Infected With Malware On Computer/emails And Helkern Worm


1 reply to this topic

#1 Liam162

  • Members
  • 5 posts

Posted 30 April 2008 - 07:29 PM

Hello there,

I was recommended to come here via another forum. I have been infected with malware on my computer and possibly within my email account as well, as it has been doing some strange things which are included in this post. I would like to tell you that a while ago I twice let BT know about an issue where I signed in to view email from the "mail icon" on the BT homepage and instead of seeing the "emails" page there was a notice from Internet Explorer 7 that said "this is a phishing website". I think it might be a pharming website as the BT home page downloaded again without me doing anything. It did this on bebo as well on the "videos" page - it refreshed itself again, and on my bebo page there were supposed to be 6 comments in a box but only 5 were displayed and then a few months later it went up to 6. I'm thinking I might have picked up malware/spyware on there perhaps. I had a fake security check flash up once when I visited a website and when I clicked on the "no thanks" button the Windows Installer box came up; I clicked on the cancel button but something might have got installed that day - I don't know properly. Around this time my firewall program "Zone Alarm" kept going off when I switched my computer on. They were supposed to have investigated this and I never heard anything about it apart from the "help person" who said they would pass it on. The 2nd time the help people suggested I install the BT dial-up software again, but since then a notice keeps coming up when my computer loads to do with the BT Modem Lock and it says an alert:

"WARNING: Modem Lock component is not present or not digitally signed -
re - install dialler, system compromised"

My old firewall program Zone Alarm I think was hacked into by a worm through a junk email, as the words that mentioned the "no. of programs secured" greyed out and then a few seconds later went right again. I installed the BT Yahoo dial-up software a few more times and this notice still kept coming up. I also installed Windows XP again as I thought there may be spyware, and I had to download the BT software twice as it wouldn't do it the 1st time, and the BT toolbar flickered one night. When it did, it directed me to the BT Broadband page - that didn't happen the last time I re-registered. A few days after I re-registered, as the BT home page was loading I saw another smaller window flash quickly in the top right hand corner over the top of the BT page. Since this happened I think my account could be compromised, especially with the phishing/pharming page that came up as well. Since this has happened with the modem lock issue my firewall program has been showing internet activity even when the modem has not been connected to the computer. I had to sign in again to the internet from the BT portal page even though my password was correct. When I've had Zone Alarm, the firewall program (I don't have that anymore now) - after a few per cent of being downloaded - it has cancelled itself, and near the end on one occasion as well with the AVG virus program.

Other things have happened to my computer, like my free space on my disk drive has gone down by over 2 GB in two weeks and I haven't downloaded any programs, and then it's gained 2 GB again and it did it again like that - it's like someone has gained access to my computer through a trojan, perhaps some software invading the BT Yahoo Browser or pretending to be it. The Yahoo sidebar - the "Y" symbol seems to be missing, and when I clicked on the link to download some BT Yahoo software updates I did and then I changed my mind, but when I started my computer again and connected to the internet it said "BT Yahoo! Software Update - 1) Critical update successfully installed". The guest page of the BT homepage came up when I changed my password once and it prompted me to install a new BT mailhelper that was out of date in 2004. I've had a few pop-ups from Yahoo saying about new software or something. I've had a few pop-ups but haven't clicked on them: one concerning music, one about finance, also free jokes. The last one popped up when I clicked my town on the Odeon page. When I used to change my password I usually received an email confirming that the password was changed, but in the last few months after the "phishing page" incident I haven't received an email confirming the password change. When I used to click on the BT icon to connect to the internet - because the computer was so slow it vanished for a few seconds and then reappeared again, but the thing is the recycle bin icon at the exact same time did the same thing, which was odd.

