdepgb.dll

O21 - SSODL: axrfgvek - {2503A820-0A9C-4265-B76D-85C6E57363F2} - C:\WINDOWS\axrfgvek.dll

O21 - SSODL: CheckVoid - {bd4d6c1d-a034-481a-bcb0-6cc434dac3c2} - C:\WINDOWS\Resources\CheckVoid.dll

Close all windows now except for the hijackthis application's window, then click the Fix Checked button. Reboot again to properly record the changes made to the hard disk.

Finally paste the contents of the Report.txt back here along with your rapport.txt documents from the smitraudfix utility and a fresh HijackThis log.

Link to post
Share on other sites

If we log into my daughters laptop on her account, as main user, we can connect to the net but sites take ages to load, then tend to "hang" so no further loading happens, hence why I had to log into it using Admin, and in safe mode with networking, was only way to get the programmes to d/l.

It may take me a few days to follow your instructions 1972vet, since I'm starting two nightshifts tonight, so may not get round to this till Saturday afternoon.

I did check add/remove programmes for Antivirus2008Pro ....... it wasn't there ..... but I shall definitely have a further check when I boot it up next.

Link to post
Share on other sites

SDFix: Version 1.204

Run by Dell on 13/07/2008 at 12:28 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-07-13 12:42:43

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,..

"khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0010c616958e]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,..

"khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c616958e]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]

"s1"=dword:2df9c43f

"s2"=dword:110480d0

"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,..

"khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0010c616958e]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]

"p0"="C:\Program Files\DAEMON Tools\"

"h0"=dword:00000000

"khjeh"=hex:7c,52,32,f4,16,3f,71,bd,30,70,e1,90,45,03,81,b0,5a,7c,da,1c,75,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]

"a0"=hex:20,01,00,00,6b,5d,80,50,c0,0e,30,ab,27,40,96,fe,6d,8c,cf,1f,bd,..

"khjeh"=hex:a3,77,86,be,6d,5b,8d,2b,71,bf,47,89,19,cb,04,66,cf,12,c1,f8,e7,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]

"khjeh"=hex:64,a7,50,5d,12,58,6d,46,81,82,f6,e5,7f,d8,db,35,a2,97,bc,6a,9e,..

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"

"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

"C:\\Program Files\\Messenger\\Msmsgs.exe"="C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger"

"C:\\Program Files\\Xfire\\xfire.exe"="C:\\Program Files\\Xfire\\xfire.exe:*:Enabled:Xfire"

"C:\\WINDOWS\\system32\\lxcfcoms.exe"="C:\\WINDOWS\\system32\\lxcfcoms.exe:*:Enabled:730 Series Server"

"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxcfpswx.exe:*:Enabled:730 Series Printer Status"

"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:

Link to post
Share on other sites

SmitFraudFix v2.329

Scan done at 19:01:23.06, 11/07/2008

Run from C:\Documents and Settings\Dell\Local Settings\Temp\Temporary Internet Files\Content.IE5\02W0SBON\SmitfraudFix[1]\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode

Link to post
Share on other sites

Only log still to post is the HJT Log, and for some reason, perhaps files were too big to post, I had to do it the upload way, tried doing HJT Log that way also, but it wouldn't let me - oh boy am I having fun. Will try in a while to get the HJT Log posted, maybe I shall have to zip it and do it that way.

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:54:33 AM, on 14/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Avira AntiVir Personal

Link to post
Share on other sites

I'm a bit confused with the information that you posted. You said yesterday in post #6 that you had all your logs and were ready to post but that you were having problems. Then, today you posted the logs but the date of the scan for sdfix for example, is today's date. Did you edit that log? The reason I ask is because there were a few trojan files in your log that sdfix specifically targets. There's no chance that it would have missed them yet the log you posted shows that sdfix found nothing. Nevertheless, all the malware entries are removed.

Please finish up with the removal of the outdated java and your Symantec stuff then post another fresh HijackThis log. Also, advise how the system performs now. Thanks!

Link to post
Share on other sites

I can see why you are confused, I am also confused as it's saying this scan was done on Friday 11th:

SmitFraudFix v2.329

Scan done at 19:01:23.06, 11/07/2008

when I was actually in work at that time.

Would you like me to rescan once I have taken off Java and the Symantec stuff?

(Using my own system at the moment) - system on the laptop seems to be performing okay, slow to load up but then again, I think this is a problem with all laptops is it not? Only other thing that appears to have gone awol somewhere is the list in the System Tools i.e., no sign of defragging option although I am not 100% sure they were there previously.

Will sort out Java removal and symantec removal very shortly and post another HJT Log.

Link to post
Share on other sites

...the log you posted shows that sdfix found nothing. Nevertheless, all the malware entries are removed.

That is what confuses me. It's not possible your log would be cleaned up when the scans showed that nothing was found. In the log there were several trojans that SDFix specifically targets, as well there was a smitfraud file that the SmitFraudFix utility also specifically targets...mysteriously though, they've disappeared with no trace of their findings from any of the logs you posted...they're just gone, but at least they're gone.

Nonetheless, since your last log looks clean I would like to see another log after you've removed Symantec and updated your java. Thanks!

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:33:36 AM, on 15/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Avira AntiVir Personal

Link to post
Share on other sites

Your log shows that Symantec is still installed...there's more than "just one thing" that remains. You can use their removal tool. More on that in just a bit...

The two entries below both first appeared only after you somehow removed all of the malware entries from the original instructions:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

...That "O2" entry is valid. It represents the Windows Live Call HoverToCall feature in Windows Live Messenger but it's file has been remove. You could remove that entry using HijackThis but I would hesitate to advise that unless you have no intention of using the Live Messenger anymore.

That "O6" entry is interesting. I see no evidence of Spybot Search and Destroy which is usually the reason for that entry. Have you used some kind of "Administrative" locking feature? If not, you can run HijackThis again and check/fix that entry.

As for your assertion that the malware entries were not present in any of the logs from the utility scans I recommended, please understand that what is suggested by those logs is not possible:

Below is a SmitFraud File that appeared in your original log:

O3 - Toolbar: nqgpedlr - {80123684-A222-4009-8220-A867294D6DE8} - C:\WINDOWS\nqgpedlr.dll

Below is the Trojan-Downloader.Win32.Agent.keu. This also appeared in the original log and it is specifically targeted by SDFix:

O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe

Below is another trojan that appeared in your original log and it too is specifically targeted by SDFix:

O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe

...and as we all can see, none of those I recommended that you remove are still present in the last HijackThis log posted.

I'm still confused......

I'll bet lol...this stuff is tricky sometimes huh?

just had quick reread of the instructions regarding the smitfraud bit....especially the part where it said running this on an uninfected system will remove your desktop picture or something like that - it did remove the desktop background, but i'm not complaining, if the trojans or whatever were picked up it's all to the good :-)

The warning is to advise that the desktop background is removed...whether the system is infected or not, the background is removed. It's purpose is to discourage a user from just downloading and running the SmitFraudFix utility in a willy-nilly fashion...thus an uninfected user will have been saved the heartburn.

Do you want me to to another scan with the SDFix? If so I shall do this tomorrow night, and there's just one thing from symantec that is refusing to go grrrrr.

Since the last log you posted shows no evidence of the malware there would be no reason to run the SDFix utility again.

You can download the Symantec Removal Tool to remove a failed install/uninstall or damaged product.

Post back a fresh HijackThis log when completed. Please advise how the system performs now. Thanks!

Link to post
Share on other sites

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:30:49 AM, on 16/07/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\1XConfig.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Dell\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

C:\Program Files\Dell\QuickSet\quickset.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Apoint\Apoint.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\PixArt\PAC207\Monitor.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Apoint\HidFind.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DAEMON Tools\daemon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\Msmsgs.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe

O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [Monitor] C:\WINDOWS\PixArt\PAC207\Monitor.exe

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe

O4 - Global Startup: BTTray.lnk = ?

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Dell\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O23 - Service: Avira AntiVir Personal

Link to post
Share on other sites

Blah, I'm tired, forgot to add that system seems to be running fine, no alerts or anything although still slow on loadup, but that could be due to age of laptop, plus amount of stuff she has on it i.e., her entire music collection I think :)

Will check in tomorrow for any further instructions. Heartfelt thanks for your help, looks like we gone from a laptop that was about to be thrown out to one that is working again :(

Link to post
Share on other sites

I'm wondering if the trojans that showed up in the log were picked up by Avira,

The trojans that I instructed you to remove appeared in the original log. You didn't have Avira installed then.

...as I downloaded that after I posted the logs. Would this cause them not to be there? I remember Avira beeping and me denying access to several trojan alerts.

Let's not continue confusing the masses. The trojans were in your original log. The instructions were to download and run SDFix and SmitFraudFix, both targeting the problem files specifically. Upon posting the logs after running those tools, their respective logs showed absolutely no findings just as they would if your system were not infected...nonetheless, the malware entries were absent from the hijackthis log. Avira also first appeared in that same HijackThis log. The way Avira would have handled an alert from ANY of those trojans you had would not have happened the way you described. It would not just have beeped and asked you for access...that description sounds more like how a firewall would behave. Besides all that, if you DID download Avira AFTER you posted those logs it would not have found the malware since THOSE LOGS showed proof that the malware had already been removed.

...If however, you heard Avira beep at you after you posted those logs, what it undoubtedly found would have been the files that the two utilities had arrested from the scans I instructed you to run. This however would not have caused the logs from those scans to show no findings. The only reason for that would be one of these two possibilities:

1) You scanned twice with each utility and posted the logs from the second scan which of course, would show nothing since the first scan would have removed the malware

2) You purposely edited the scan logs

Beyond that, I haven't a clue what else could possibly have happened on your end since it seems feasible that other family members may have gotten to that laptop between posts. Regardless, the tale has a happy ending. Your logs look clean, and I'm very happy to have been some help...now, off to help someone else.

You can download the latest Java version Here.

Delete these:

SmitFraudFix

SDFix

Now that your system is clean and running the way you expect, let's create a new restore point you can refer to should the need arise at some point in the future.

Please click "Start->Programs->Accessories->System Tools->System Restore". In the new window, check the 'Create a restore point' in the right pane and click "Next". In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean) Click "Create" and reboot your computer.

To assist in the prevention of spyware infections:

Immunize your browser by installing Spywareblaster. What does it do?

  • Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.

  • Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.

  • Restricts the actions of potentially unwanted sites in Internet Explorer.

Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

Below you can choose from several of the freeware Firewalls available on the public domain. Even though you may have a Firewall already installed, keep this list handy should you choose not to renew your subscription for whatever reason.

You should always have at least (but not more than ) one of these types of third party firewalls running on board:

Kerio Personal Firewall

Zone Alarm

Outpost Free

Comodo

Install the free security tool "Secunia PSI" to help protect your system against software vulnerabilities. The free utility scans your system's software applications and offers a one button "Download "Solution" feature that updates the exploited software AND provides other related information/patching if warranted.

Stay updated with the most recent Windows patches as well...using Microsoft's Windows Update. Make it easy on yourself, and set this feature to Automatic.

Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox. If you don't already have "Firefox", please consider installing and using this browser for surfing.

If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

Run CCleaner often. The Yahoo Toolbar is included by default during the installation...if you DO NOT WANT IT, be sure to remove the check from the "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser" option during installation setup.

Or if you just want to run your on board Disk Cleanup ("Start--> Programs-->Accessories-->System Tools-->Disk Cleanup" ), just open the utility and check off the following:

Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files. Don't forget to defrag the system.

So how did I get infected in the first place?

Regards, and Happy Surfing!

Link to post
Share on other sites

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.