This malware is making me tear my hair out, please help me :(

[Dyleet]

Hi everyone. I'm kind of new to this message board/forum type of thing, so please bare with me, and forgive any false assumptions i make!

I've had a bit of trouble with malware recently, I think i acquired some particularly noxious stuff when i was searching for a serial/key for a piece of design software

Anyway, i have followed the Hijack This Log: Prepost instructions, i had a little bit of trouble when i got the AVG scanning, it got 3/4 of the way through the system scan and then the icons from my desktop and my taskbar disappeared (this is in safe mode like the instructions said to do) but the AVG window was open and still scanning, so i left it. Eventually my screensaver came on, and when i moved my mouse i was back to the desktop again, and the AVG window had vanished, and there were still no desktop icons or taskbar?!

I restarted my pc in safe mode again, to try and run the ATF cleaner (because that was the next thing on the list of things to do) but it wasn't on the desktop in safe mode, so i restarted in normal windows mode and ran it from there.

After ATF had done its thing, i opened AVG and activated the resident shield and automatic updates, and shortly afterwards, my pc started rattling away the same as when it's doing a system scan. I noticed that the "detected malware so far" was doubling every 10minutes or so. My Pc has stopped rattling now, but the detected malware has gone from 41 to 21,155 in about an hour. Should i be worried!?

I have windows XP pro (but I've recently been told by microsoft, that I'm a victim of software counterfeiting).

I'm a student, so I'll deal to that when i save up the funds!

I would greatly appreciate anyone's help on this, here is my first Hijack-This Log:

Logfile of HijackThis v1.99.1

Scan saved at 12:39:30 a.m., on 17/10/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe

C:\WINDOWS\system32\HotfixQ0306270.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\WgaTray.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe

O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\RunServices: [MCAFFE FLD LOADER] mcaffefld.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{056D6DE7-F21C-4C09-933C-E43079A0484E}: NameServer = 10.1.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{056D6DE7-F21C-4C09-933C-E43079A0484E}: NameServer = 10.1.1.1

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Microsoft IE - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\IEXPLORE.EXE" -netsvcs (file missing)

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[therock247uk]

Please make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://pchowtos.co.uk/index.php?page=tutor...=view&id=34

Open Hijackthis and click scan. Then check mark the following entries

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O4 - HKLM\..\RunServices: [MCAFFE FLD LOADER] mcaffefld.exe

Now close all open windows except Hijackthis and click fix checked

Reboot and Delete the files. (if present)

c:\windows\system32\mcaffefld.exe

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

• Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.
  

If you use Firefox browser

• Click Firefox at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser

• Click Opera at the top and choose: Select All
  Click the Empty Selected button.
  NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

• Once you are on the Panda site click the Scan your PC button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Click the big Scan Now button
  
• If it wants to install an ActiveX component allow it
  
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  
• When download is complete, click on My Computer to start the scan
  
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
  

[Dyleet]

Thanks for the help thus far. I just did all of the above instructions. The Panda scan detected a few things, this is the log from that:

Incident Status Location

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies-27.txt[.winantivirus.com/]

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies-27.txt[.errorsafe.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies-27.txt[searchportal.information.com/]

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies-27.txt[.drivecleaner.com/]

Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies.txt[.winantivirus.com/]

Spyware:Cookie/ErrorSafe Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies.txt[.errorsafe.com/]

Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies.txt[searchportal.information.com/]

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\dylan\Application Data\Mozilla\Firefox\Profiles\aa8b5too.default\cookies.txt[.drivecleaner.com/]

Virus:Eicar.Mod Not disinfected C:\Program Files\PestPatrol\Help.chm[/HowCanITestDetection.html]

Virus:W32/Gaobot.AUS.worm Disinfected C:\WINDOWS\system32\TFTP584

Virus:Bck/Agent.CWB Disinfected C:\WINDOWS\system32\winuqw32.dll.mwt

[therock247uk]

Ok post a new Hijackthis log here in a reply.

[Dyleet]

ok, this is the log of the scan i did this morning.

Logfile of HijackThis v1.99.1

Scan saved at 10:41:13 a.m., on 21/10/2006

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Tablet.exe

C:\WINDOWS\System32\wdfmgr.exe

C:\WINDOWS\system32\ZoneLabs\vsmon.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE

C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe

C:\WINDOWS\system32\HotfixQ0306270.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\Microsoft Hardware\Keyboard\type32.exe

C:\Program Files\Google\Gmail Notifier\gnotify.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Spyware Doctor\swdoctor.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xtramsn.co.nz/home/

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O4 - HKLM\..\Run: [EPSON Stylus C83 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C83 Series" /O6 "USB001" /M "Stylus C83"

O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe

O4 - HKLM\..\Run: [Prolific_PLUtil] C:\Program Files\Prolific\USB Flash Disk Utility\PLBkMon.exe

O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [intelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"

O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{056D6DE7-F21C-4C09-933C-E43079A0484E}: NameServer = 10.1.1.1

O17 - HKLM\System\CS2\Services\Tcpip\..\{056D6DE7-F21C-4C09-933C-E43079A0484E}: NameServer = 10.1.1.1

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Microsoft IE - Unknown owner - C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\C:\WINDOWS\System32\IEXPLORE.EXE" -netsvcs (file missing)

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe