Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

virus take over... can't open S&D, hijack, avg, etc...

Started by AE77surfer , Oct 22 2008 09:39 AM

Please log in to reply

#16
kahdah

Posted 27 October 2008 - 08:26 PM

GeekU Teacher

Retired Staff
15,822 posts

Hmm I can see from your previous logs that you already have Sp3 installed.

See if doing a system restore to the last working date before this happened.
It may restore those functions back.

Here are instructions if you do not know how:

http://support.microsoft.com/kb/306084

#17
AE77surfer

Posted 27 October 2008 - 08:27 PM

Member

Topic Starter
Member
47 posts

i tried the only restore point is from earlier today

#18
kahdah

Posted 27 October 2008 - 08:37 PM

GeekU Teacher

Retired Staff
15,822 posts

I will need a bit of time for the other issue in the meantime please do the following:

Download GMER from Here :
Unzip it to the desktop.

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run click Copy and paste the results (if any) into this thread.

#19
AE77surfer

Posted 27 October 2008 - 09:23 PM

Member

Topic Starter
Member
47 posts

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-10-27 23:22:21
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF84BE0B0]
SSDT sptd.sys ZwEnumerateKey [0xF84C3A92]
SSDT sptd.sys ZwEnumerateValueKey [0xF84C3E20]
SSDT sptd.sys ZwOpenKey [0xF84BE090]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess [0xF8C8A8AC]
SSDT sptd.sys ZwQueryKey [0xF84C3EF8]
SSDT sptd.sys ZwQueryValueKey [0xF84C3D78]
SSDT sptd.sys ZwSetValueKey [0xF84C3F8A]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xF8C8A812]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F81868AC 5 Bytes JMP 83176568
? System32\Drivers\aljrjanm.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F84D297E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F84D292A] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84EDB4E] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F84D297E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F84BEAB4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F84BEBFA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84BEB7C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84BF728] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84BF5FE] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84D1C5A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 833D31E8
Device \FileSystem\Fastfat \FatCdrom 825411E8
Device \FileSystem\Udfs \UdfsCdRom 82FEA980
Device \FileSystem\Udfs \UdfsDisk 82FEA980
Device \Driver\NetBT \Device\NetBT_Tcpip_{385D0096-110C-4A30-ADB7-56097151D362} 82590490
Device \Driver\usbuhci \Device\USBPDO-0 83156980
Device \Driver\usbuhci \Device\USBPDO-1 83156980
Device \Driver\usbuhci \Device\USBPDO-2 83156980
Device \Driver\usbuhci \Device\USBPDO-3 83156980
Device \Driver\usbehci \Device\USBPDO-4 831771E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 833611E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 833611E8
Device \Driver\sysaudio \Device\sysaudio ED7840F7
Device \Driver\Cdrom \Device\CdRom0 830B91E8
Device \Driver\Cdrom \Device\CdRom1 830B91E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 833611E8
Device \Driver\Cdrom \Device\CdRom2 830B91E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82590490
Device \Driver\NetBT \Device\NetbiosSmb 82590490
Device \Driver\PCI_NTPNP3820 \Device\0000005a sptd.sys
Device \Driver\USBSTOR \Device\00000089 825B21E8
Device \Driver\usbuhci \Device\USBFDO-0 83156980
Device \Driver\usbuhci \Device\USBFDO-1 83156980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 825801E8
Device \Driver\usbuhci \Device\USBFDO-2 83156980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 825801E8
Device \Driver\usbuhci \Device\USBFDO-3 83156980
Device \Driver\usbehci \Device\USBFDO-4 831771E8
Device \Driver\Ftdisk \Device\FtControl 833611E8
Device \Driver\USBSTOR \Device\0000008b 825B21E8
Device \Driver\aljrjanm \Device\Scsi\aljrjanm1 830AB980
Device \Driver\aljrjanm \Device\Scsi\aljrjanm1Port2Path0Target0Lun0 830AB980
Device \FileSystem\Fastfat \Fat 825411E8

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs 82FDD1E8
Device \FileSystem\Cdfs \Cdfs ED7A5BCE