2 of my icons on my desktop went missing about three weeks ago and then came back again after I started the computer again. The 4 icons involved were Toshiba Warranty, Toshiba Services and Options, Toshiba User's Manual and Toshiba Console. It was 2 of these but I can't remember which 2, but I definitely know it was 2 of Toshiba's. On the BT home page little things like under one of the news sections where there had been no news in the "last 3 days" - this happened a few times; also my headline news section with the picture moved down my page without me doing anything. Another thing: when I open up my email program Outlook Express it won't load the messages so there is an error message. My anti-virus email checker shows 16 lines of the BT server instead of 1. Before I installed Windows XP again I noticed the BT Mailhelper file was damaged in the "Downloaded Program Files" folder.

A few times my connection has been disconnected: once when I had just got on to my BT email page, once when I had downloaded a program called KeyScrambler to do with safeguarding against keyloggers. Also small things have happened, like when I scroll down the page on the internet it goes twice the speed it is supposed to, and someone typed in some numbers when I was about to sign in on the BT page - KeyScrambler shows it, you see, at the top of the screen. Once when I loaded the computer the "Network Connections" window came up and that was the night I couldn't get connected to the internet. That hasn't happened since. All this has happened since I installed Skype, which was on the bebo page, but I got rid of that before I installed Windows XP as it could have been spyware.

- Printing - the wrong page was printed out twice and some printing jobs cancelled by themselves.
- Email - in some emails some symbols have appeared like euros, a French acute with a hat over it in between some words, some where the apostrophe should be; a friend's email ended up in the junk emails folder; the 1st letter of a word deleted itself just after I had typed it; a few messages that had some sentences were deleted near the end; a few times just 1 word on one line and then the next word on another line; a letter has appeared a few times in front of a word, like vetc instead of etc. Can emails be tampered with, and has a trojan/worm got attached to my email account?? - (I have Kaspersky Security and still this is happening, as I was looking at emails the other night and the symbols happened again, and when I was viewing that the network connection lit up and it showed internet traffic going in and going out even when I was just looking at that email - no other processes were going on at the time.)
- Anti-Virus program - AVG - "Have you finished scanning?" came up all by itself when it was updating itself (I had that before I reinstalled). The Kaspersky program "updates" button turned from red to blue and then back to red when it was scanning offline. I scanned again on the Kaspersky Security Program for viruses but I stopped it halfway as I changed my mind, but the thing is after a few minutes the number of files scanned increased despite me pressing the stop button before.

- When I signed in to view emails once - a page came up "The All New BT Yahoo mail" but it wasn't in their usual logo - it was in block capitals and orange coloured letters, and since I clicked on the "no thanks" button a letter in a word deleted itself without me doing anything after I had typed that word.
- In another forum I posted this message and a letter moved from one word to another all by itself without my knowledge (I was at the library then). In this forum, as I am typing this message, on a couple of occasions a letter has vanished at the beginning of a word (when I was mentioning particular computer problems) - could a computer program have leeched onto my account on that forum there and here as well?

I noticed when I pressed the letter "r" on my keyboard when I opened the firewall program, when I happened to be typing something (offline), "the BT sign-in portal page came up", and when I did the same when I was on the internet "the tutorial page of Zone Alarm" came up, and when I was connected to the internet I tried "r" again and a new window opened up that said Security Software Quick Start from the Zone Alarm website. Now the thing is that after I had posted my message on the other forum, computer active, I noticed when I pressed the letter "r" on my keyboard when I opened the firewall program, when I happened to be typing something (offline), "the BT sign-in portal page came up", and when I did the same when I was on the internet "the tutorial page of Zone Alarm" came up, and when I was connected to the internet I tried "r" again and a new window opened up that said Security Software Quick Start - a while ago, when I pressed the "r" key when offline on Zone Alarm, it wasn't the BT sign-in portal page, so that's strange - I am thinking that malware is responsible for that.

