*** IMPORTANT *** - Must read before posting!

Discussion in 'Windows - Virus and spyware problems' started by Fredil, Jun 7, 2008.

  1. Fredil

    Fredil Regular member

    A big thank you to LOCOENG for the sticky :)

    Please point out possible errors, improvements, typos, etc. in replies to this thread. Thank you!

    Welcome to AfterDawn! If you're in this forum, chances are you have a malware problem and you need help. However, before you post, there are certain steps that we want you to follow to ensure that the cleaning of your computer is as easy and painless as possible :D Please read this post in its entirety before you proceed with doing anything.

    First and foremost: Every person on this forum is an actual human being, who has a life. The helpers are not automatons or robots that are always submitting to your every will. Things will go a lot smoother if you keep this in mind.

    Also, no matter how tempting it may seem, do not look at another user who has the same problem as you and follow the instructions provided to them. Chances are that you will not have the same problem and will need unique instructions.

    Do not make duplicate topics. These just confuse the people helping you and potentially waste energy for two or more people. You may bump if you haven't gotten a reply for one or two days.

    Finally, and very importantly, don't be afraid to ask questions! There are no stupid questions. If you don't understand something, it is better to ask first and delay things a small bit than do something wrong and make a potential mistake that could stop your system from ever booting again.

    Now that you've read the above (you did read it, right...), let's get started. Please follow these instructions in order, there is a reason that there is an order.

    Step One: Clean with ATF Cleaner

    This is purely a preparatory step to make your computer run faster and to get rid of a bit of possible malware.

    Please download ATF Cleaner and save it to your Desktop.
    This program is for XP and Windows 2000 only!! Do not use it if you are not using one of these operating systems.

    1. Double-click ATF-Cleaner.exe to run the program.
    2. Under Main choose: Select All
    3. Click the Empty Selected button
    4a. If you use Firefox: Click "Firefox" at the top and choose "Select All". Click the Empty Selected button.
    4b. If you use Opera: Click "Opera" at the top and choose "Select All". Click the Empty Selected button.

    If you would like to keep your saved passwords for Firefox or Opera, you should select "No" at the prompt.

    Step Two: Scan with Kaspersky WebScanner

    This step is a malware detection step. It will identify much of the malware on your computer, but it will not remove it.

    Please do an online scan with Kaspersky WebScanner:

    Click on the link, then click Accept. You will be prompted to install an ActiveX Component from Kaspersky, click Yes.

    The program will launch and then begin downloading the latest definition files.

    Once the files have been downloaded click on Next, now click on Scan Settings, and in the scan settings make sure that the following are selected:

    - Scan using the following Anti-Virus database:
    --- Extended (if available otherwise Standard)
    - Scan Options:
    --- Scan Archives
    --- Scan Mail Bases

    Click OK.

    Now, under "Select a Target to Scan", select My Computer. The scanner will start to scan your system.
    The scan will take a while so be patient and let it run.
    Once the scan is complete it will display if your system has been infected.

    Now click on the Save as Text button, and save the file to your desktop. Copy this information into your first post.

    Step Three: Update Windows XP if necessary

    Update Windows --- Service Pack 1a

    First, follow this instruction on how to find out what Service Pack you have. If you have Service Pack 1a or Service Pack 2, follow the directions in the first paragraph; otherwise, follow the directions in the second.

    An unprotected and un-updated installation of Windows XP will get infected and re-infected time and time again, relatively quickly. Please click the "Update Windows" link above and follow the instructions to update your system.

    Important note: If you do not have any Service Packs installed on Windows XP, do not perform the above instruction. Instead, click the "Service Pack 1a" link. This is because, although Service Pack 2 does have many great security updates, installing it onto a computer with certain malware will cause system conflicts and complicate things greatly. Only install Service Pack 2 after you are clean. You otherwise risk possibly unrecoverable complications.

    Step Four: Reboot your computer

    This step should be self-explanatory. Reboot your computer, and proceed with the next and final step.

    Step Five: HijackThis

    Once you have rebooted your computer, get back onto the forum and post a HijackThis log :)

    Click here to download the installer for HijackThis.
    Save HJTInstall.exe to your desktop.
    Double-click on the HJTInstall.exe icon on your desktop.
    By default it will install to C:\Program Files\Trend Micro\HijackThis .
    Click on Install.
    It will create a HijackThis icon on the desktop.
    Once installed, it will launch HijackThis.
    Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    Post the contents of the HijackThis log in a new topic describing your problem.

    DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required for the smooth operation of your system.

    ====================================================================

    Please state somewhere in your first post that you have performed these steps.

    Finally, thank you for stopping by at AfterDawn!
     
    Last edited: Jun 24, 2008
  2. LOCOENG

    LOCOENG Moderator Staff Member

    Very Nice...stickied.
     
  3. lynnjodi

    lynnjodi Member

    Sorry, I'm new and I didn't know where to put my post regarding this problem. I followed all the instructions on this message thread and found six infected files.

    http://forums.afterdawn.com/thread_view.cfm/671553

    Here's what it told me to put in my first post:

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Monday, November 10, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, November 10, 2008 15:42:52
    Records in database: 1378483
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan statistics:
    Files scanned: 77433
    Threat name: 5
    Infected objects: 6
    Suspicious objects: 0
    Duration of the scan: 01:17:51


    File name / Threat name / Threats count
    C:\Program Files\tinyproxy\tinyproxy.exe//PE_Patch.UPX//UPX/C:\Program Files\tinyproxy\tinyproxy.exe//PE_Patch.UPX//UPX Infected: Trojan-Proxy.Win32.Agent.bcw 1
    C:\Documents and Settings\Owner\Local Settings\Temp\buindexs.dll Infected: Trojan-GameThief.Win32.Nilage.dxg 1
    C:\Documents and Settings\Owner\Local Settings\Temp\SETUPow.dll Infected: Trojan-GameThief.Win32.OnLineGames.sksi 1
    C:\Documents and Settings\Owner\Local Settings\Temp\xptkksylgfile.dll Infected: Trojan-GameThief.Win32.OnLineGames.sjho 1
    C:\Program Files\tinyproxy\tinyproxy.exe Infected: Trojan-Proxy.Win32.Agent.bcw 1
    C:\WINDOWS\system32\mssjfilejf.dll Infected: Trojan-Spy.Win32.Cardspy.ao 1

    The selected area was scanned.

     
  4. lynnjodi

    lynnjodi Member

    And here's what it told me to put in my second post:

    My home computer is not letting me create new e-mails, or reply or forward existing e-mails, from my work e-mail account.

    In addition, when I try to do a Google search and then click on a link, it routes me to an unfamiliar search engine (like findstuff.com) rather than to the page I clicked on.

    Here's my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:43:35 PM, on 11/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe
    C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
    C:\Program Files\tinyproxy\tinyproxy.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\sony\usbsircs\usbsircs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://commcenter.mchsi.com/wmc/login
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
    N3 - Netscape 7: # Mozilla User Preferences
    // This is a generated file!

    user_pref("browser.activation.checkedNNFlag", true);
    user_pref("browser.bookmarks.added_static_root", true);
    user_pref("browser.history.last_page_visited", "http://google/");
    user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
    user_pref("browser.startup.homepage_override.mstone", "rv:1.0.2");
    user_pref("intl.charsetmenu.browser.cache", "UTF-8, ISO-8859-1");
    user_pref("prefs.converted-to-utf8", true);
    user_pref("signon.SignonFileName", "93714753.s");
    user_pref("timebomb.first_launch_time", "1093714180265000");
    user_pref("browser.helperApps.neverAsk.openFile", "application%2Fx-java-jnlp-file");
    (C:\Documents and Settings\OWNER\Application Data\Mozilla\Profiles\default\1j8usfda.slt\prefs.js)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
    O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust Anti-Spam\QSP-2.1.215.15\QOELoader.exe"
    O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVTray.exe"
    O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\CAVRID.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\CA\eTrust Internet Security Suite\eTrust Personal Firewall\ca.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [sysftray2] c:\windows\bolivar25.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - Global Startup: Remocon Driver.lnk = ?
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {413D6754-BFD4-47FE-9346-319559290BFA} (HTECtrl Class) - https://www.webpcfos.com/webpcfos/websabre/HTEweb_new.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
    O23 - Service: CAISafe (CAISafe) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
    O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Giga Pocket\halsv.exe
    O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Giga Pocket\RM_SV.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
    O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
    O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
    O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
    O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
    O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 12283 bytes
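As an added example (not part of lynnjodi's post or of any helper's reply, and not code from Trend Micro or Kaspersky), here is how a helper might machine-triage a posted HijackThis 2.x log against the Kaspersky report that accompanies it. The sample lines are a handful of entries copied from the two logs above; the rules are heuristics that point a human at entries worth a closer look, not verdicts, since legitimate software does sometimes autorun from C:\WINDOWS or register a service without a vendor string. The section letters (R1, O2, O4, O23) are the ones HijackThis itself prints.

```python
"""Triage a HijackThis 2.x log against a Kaspersky Online Scanner report.

Added example for this thread; not code from the thread, Trend Micro or Kaspersky.
The sample lines are constructed from entries in the logs posted above, and the
rules are heuristics meant to point a helper at entries worth a closer look.
"""
import re
from collections import defaultdict

# Constructed sample: a few HijackThis lines copied from the log posted above.
HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9090
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [sysftray2] c:\windows\bolivar25.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Internet Security Suite\eTrust EZ Antivirus\ISafe.exe
O23 - Service: CAISafe (CAISafe) - Unknown owner - C:\Program Files\tinyproxy\tinyproxy.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed sample: two detection lines in the Kaspersky Online Scanner 7 format
# (the "//PE_Patch.UPX//UPX" suffix is how the scanner names a packed object).
KAV_REPORT = r"""
C:\Program Files\tinyproxy\tinyproxy.exe//PE_Patch.UPX//UPX Infected: Trojan-Proxy.Win32.Agent.bcw 1
C:\WINDOWS\system32\mssjfilejf.dll Infected: Trojan-Spy.Win32.Cardspy.ao 1
"""

HJT_LINE = re.compile(r"^(R\d|F\d|N\d|O\d+)\s+-\s+(.*)$")
KAV_LINE = re.compile(r"^(.*?)\s+Infected:\s+(\S+)\s+\d+$")
WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|sys)\b', re.I)


def parse_kav_report(report):
    """Map each infected file (lower-cased path) to the threat name it was given."""
    hits = {}
    for line in report.splitlines():
        m = KAV_LINE.match(line.strip())
        if m:
            container = m.group(1).split("//")[0]   # drop the packed-object suffix
            hits[container.lower()] = m.group(2)
    return hits


def parse_hjt(log):
    """Yield (section, body) pairs such as ("O23", "Service: ...") from a HJT log."""
    for line in log.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(hjt_log, kav_report):
    """Return (section, note) findings a helper should look at first."""
    kav = parse_kav_report(kav_report)
    findings = []
    services = defaultdict(set)        # display name -> binaries registered under it
    for kind, body in parse_hjt(hjt_log):
        paths = [p.lower() for p in WIN_PATH.findall(body)]
        # 1. The binary behind this entry was already named by the AV scanner.
        for p in paths:
            if p in kav:
                findings.append((kind, f"binary flagged by scanner as {kav[p]}: {p}"))
        # 2. IE forced through a proxy on localhost: a classic traffic-redirect setup.
        if kind == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            findings.append((kind, "IE proxied through localhost: " + body.split("=", 1)[1].strip()))
        # 3. A BHO is registered but its DLL is gone (leftover, or hidden from HJT).
        if kind == "O2" and "(no file)" in body:
            findings.append((kind, "BHO registered with no file on disk: " + body))
        # 4. Autorun launching an .exe straight out of %WINDIR% or a Temp folder.
        if kind == "O4":
            for p in paths:
                if re.match(r"c:\\windows\\[^\\]+\.exe$", p) or "\\temp\\" in p:
                    findings.append((kind, "autorun from an unusual location: " + p))
        # 5. Services: no vendor string, and display names shared by several binaries.
        if kind == "O23":
            name = re.sub(r"\s*\(.*?\)", "", re.sub(r"^Service:\s*", "", body.split(" - ")[0]))
            if paths:
                services[name].add(paths[0])
            if "Unknown owner" in body:
                findings.append((kind, f"service '{name}' has no vendor information: {paths[0] if paths else '?'}"))
    for name, binaries in services.items():
        if len(binaries) > 1:
            findings.append(("O23", f"service name '{name}' used by {len(binaries)} different binaries: {sorted(binaries)}"))
    return findings


if __name__ == "__main__":
    for section, note in triage(HJT_LOG, KAV_REPORT):
        print(f"[{section}] {note}")
```

Run against the sample it surfaces the same picture a human helper gets from reading the two logs side by side: tinyproxy.exe is the file Kaspersky named, it is registered as a service with no vendor under the same "CAISafe" display name as the genuine CA antivirus service, and Internet Explorer is configured to send HTTP through 127.0.0.1:9090, which is consistent with the search-result redirects described in the post. The QuickTime autorun and the ZoneLabs service pass every rule, which is the point of rule-based triage: it narrows the list, and the helper still decides.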

     
  5. cdavfrew

    cdavfrew Regular member

    Hi lynnjodi

    Now, please download ComboFix.
    With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

    Please disable all security programs, such as antiviruses, antispywares, and firewalls.
    Also disable your internet connection.


    • Run Combo-Fix.exe and follow the prompts.
    **Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Do not click on the ComboFix window, as it may cause it to stall.

    Post the log in a new thread, let's not crowd up this one.

    Best Regards :D
     
  6. adrelectr

    adrelectr Member

    Hi,
    Picked up the PChealth virus and followed the HijackThis instructions.
    Note: I could not rename the file to scanner. I had to redownload and name the zip file only. Unzipped came out as HijackThis still.
    I am getting a trojan warning when I start my computer and my firewall will delete the trojan. I still have the generator of the trojan and have run a couple of virus/trojan softwares which only delete the trojan, not the source. I have tried to use system restore many times and I get: system not restored, try another date.
    I have included the diag print out from HijackThis. Help will be greatly appreciated.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:39:47 AM, on 11/18/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\brsvc01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\brss01a.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\system32\Brmfrmps.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
    C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
    C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
    C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\DOCUME~1\Dad\LOCALS~1\Temp\Temporary Directory 1 for scanner.zip\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04a\BrStDvPt.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: FLV Player
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: Status Monitor.lnk = C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
    O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
    O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
    O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/Web...n&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
    O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINDOWS\system32\Brmfrmps.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 7676 bytes
     
  7. cdavfrew

    cdavfrew Regular member

    Hi adrelectr

    Please follow these instructions and post your log in a new thread.

    Please download Malwarebytes Anti-Malware and install it. Follow the prompts and reboot if required.

    Launch Malwarebytes either by running C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe or double-click the Malwarebytes' Anti-Malware shortcut on your Desktop.

    Configuring Malwarebytes

    • Click on the tab Settings.
    • Make sure only these boxes are checked:
    Code:
    Terminate Internet Explorer
    Automatically save and display logfile after removal
    Always scan memory objects
    Always scan registry objects
    Always scan filesystem
    Always scan extra and heuristics objects
    Updating Malwarebytes

    • Click on the tab Update.
    • Press the button Check for Updates.
    • Wait for Malwarebytes to be fully updated.

    Scanning Time

    • Click on the tab Scanner.
    • Check Perform full scan and click on Scan.
    • Wait for the scan to complete, and then click on Show Results.
    • Make sure all items are checked, then click on Remove Selected.
    **If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If you are asked to restart the computer, please do so immediately.

    Post A Log

    • A text box will pop up after the removal process is over. Post the contents of the text here.
    • If no text box pops up, launch Malwarebytes, and click on the tab Logs.
    • The logs will appear as mbam-log-*date-*time.txt. Select the latest one, and then click on Open.
    Post the log here.

    Best Regards :D
     
  8. adrelectr

    adrelectr Member

    Joined:
    Nov 18, 2008
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    11
    Malwarebytes' Anti-Malware 1.30
    Database version: 1412
    Windows 5.1.2600 Service Pack 3

    11/19/2008 4:25:27 PM
    mbam-log-2008-11-19 (16-25-27).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 115812
    Time elapsed: 1 hour(s), 30 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 2
    Files Infected: 7

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\CodecBHO.DLL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\codecbho.codecplugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\codecbho.codecplugin.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\codecbho.xmldomdocumenteventssink.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CLASSES_ROOT\CLSID\{35CEC8A3-2BE6-11D2-8773-92E220524153}\InprocServer32\ (Hijack.Tray) -> Bad: (C:\DOCUME~1\Dad\LOCALS~1\Temp\\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Program Files\Microsoft Security Adviser (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Program Files\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\ddcCRlLB.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Dad\Local Settings\Temp\60325cahp25ca0.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Dad\Local Settings\Temp\TDSS625b.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Dad\Application Data\~tmp.html (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\TDSSerrors.log (Trojan.TDSS) -> Quarantined and deleted successfully.

    THANK YOU!
    .... no pop-up with the start now and the firewall deleting it after generation. Found 17 items that the other guys missed. It took a while to run but it was worth it, boy talk about faster start-up and loading of programs. I will recommend you to everyone! Wish I knew about you the first time before I had to blow away my hard drive and start all over again. I couldn't get past the start screen.
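An added example, not code from this thread or from Malwarebytes: it parses a log in the layout adrelectr posted, cross-checks the per-section counts against the items actually listed, and flags entries the scanner left for the reboot cdavfrew's instructions ask for. The sample log, its CLSID and its file paths are constructed placeholders.

```python
import re
# Constructed sample in the layout of a Malwarebytes' Anti-Malware 1.x log; the CLSID and paths are placeholders.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.30
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\RichVideoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ (Hijack.Tray) -> Bad: (C:\Temp\shell32.dll) Good: (stobject.dll) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files (x86)\RichVideoCodec\codec.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
"""

SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "<path> (<family>)", plus a "-> Bad: (...) Good: (...)" detail on registry data items
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\)( -> .*)?$")

def parse_mbam_log(text):
    """Return (claimed counts per section, parsed items per section)."""
    summary, items, section = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = SUMMARY_RE.match(line)
        if m:                                   # count block: "Files Infected: 2"
            summary[m["section"]] = int(m["count"])
        elif line.endswith(" Infected:"):       # detail block header: "Files Infected:"
            section = line[:-1]
        elif section:                           # blanks and "(No malicious items detected)" fail ITEM_RE
            head, _, action = line.rpartition(" -> ")   # the action follows the LAST arrow
            if (m := ITEM_RE.match(head)):
                items.setdefault(section, []).append(
                    {"path": m["path"], "family": m["family"], "action": action.rstrip(".")})
    return summary, items

def check_counts(summary, items):
    """Sections whose listed items disagree with the claimed count: {section: (claimed, listed)}."""
    return {s: (n, len(items.get(s, []))) for s, n in summary.items() if n != len(items.get(s, []))}

def pending_on_reboot(items):  # not removed in-session; the reboot the instructions ask for finishes these
    return [i["path"] for found in items.values() for i in found
            if i["action"] != "Quarantined and deleted successfully"]
```

A non-empty result from `check_counts` means the pasted log is truncated or edited, which is worth asking about before reading anything into it.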
     