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x5C 0x26 0x13 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0xC9 0x45 0xA9 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x10 0xB1 0xDC 0xFD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x15 0xF2 0x38 0x7F ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9C 0x06 0xD7 0xA3 ...
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv@imagepath \systemroot\system32\drivers\TDSSpxfe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@TDSSserv \systemroot\system32\drivers\TDSSpxfe.sys
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@TDSSl \systemroot\system32\TDSSoitu.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssservers \systemroot\system32\TDSSmtpe.dat
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssmain \systemroot\system32\TDSSarxx.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdsslog \systemroot\system32\TDSSyoqm.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssadw \systemroot\system32\TDSSnpur.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssinit \systemroot\system32\TDSSdxgp.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssurls \systemroot\system32\TDSSnmxh.log
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdsspanels \systemroot\system32\TDSSsahc.dll
Reg HKLM\SYSTEM\ControlSet001\Services\TDSSserv\modules@tdssserf \systemroot\system32\TDSSihyf.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -726238967
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1683118007
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x5C 0x26 0x13 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0xC9 0x45 0xA9 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA0 0x5D 0xE6 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x15 0xF2 0x38 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9C 0x06 0xD7 0xA3 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x5C 0x26 0x13 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0xC9 0x45 0xA9 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x10 0xB1 0xDC 0xFD ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x15 0xF2 0x38 0x7F ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9C 0x06 0xD7 0xA3 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA6 0x5C 0x26 0x13 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0xC9 0x45 0xA9 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA0 0x5D 0xE6 0x09 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x15 0xF2 0x38 0x7F ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x9C 0x06 0xD7 0xA3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32@ C:\WINDOWS\System32\MFC42u.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{558EC983-BEDB-9168-B2DE-31DBF0EE543E}\InprocServer32@InprocServer32 DlIn'Z~ac@OcUSWt[Di'NortonAntiVirus>=3&5,B^pf(V%eqFgkW_B?ClWaQ6XiR?P}Amov]r)1AnimationShop3_TryAndBuy>=3&5,B^pf(V%eqFgkW_B?sa'XjJ2^n?t(dx_CVLkfPaintShopPhotoAlbum>=%YAYRcuf(mdaqF-Q9q.?sa'XjJ2^n?t(dx_CVLkfPaintShopPhotoAlbum>=3&5,B^pf(V%eqFgkW_B?$cCq9dWpp8H]DsMG=54JDellAlert>=3&5,B^pf(V%eqFgkW_B?nnPl(}XP9?_,O3?,aFS^>=3&5,B^pf(V%eqFgkW_B?

---- EOF - GMER 1.0.14 ----

#20
kahdah

Posted 28 October 2008 - 04:10 AM

GeekU Teacher

Retired Staff
15,822 posts

Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

C:\WINDOWS\System32\Drivers\aljrjanm.SYS

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete, please copy and paste those results in your next post.
=================
Backing Up Your Registry

Go Here and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
Make sure that at least the first two check boxes are ticked
Press OK
Press YES to create the folder.

====================================
Also try this for the other issues:

You must use regedt32.exe in Windows 2000/XP (as I have not seen this problem posted
for any other operating system). Be very carefull making changes in the regisrty!

You must be logged on as a local administrator to perform this task:

1. Go to "Start", "Run", and enter "regedt32"
2. Maximize the "HKEY_LOCAL_MACHINE" window.
3. Scroll down to "SYSTEM\CurrentControlSet\Enum"
4. With "Enum" selected click the "Security", "Permissions" menu.

Note: At this point you will probably notice there are no permissions on this key.

5. Click "Add".
6. Add the group "Everyone" and the user "SYSTEM".
7. Select "Everyone" and check "Read" ONLY!
8. Select "SYSTEM" and check "Full Control".
9. Click the "Advanced" button at the bottom of the window.
10. On the Advanced window check "Reset permissions on all child objects..."
11. Click "OK"
12. On the warning window click "Yes"
13. Close REGEDT32

You should now be able to see everything in Device Manager, Network Places Properties,
and Printers.

#21
AE77surfer

Posted 28 October 2008 - 06:17 PM

Member

Topic Starter
Member
47 posts

ok, a few things... i can't get on the internet so i cant run that file through those scanners. im pretty much working with a laptop and a flash memory card, so any scanner has to be downloadable. i downloaded and ran erunt as you specified. lastly i ran regedit, i couldnt find the security link you mention but i right clicked it and found permissions but it already had everyone and system in the window. i got rid of them and created new ones and did everything you said except i also couldnt find "reset permissions on all child objets... there was one that mentioned child locks but not word for word as you said, so i clicked it anyway. anyway i reset the computer and everything is the same. still no network connections, no device manager, and no internet.

#22
AE77surfer

Posted 28 October 2008 - 07:07 PM

Member

Topic Starter
Member
47 posts

ok quick but big update, i went into msconfig and selected normal start up as opposed to selective start up and my most of my problems are fixed, except now my computer is terribly slow because of how many programs loaded at startup. also tried to send that file again, but i dont think it is on my computer any more, or at least not where you said it was... heres a new hijack log, let me know what you think.... Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:31 PM, on 10/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iTunesHelper.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\WiFiConnector\NintendoWFCReg.exe
C:\Documents and Settings\DREW\Desktop\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\WebUpdater.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Lynda\Desktop\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157903837077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10120 bytes

#23
kahdah

Posted 29 October 2008 - 04:03 AM

GeekU Teacher

Retired Staff
15,822 posts

These are all optional fixes only provided for you to speed up your computer.
Except for this entry:It needs to be fixed.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CtxfiReg] CTXFIREG.exe /FAIL1
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: iWin Desktop Alerts.lnk = C:\Documents and Settings\All Users\Application Data\iWin Games\DesktopAlerts\WebUpdater.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Documents and Settings\Lynda\Desktop\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Now click on Fix Checked and then close Hijackthis.
=====================================================
Also please uninstall AVG ANtispyware as well.

Then try the kaspersky scan again and post that log.

#24
AE77surfer

Posted 31 October 2008 - 10:27 AM

Member

Topic Starter
Member
47 posts

sorry, took me 6-7 tries to finally get a scan to finish....

Friday, October 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 31, 2008 11:19:49
Records in database: 1363914

Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan statistics
Files scanned 123735
Threat name 31
Infected objects 81
Suspicious objects 0
Duration of the scan 02:20:36

File name Threat name Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880000.VBN Infected: Backdoor.Win32.Agent.tlr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880001.VBN Infected: Backdoor.Win32.Agent.tlr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880002.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880003.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880004.VBN Infected: Backdoor.Win32.UltimateDefender.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880005.VBN Infected: Backdoor.Win32.UltimateDefender.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880006.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880007.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880008.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880009.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0188000A.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ca 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0188000B.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ca 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0188000C.VBN Infected: Backdoor.Win32.Agent.tlr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0188000F.VBN Infected: Trojan.Win32.VB.fxb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880010.VBN Infected: Trojan.Win32.VB.fxb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880011.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880012.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880013.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01880014.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01CC0001.VBN Infected: Backdoor.Win32.Agent.tlr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01D00003.VBN Infected: Backdoor.Win32.UltimateDefender.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01D00004.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01D00005.VBN Infected: Trojan-Downloader.Win32.FraudLoad.vbxt 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01D00006.VBN Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01D00007.VBN Infected: Trojan.Win32.Buzus.abmc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01D80000.VBN Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0000.VBN Infected: Trojan.Win32.Buzus.abmc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0001.VBN Infected: Trojan.Win32.Buzus.abmc 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0002.VBN Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0003.VBN Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0006.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0007.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC000A.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC000B.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC000C.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC000D.VBN Infected: Backdoor.Win32.Small.gjm 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC000E.VBN Infected: Backdoor.Win32.Agent.tlr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC000F.VBN Infected: Backdoor.Win32.Agent.tlr 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0010.VBN Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0011.VBN Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.az 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0012.VBN Infected: Backdoor.Win32.TDSS.aso 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0012.VBN Infected: Trojan-Clicker.Win32.Agent.bvz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0012.VBN Infected: Backdoor.Win32.TDSS.asz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0012.VBN Infected: Backdoor.Win32.TDSS.atb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0013.VBN Infected: Backdoor.Win32.TDSS.aso 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0013.VBN Infected: Trojan-Clicker.Win32.Agent.bvz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0013.VBN Infected: Backdoor.Win32.TDSS.asz 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01EC0013.VBN Infected: Backdoor.Win32.TDSS.atb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05B00004.VBN Infected: Trojan.Win32.Agent.lom 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05B00009.VBN Infected: Backdoor.Win32.UltimateDefender.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06600000.VBN Infected: Trojan-Downloader.JS.Agent.cd 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06640000.VBN Infected: Exploit.HTML.VML.d 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06740000.VBN Infected: Trojan-Downloader.JS.Agent.cd 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\068C0000.VBN Infected: Exploit.JS.XMLCore.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80005.VBN Infected: not-a-virus:AdWare.Win32.ZenoSearch.ca 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80006.VBN Infected: Trojan.Win32.VB.fxb 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80007.VBN Infected: not-a-virus:NetTool.Win32.Agent.ay 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C80008.VBN Infected: Trojan.Win32.Agent.aiim 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07DC0004.VBN Infected: Trojan-Downloader.Win32.VB.hzp 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00000.VBN Infected: Backdoor.Win32.UltimateDefender.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07E00001.VBN Infected: Backdoor.Win32.UltimateDefender.a 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08C40001.VBN Infected: P2P-Worm.Win32.VB.dw 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D00000.VBN Infected: Trojan.Win32.Agent.aiim 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0B580000.VBN Infected: Trojan-Downloader.JS.IstBar.k 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0BF40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd 1

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DFC0000.VBN Infected: P2P-Worm.Win32.VB.dw 1

C:\Documents and Settings\DREW\.housecall6.6\Quarantine\Binaries1.cab2.bac_a00208 Infected: Trojan.Win32.FraudPack.gfc 1

C:\Documents and Settings\DREW\.housecall6.6\Quarantine\Binaries2.cab3.bac_a00208 Infected: Trojan.Win32.Agent.akkh 1

C:\Documents and Settings\DREW\.housecall6.6\Quarantine\Binaries2.cab3.bac_a00208 Infected: not-a-virus:FraudTool.Win32.XPSecurityCenter.ba 1

C:\Documents and Settings\Lynda\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\OMG.class-27df7ee0-2f3c4f32.class Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Documents and Settings\Lynda\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfge.class-53cc9798-30bb600a.class Infected: Trojan-Downloader.Java.OpenStream.y 1

C:\Qoobox\Quarantine\C\Program Files\XP_AntiSpyware\AVEngn.dll.vir Infected: Trojan.Win32.Agent.akkh 1

C:\Qoobox\Quarantine\C\Program Files\XP_AntiSpyware\XP_AntiSpyware.exe.vir Infected: Trojan.Win32.FraudPack.gfc 1

C:\Qoobox\Quarantine\C\WINDOWS\Q2xpZmZvcmQgTWFydGlu\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1

C:\Qoobox\Quarantine\C\WINDOWS\Q2xpZmZvcmQgTWFydGlu\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\dwwnw64r.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\mco2\ADI5MDi2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nys3\iPU560I.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.f 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\nys3\iPU560I.exe.vir Infected: not-a-virus:AdWare.Win32.WebHancer.390 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rlwnw64o.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1

C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\WS\WIE45V15.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1

The selected area was scanned.

#25
kahdah

Posted 31 October 2008 - 08:29 PM

GeekU Teacher

Retired Staff
15,822 posts

Very good let's see one more Hijackthis log and let me know of any remaining problems.

#26
AE77surfer

Posted 01 November 2008 - 01:35 AM

Member

Topic Starter
Member
47 posts

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:38 AM, on 11/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DREW\Desktop\hijack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: NETGEAR WG111v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.a...ad/tgctlins.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....030/CTSUEng.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.co...ll/gtdownlr.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1157903837077
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn...ro.cab56649.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.va...OCX/FlashAX.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15030/CTPID.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6890 bytes

everything seems back to normal... and as long as im clean im happy, so thanks

#27
kahdah

Posted 01 November 2008 - 08:04 AM

GeekU Teacher

Retired Staff
15,822 posts

Cleanup:

Please download OT CLeanit from Here save it to your desktop.
Double click on OT Clean it to run it.
Then click on Clean up.
Restart your computer when prompted.
This will remove what tools we used.
======================
Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingc...143.html#manual
=====================================
After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.