The game solitaire has a few times displayed strange behaviour, like 2 identical cards of the same suit coming up, like two aces of clubs, so I couldn't complete the game, and when you click with the mouse to reveal the next card it did 2 cards instead of 1 so it skipped over the first one. It happened once after Windows was reinstalled - could malware alter game settings? In some other emails the website addresses at the bottom had a gap after the 8th word and a few other words broken into 2 - this originated on a Dutch spiritual website where the shoutbox refreshed itself every minute - could malware have been downloaded via that route? On that website once, in the word calendar, it first displayed it as ca then a square then the rest of the word followed after the square, and then I scrolled the page back up again and the word calendar went back to normal. A minute after that my internet connection disconnected and I couldn't get on at all for the rest of that night and some of the next day. On another website, in the title it changed from the word More, and then when I went back to the headings page it changed to MOre - is that spyware causing that to happen? On another website there was a letter that was there after a full stop and the next day it had vanished. Is it possible for a website to be edited via malware? The arrow key has moved by itself a few times, and after the BT homepage has loaded up the last few times I have been on the internet the whole screen has flashed white for a second.

My internet connection has been disconnected just when I looked at emails once and several times when I have connected. When I tried to report these problems before to a friend on the phone - after that I had trouble getting on the internet and was being disconnected - once on the BT page, the Google page when I had typed in a forum, and once more when I was able to get on the forum and then couldn't dial in at all for a few minutes, like I was being stopped and some program was making it hard for me. Is it possible for a phone to be tapped by spyware/malware and hacked into? I know it's unlikely but I'm just asking.

When I re-registered again back onto BT - I couldn't sign back in because when I typed in the 1st 3 letters they wouldn't display at all, like someone was controlling that, and the network connections symbol lit up 6 times in a row when I said haha after each time - coincidence probably, but the thing is the web page had loaded by then. The network connections icon lights up sometimes even when I am just looking at a page on the internet. This email problem with the symbols is still happening when I am at the library accessing them. Another time I opened up an email with the symbols in it and then the network connections icon lit up after it had been loaded, and then my Kaspersky Security program detected a Helkern worm, and then the night after it detected another one, but I pressed the "clear" button and I wasn't taken onto the "disinfection" tab that time like the 1st time - can malware alter the settings on a program? The internet page has scrolled down by itself a couple of times, and when I signed in online I had to sign in again even though I had typed the correct username and password, and it seemed all right after that. The thing is, before, in the terms and conditions of the HijackThis program when I installed it the first time, the word privacy was broken down with pr on one line and ivacy on another line, like it had been edited. My Kaspersky program detected a Helkern worm, however, and I haven't had a chance to update Windows security patches yet.

I'm sorry this post is long, but there have been lots of problems, you see, so here are my logs posted below. I hope you can help me to resolve all this, thanks.

Deckard's System Scanner v20071014.68
Run by Aaron on 2008-04-30 23:41:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-04-30 22:42:05 UTC - RP3 - Deckard's System Scanner Restore Point
2: 2008-04-23 23:44:16 UTC - RP2 - Installed Kaspersky Internet Security 7.0.
1: 2008-04-22 22:17:38 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 239 MiB (512 MiB recommended).


-- HijackThis (run as Aaron.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:42:49, on 30/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Lexmark 1300 Series\lxdcamon.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\Program Files\BT Yahoo! Internet\ModemLock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\Program Files\BT Yahoo! Internet\Watchdog.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Aaron\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Aaron.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BT Yahoo! Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [BTopenworld] "c:\program files\bt yahoo! internet\DialBTYahoo.exe" /ReInstallAutoDial
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [lxdcmon.exe] "C:\Program Files\Lexmark 1300 Series\lxdcmon.exe"
O4 - HKLM\..\Run: [lxdcamon] "C:\Program Files\Lexmark 1300 Series\lxdcamon.exe"
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {71057C18-0507-4747-86BC-E11CE7512C5F} (mailhelper Class) - https://register.btinternet.com/templates/b...lcontrol013.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - https://register.btinternet.com/templates/b...bcontrol028.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: BT Modem Lock - British Telecommunications plc - C:\Program Files\BT Yahoo! Internet\ModemLock.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe

--
End of file - 5270 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Netdevio (TOSHIBA Network Device Usermode I/O Protocol) - c:\windows\system32\drivers\netdevio.sys
R3 qkbfiltr (Quanta HotKey Keyboard Filter Driver) - c:\windows\system32\drivers\qkbfiltr.sys

S3 qmofiltr (Quanta HotKey Mouse Filter Driver) - c:\windows\system32\drivers\qmofiltr.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CFSvcs (ConfigFree Service) - c:\program files\toshiba\configfree\cfsvcs.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-04-22 23:17:27 258 --a------ C:\WINDOWS\Tasks\Registration reminder 3.job
2008-04-22 23:17:26 258 --a------ C:\WINDOWS\Tasks\Registration reminder 2.job
2008-04-22 23:17:25 258 --a------ C:\WINDOWS\Tasks\Registration reminder 1.job
2004-11-30 12:35:43 364 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job


-- Files created between 2008-03-30 and 2008-04-30 -----------------------------

2008-04-28 00:39:23 0 d-------- C:\Program Files\Lx_cats
2008-04-28 00:38:39 0 d-------- C:\logs
2008-04-28 00:22:17 0 d-------- C:\Program Files\Lexmark Toolbar
2008-04-28 00:21:33 0 d-------- C:\Program Files\Lexmark 1300 Series
2008-04-28 00:20:57 278528 --a------ C:\WINDOWS\system32\LXDCinst.dll
2008-04-28 00:20:56 323584 --a------ C:\WINDOWS\system32\LXDChcp.dll
2008-04-26 01:13:12 0 d-------- C:\Program Files\Trend Micro
2008-04-26 00:05:27 0 d-------- C:\Documents and Settings\Aaron\Application Data\Help
2008-04-24 00:52:07 0 d-------- C:\Documents and Settings\Aaron\Application Data\Macromedia
2008-04-24 00:45:03 96645 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-04-24 00:45:03 87941 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-04-24 00:44:27 0 d-------- C:\Program Files\Kaspersky Lab
2008-04-24 00:44:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-24 00:44:24 25888 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-04-24 00:44:24 910368 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-24 00:32:45 0 d---s---- C:\Documents and Settings\Aaron\UserData
2008-04-24 00:30:33 0 d-------- C:\Program Files\BT Yahoo! Internet
2008-04-23 23:52:30 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-23 23:41:16 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-04-22 23:17:56 0 d-------- C:\Documents and Settings\Default User\Nethood
2008-04-22 23:17:56 0 d-------- C:\Documents and Settings\Aaron\Nethood
2008-04-22 23:17:44 0 d--h----- C:\Documents and Settings\Aaron\Templates
2008-04-22 23:17:44 0 dr------- C:\Documents and Settings\Aaron\Start Menu
2008-04-22 23:17:44 0 dr-h----- C:\Documents and Settings\Aaron\SendTo
2008-04-22 23:17:44 0 dr-h----- C:\Documents and Settings\Aaron\Recent
2008-04-22 23:17:44 0 d--h----- C:\Documents and Settings\Aaron\PrintHood
2008-04-22 23:17:44 1310720 --ah----- C:\Documents and Settings\Aaron\NTUSER.DAT
2008-04-22 23:17:44 0 dr------- C:\Documents and Settings\Aaron\My Documents
2008-04-22 23:17:44 0 d--h----- C:\Documents and Settings\Aaron\Local Settings
2008-04-22 23:17:44 0 dr------- C:\Documents and Settings\Aaron\Favorites
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Desktop
2008-04-22 23:17:44 0 d---s---- C:\Documents and Settings\Aaron\Cookies
2008-04-22 23:17:44 0 dr-h----- C:\Documents and Settings\Aaron\Application Data
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Application Data\toshiba
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Application Data\Symantec
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Application Data\Sun
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Application Data\Identities
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Application Data\AdobeUM
2008-04-22 23:17:44 0 d-------- C:\Documents and Settings\Aaron\Application Data\Adobe
2008-04-22 23:17:31 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-04-22 23:17:19 0 d-------- C:\Documents and Settings\Default User\Application Data\toshiba
2008-04-22 23:17:19 0 d-------- C:\Documents and Settings\Default User\Application Data\Symantec
2008-04-22 23:17:19 0 d-------- C:\Documents and Settings\Default User\Application Data\Sun
2008-04-22 23:17:19 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-04-22 23:17:19 0 d-------- C:\Documents and Settings\Default User\Application Data\AdobeUM
2008-04-22 23:17:19 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-04-24 00:41:46 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-24 00:38:57 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [08/10/2004 08:31]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [08/10/2004 08:27]
"Toshiba Hotkey Utility"="C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" [10/12/2004 20:26]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [08/10/2004 14:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [08/10/2004 14:43]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [17/11/2004 11:56]
"NDSTray.exe"="NDSTray.exe" []
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [15/11/2004 10:14]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [02/02/2005 10:37]
"BTopenworld"="c:\program files\bt yahoo! internet\DialBTYahoo.exe" [24/04/2008 00:30]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [26/06/2007 16:53]
"lxdcmon.exe"="C:\Program Files\Lexmark 1300 Series\lxdcmon.exe" []
"lxdcamon"="C:\Program Files\Lexmark 1300 Series\lxdcamon.exe" [06/02/2007 00:32]
"LXDCCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [22/01/2007 23:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe" [05/09/2003 03:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 14:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [04/08/2004 02:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{537b34a1-4455-11d9-b92b-806d6172696f}]
AutoRun\command- D:\browser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c2265a3-42cb-11d9-85f1-806d6172696f}]
AutoRun\command- E:\browser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ba791153-4395-11d9-8be1-806d6172696f}]
AutoRun\command- E:\browser.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f6a9faf0-41df-11d9-a140-806d6172696f}]
AutoRun\command- D:\browser.exe

-- End of Deckard's System Scanner: finished at 2008-04-30 23:45:30 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® M processor 1.40GHz
Percentage of Memory in Use: 70%
Physical Memory (total/avail): 238.42 MiB / 70.61 MiB
Pagefile Memory (total/avail): 585.44 MiB / 308.73 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1947.34 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 33.45 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - TOSHIBA MK4032GAX - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton Internet Security v2005 (Symantec Corporation)
FW: Kaspersky Internet Security v7.0.0.124 (Kaspersky Lab)
AV: Norton Internet Security v2005 (Symantec Corporation)
AV: Kaspersky Internet Security v7.0.0.124 (Kaspersky Lab) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Lexmark 1300 Series\\app4r.exe"="C:\\Program Files\\Lexmark 1300 Series\\app4r.exe:*:Enabled:BorgListener"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\lxdccoms.exe"="C:\\WINDOWS\\system32\\lxdccoms.exe:*:Enabled:Lexmark Communications System"
"C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"="C:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe:*:Enabled:Lexmark Device Monitor"
"C:\\Program Files\\Lexmark 1300 Series\\App4R.exe"="C:\\Program Files\\Lexmark 1300 Series\\App4R.exe:*:Enabled:Lexmark Imaging Studio"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Aaron\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ZIRAMACSPORRAN
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Aaron
LOGONSERVER=\\ZIRAMACSPORRAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
TMP=C:\DOCUME~1\Aaron\LOCALS~1\Temp
USERDOMAIN=ZIRAMACSPORRAN
USERNAME=Aaron
USERPROFILE=C:\Documents and Settings\Aaron
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Aaron (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat - Reader 6.0.2 Update --> MsiExec.exe /I{AC76BA86-0000-0000-0000-6028747ADE01}
Adobe Reader 6.0.1 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7646-A00000000001}
BT Yahoo! Internet Connection Manager 9.0 --> C:\WINDOWS\UnSetupBTYahooBTopenworld9.0.exe /B:c:\program files\bt yahoo! internet\dialbtyahoo9.0br1.dll
CD/DVD Drive Acoustic Silencer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9FE35071-CAB2-4E79-93E7-BFC6A2DC5C5D}\Setup.exe" -l0x9
Conexant AC-Link Audio --> CIAunwdm.exe
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
INPROCOMM Wireless LAN --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4820DD99-52D1-42BB-927E-B6B6DF231AF5}\Setup.exe" -l0x9 UNINSTALL
Intel® Extreme Graphics 2 Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_3582
InterVideo WinDVD for TOSHIBA --> "C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Kaspersky Internet Security 7.0 --> MsiExec.exe /I{C774410D-3EF9-4DE7-AC01-332613163ECF}
Lexmark 1300 Series --> C:\Program Files\Lexmark 1300 Series\Install\x86\Uninst.exe
Lexmark Toolbar --> regsvr32.exe /s /u "C:\Program Files\Lexmark Toolbar\toolband.dll"
LiveUpdate 2.5 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Macromedia Flash Player --> MsiExec.exe /X{0456ebd7-5f67-4ab6-852e-63781e3f389c}
Microsoft Office OneNote 2003 --> MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Norton Internet Security --> MsiExec.exe /I{C9D599E1-6B68-4a1f-8A4F-A1DB433DB1BF}
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\Setup.exe" -l0x9 REMOVE
SoftV92 Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24C6&SUBSYS_FF311179\HXFSETUP.EXE -U -Itosff31k.inf
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TOSHIBA ConfigFree --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BDD83DC9-BEE9-4654-A5DA-CC46C250088D}\setup.exe" -l0x9 UNINSTALL
TOSHIBA Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3CF0858D-1AC5-4308-9DE7-AD15288A8BDC}\Setup.exe" -l0x9
TOSHIBA Manuals --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{188BA1CC-F3A1-49B0-A34D-8C861C64E1AE}\Setup.exe" -l0x9
TOSHIBA PC Diagnostic Tool --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B1310222-C64A-4E1E-ABE7-2489B33955FB}\Setup.exe" -l0x9 -uninst
Toshiba Touchpad Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{F77890F3-774A-4CBE-A2E3-7BB0DC71D1FA} /l1033
Toshiba Utility --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{099D12EC-0321-4CAC-A0CC-33D020156FCD} /l1033
TOSHIBA Zooming Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{64212898-097F-4F3F-AECA-6D34A7EF82DF}\setup.exe"
Touch and Launch --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5D96E2B1-D9AC-46E0-9073-425C5F63E338}\Setup.exe" -l0x9


-- Application Event Log -------------------------------------------------------

Event Record #/Type191 / Success
Event Submitted/Written: 04/28/2008 00:50:04 AM
Event ID/Source: 1102 / .NET Runtime Optimization Service
Event Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Event Record #/Type189 / Success
Event Submitted/Written: 04/28/2008 00:49:56 AM
Event ID/Source: 1102 / .NET Runtime Optimization Service
Event Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.RegularExpressions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Event Record #/Type187 / Success
Event Submitted/Written: 04/28/2008 00:49:56 AM
Event ID/Source: 1102 / .NET Runtime Optimization Service
Event Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web.Mobile, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Event Record #/Type185 / Success
Event Submitted/Written: 04/28/2008 00:49:46 AM
Event ID/Source: 1102 / .NET Runtime Optimization Service
Event Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

Event Record #/Type183 / Success
Event Submitted/Written: 04/28/2008 00:49:19 AM
Event ID/Source: 1102 / .NET Runtime Optimization Service
Event Description:
.NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Succesfully compiled: System.Transactions, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type399 / Error
Event Submitted/Written: 04/28/2008 01:09:33 AM
Event ID/Source: 6161 / Print
Event Description:
The document http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ owned by Aaron failed to print on printer Lexmark 1300 Series. Data type: LEMF. Size of the spool file in bytes: 5812578. Number of bytes printed: 5812578. Total number of pages in the document: 10. Number of pages printed: 0. Client machine: \\ZIRAMACSPORRAN. Win32 error code returned by the print processor: http://www.bleepingcomputer.com/forums/topic34773.html0. http://www.bleepingcomputer.com/forums/topic34773.html1

Event Record #/Type398 / Error
Event Submitted/Written: 04/28/2008 01:08:01 AM
Event ID/Source: 6161 / Print
Event Description:
The document http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/ owned by Aaron failed to print on printer Lexmark 1300 Series. Data type: LEMF. Size of the spool file in bytes: 5809242. Number of bytes printed: 0. Total number of pages in the document: 10. Number of pages printed: 2. Client machine: \\ZIRAMACSPORRAN. Win32 error code returned by the print processor: http://www.bleepingcomputer.com/forums/topic34773.html0. http://www.bleepingcomputer.com/forums/topic34773.html1

Event Record #/Type378 / Warning
Event Submitted/Written: 04/28/2008 00:38:39 AM
Event ID/Source: 20 / Print
Event Description:
Printer Driver Lexmark 1300 Series for Windows NT x86 Version-3 was added or updated. Files:- lxdcdr.dll, lxdcptpc.dll, lxdcptpc.dll, lxdchelp.chm, lxdcasnc.dll, lxdcalgn.out, lxdcbubl.dll, lxdccats.dll, lxdccfg.dll, lxdccfg.xml, lxdccfgx.exe, lxdccaln.out, lxdccln.out, lxdcclr1.lut, lxdcclr2.lut, lxdcclr3.lut, lxdcdlfw.out, lxdccomx.dll, lxdccu.dll, lxdccub.dll, lxdccur.dll, lxdcdatr.dll, lxdcdrui.dll, lxdcdtst.bmp, lxdcdtst.jpg, lxdcedf.dll, lxdceula.txt, lxdcgf.dll, lxdchps.dll, lxdcins.dll, lxdcinsb.dll, lxdcinsr.dll, lxdcjsw.dll, lxdcjswb.dll, lxdcjswr.dll, lxdcjswx.exe, lxdckaln.out, lxdclnks.dll, lxdclpa.dll, lxdclpab.dll, lxdclpar.dll, lxdcphal.out, lxdcphcl.out, lxdcppx.dll, lxdcprod.ver, lxdcprp.dll, lxdcprpb.dll, lxdcprpr.dll, lxdcpsw.dll, lxdcpswb.dll, lxdcpswr.dll, lxdcpswx.exe, lxdcretv.dll, lxdcrme.doc, lxdcserv.exe, lxdcsk0.dll, lxdctime.dll, lxdctime.exe, lxdculdr.dll, lxdcupd.dll, lxdcupdb.dll, lxdcupdr.dll, lxdcupld.exe, lxdcuplr.dll, lxdcutil.dll, lxdcview.exe, lxdcwbgc.dll, lxdcwbgw.exe, lxdcwavs.exe, lxdcwww.htm, lxdcxmlu.dll.

Event Record #/Type299 / Warning
Event Submitted/Written: 04/25/2008 11:49:12 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 000E9BA8E417. The IP address being used is 169.254.97.57.

Event Record #/Type264 / Error
Event Submitted/Written: 04/25/2008 11:35:18 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
The Computer Browser service terminated with the following error:
%%1460



-- End of Deckard's System Scanner: finished at 2008-04-30 23:45:30 ------------

#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:12:31 AM

Posted 21 May 2008 - 01:10 PM

Hello Liam162 and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, then please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

When posting your log, please make sure you post the HijackThis log as a reply and not as an attachment. If we do not hear back from you within a couple of days we will need to close your topic.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -