
The Word "crap" Is Added To Document Or Email After Smitfraud Was Removed


5 replies to this topic

#1 Richard Hufford (Members, 6 posts)

Posted 02 June 2008 - 08:26 AM

I removed the SmitFraud trojan from a customer's computer, and she reported that when she composed an email, the word "crap" appeared in her email three times. Sometimes, she composes her emails using MS Word and copies and pastes to Outlook Express, and she could not remember if she used Word this time or composed the email in OE directly.

I removed SmitFraud using SmitRem, SmitFraudFix, RogueRemover, and CCleaner. The first time I did this, she encountered some remaining spyware the next day (XP Antivirus?), so I did the same thing and then followed up with a Hijack This log. I removed an entry that referred to "BrowsingSoftware", and that took care of most of the problem. Then, a few days later, she encountered her "crap" problem.

I then tried running RogueRemover again. It did not find any problems, so I ran DSS and I am posting the logs from that run.

I should probably mention that my customer is blind, and JFW refers to Jaws for Windows, which is a program that reads windows aloud. It is always running. If I do anything that affects Jaws, my customer will be very upset.

Here are the logs. Please let me know if anything looks out of place.

Deckard's System Scanner v20071014.68
Run by Sarah on 2008-05-30 14:04:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
15: 2008-05-30 21:04:12 UTC - RP480 - Deckard's System Scanner Restore Point
14: 2008-05-30 20:40:06 UTC - RP479 - Installed AVG Free 8.0
13: 2008-05-30 10:24:48 UTC - RP478 - System Checkpoint
12: 2008-05-29 10:00:22 UTC - RP477 - Software Distribution Service 3.0
11: 2008-05-29 07:48:07 UTC - RP476 - System Checkpoint


-- First Restore Point --
1: 2008-05-17 00:26:31 UTC - RP466 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 480 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-30 14:05:29
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgemc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Caere\OmniPagePro10.0\OPware32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\richard\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [OmniPage] C:\Program Files\Caere\OmniPagePro10.0\opware32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [32004709910803642326737834957100] C:\Program Files\XP Antivirus\xpa.exe
O4 - Global Startup: Audio Spooler.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sarah\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: JFWService - Freedom Scientific BLV Group, LLC - C:\Program Files\Freedom Scientific\JAWS\8.0\jfw.exe
O23 - Service: MtRepair1 - Unknown owner - C:\WINDOWS\system32\MtRepair1.exe
O23 - Service: MtRepair2 - Unknown owner - C:\WINDOWS\system32\MtRepair2.exe


--
End of file - 5818 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>
R3 AgereSoftModem (Agere Systems Soft Modem) - c:\windows\system32\drivers\agrsm.sys <Not Verified; Agere Systems; Agere SoftModem Driver>

S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\617.tmp (file missing)
S3 GMSIPCI - d:\install\gmsipci.sys (file missing)
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20060410.080\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 MtRepair1 - "c:\windows\system32\mtrepair1.exe" -serv (file missing)
S4 MtRepair2 - "c:\windows\system32\mtrepair2.exe" -serv (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-04-30 and 2008-05-30 -----------------------------

2008-05-30 13:40:38 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-30 13:40:31 0 d-------- C:\Program Files\AVG
2008-05-30 13:40:30 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-30 13:39:51 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-05-28 11:45:14 0 d-------- C:\WINDOWS\system32\LogFiles
2008-05-25 11:10:09 0 d-------- C:\Program Files\Winamp
2008-05-25 11:10:09 0 d-------- C:\Documents and Settings\Sarah\Application Data\Winamp
2008-05-23 14:32:24 0 dr-h----- C:\Documents and Settings\Sarah\Recent
2008-05-23 13:35:43 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-05-23 13:26:21 72192 --a------ C:\WINDOWS\system32\taskkill.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-23 13:21:34 0 d-------- C:\Program Files\CCleaner
2008-05-23 13:16:09 0 d-------- C:\richard
2008-05-19 15:44:24 2750 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-19 15:31:20 0 d-------- C:\Program Files\RogueRemover FREE
2008-05-16 18:39:19 73 --a------ C:\WINDOWS\system32\ssprs.dll
2008-05-16 18:39:19 1025 --a------ C:\WINDOWS\system32\clauth2.dll
2008-05-16 18:39:19 1025 --a------ C:\WINDOWS\system32\clauth1.dll
2008-05-16 18:38:11 0 d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2008-05-16 18:38:10 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-05-16 15:24:42 0 d-------- C:\Program Files\Lavasoft
2008-05-16 15:24:42 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-16 15:24:10 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-10 09:36:08 0 --ahs---- C:\Documents and Settings\Sarah\Application Data\004825bef2b925c42d209102baf7ebd8e8b245f385e966ef01.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-30 14:00:53 2000000 --a-----t C:\WINDOWS\system32\HJSMEM.DAT
2008-05-30 14:00:47 205 --a------ C:\WINDOWS\system32\rq6v51h.dll
2008-05-25 11:14:07 0 d-------- C:\Documents and Settings\Sarah\Application Data\LimeWire
2008-05-23 14:17:04 0 d-------- C:\Program Files\BrowsingSoftware
2008-05-22 20:03:10 0 d-------- C:\Program Files\LimeWire
2008-05-16 17:03:43 0 d--h----- C:\Program Files\Freedom Scientific Installation Information
2008-05-16 15:43:15 33 --a------ C:\Documents and Settings\Sarah\Application Data\install.ini
2008-05-16 15:24:10 0 d-------- C:\Program Files\Common Files
2008-05-15 13:04:38 392 --a------ C:\WINDOWS\system32\winsusrm.dll
2008-04-29 18:59:03 0 d-------- C:\Program Files\FBrowserAdvisor
2008-04-07 16:44:27 0 d-------- C:\Documents and Settings\Sarah\Application Data\MSN6
2008-04-07 16:08:25 0 d-------- C:\Documents and Settings\Sarah\Application Data\MSNInstaller
2008-04-07 16:07:25 0 d-------- C:\Program Files\MSN Messenger
2008-03-31 21:22:47 0 d-------- C:\Documents and Settings\Sarah\Application Data\KESI


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [07/13/2002 12:15 AM]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [09/14/2002 08:42 AM]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [07/09/2001 04:50 PM]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/04/2004 05:00 AM]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [08/04/2004 05:00 AM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/04/2004 05:00 AM]
"SiSPower"="SiSPower.dll" [11/10/2005 07:28 PM C:\WINDOWS\system32\SiSPower.dll]
"AGRSMMSG"="AGRSMMSG.exe" [10/08/2004 09:50 AM C:\WINDOWS\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [12/01/2004 07:54 AM C:\WINDOWS\SOUNDMAN.EXE]
"OmniPage"="C:\Program Files\Caere\OmniPagePro10.0\opware32.exe" [10/14/1999 10:50 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [04/01/2008 11:49 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [05/30/2008 01:40 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 09:24 AM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 05:00 AM]
"32004709910803642326737834957100"="C:\Program Files\XP Antivirus\xpa.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Audio Spooler.lnk - C:\WINDOWS\Installer\{2174D448-F6A7-49EC-B42D-67FE626094E9}\AudioSpooler.exe [1/19/2008 10:41:00 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 1:15:54 AM]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [5/6/2005 9:44:44 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- Z:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cc32ae1a-7e33-11da-9c2a-001109be1dee}]
AutoRun\command- I:\LaunchU3.exe




-- End of Deckard's System Scanner: finished at 2008-05-30 14:06:19 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.06GHz
CPU 1: Intel® Pentium® 4 CPU 3.06GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 479.48 MiB / 177.25 MiB
Pagefile Memory (total/avail): 1122.81 MiB / 860.2 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1916.28 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 184.13 GiB total, 171.51 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)

\\.\PHYSICALDRIVE0 - ST3200826A - 186.31 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 184.13 GiB - C:
\PARTITION1 - Unknown - 2.18 GiB

\\.\PHYSICALDRIVE1 - Foxconn CF USB2.0 Reade USB Device

\\.\PHYSICALDRIVE4 - Foxconn MS USB2.0 Reade USB Device

\\.\PHYSICALDRIVE3 - Foxconn SD USB2.0 Reade USB Device

\\.\PHYSICALDRIVE2 - Foxconn SM USB2.0 Reade USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

AV: AVG v8.0 (AVG Technologies) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE"="C:\\Program Files\\Freedom Scientific\\Activator\\1.1\\FSACTIVATE.EXE:*:Enabled:Client Activator"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Sarah\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=SALLY_XP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Sarah
LOGONSERVER=\\SALLY_XP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0409
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Sarah\LOCALS~1\Temp
TMP=C:\DOCUME~1\Sarah\LOCALS~1\Temp
USERDOMAIN=SALLY_XP
USERNAME=Sarah
USERPROFILE=C:\Documents and Settings\Sarah
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Sarah (admin)
Administrator (admin)
Guest (guest)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\PROGRA~1\Yahoo!\Common\unyt.exe
--> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E06E4F4E-72D6-4497-BFFD-BCB43077C2F4}\setup.exe" -l0x9 -uninst
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Flash Player 9 --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Agere Systems PCI Soft Modem --> agrsmdel
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Before You Know It 3.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{92EF1E38-3933-411E-9A39-9FA560EC2CD8}\Setup.exe" -l0x9
BrowsingSoftware --> C:\Program Files\BrowsingSoftware\uninstall.exe
Caere Scan Manager 5.0 --> MsiExec.exe /I{81D62C32-0984-11D3-86CD-00105AD33021}
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Conexant D850 56K V.9x DFVc Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F20&SUBSYS_200F14F1\HXFSETUP.EXE -U -Idel200fk.inf
DBT 10.6 SR4 --> MsiExec.exe /I{8D2D7E34-FF4D-4F01-A2FB-7192418B82CF}
EZT --> MsiExec.exe /I{4CCD7A06-1C0E-4C6D-BBB9-1472A9685AF8}
FMC --> MsiExec.exe /I{FBFDEBCC-5018-47FE-AC6A-9ED61E78DAD9}
Freedom Scientific Braille --> MsiExec.exe /I{967C1374-BCB3-42AA-AE08-A5C56A956ACE}
Freedom Scientific Document Server --> MsiExec.exe /I{9FAB7FA0-1BCC-4F37-9EAD-5C2F05C5EAA4}
Freedom Scientific JAWS 8.0 --> C:\Program Files\Freedom Scientific Installation Information\356DE2A8-01EB-464e-9C33-0EEA3F923000-800\UninstallJAWS.exe
Freedom Scientific JAWS 8.0 --> MsiExec.exe /I{D74A3A69-851C-447E-83D1-702E60A7258D}
Freedom Scientific Synthesizer Eloquence --> MsiExec.exe /X{F4DA19E5-A560-4313-8623-3493DCE3C681}
Freedom Scientific Talking Installer 8.0 --> MsiExec.exe /X{72BA5188-DF38-48DD-BB7D-C7D778890124}
Freedom Scientific Talking Installer 9.0 --> MsiExec.exe /X{A22A0E14-70C5-43F5-A254-32907377541A}
Freedom Scientific Utilities --> MsiExec.exe /I{1F19423A-6072-44BC-8E03-3C645ED2301F}
Freedom Scientific Video Intercept --> msiexec /i {6EC9AEA4-4B16-4C2B-B760-6F378A7577B6}
Freedom Scientific Video Intercept --> MsiExec.exe /I{6EC9AEA4-4B16-4C2B-B760-6F378A7577B6}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 1.99.1 --> C:\richard\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Java™ 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
JAWS 4.50 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C0130074-DAAC-4ED9-82D2-A85ADA9CE632}\setup.exe"
Kurzweil 1000 v.11 --> MsiExec.exe /I{2174D448-F6A7-49EC-B42D-67FE626094E9}
LimeWire 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Malwarebytes' RogueRemover --> "C:\Program Files\RogueRemover FREE\unins000.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Sarah\Application Data\Move Networks\ie_bin\Uninst.exe
MSN --> C:\Program Files\MSN\MsnInstaller\msniadm.exe /Action:ARP
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600820}
Nero Suite --> C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
Netflix Movie Viewer --> MsiExec.exe /X{B6272BAC-1A51-4418-933D-E6FC6C7DC42D}
OmniPage Pro 10.0 --> MsiExec.exe /I{1C0094B0-E0A0-11D2-8E60-000086188D94}
PCI SoftV92 Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2F30&SUBSYS_205514F1\HXFSETUP.EXE -U -IPSCRCTR5K.INF
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Sentinel System Driver --> MsiExec.exe /I{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}
SiS VGA Utilities --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem7.inf
SiSAGP driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC226AC9-0314-496C-BE6A-B6A132628466}\setup.exe" -l0x9
Winamp --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type2067 / Error
Event Submitted/Written: 05/30/2008 01:40:16 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application avgcc.exe, version 7.5.0.522, faulting module unknown, version 0.0.0.0, fault address 0x83df171c.
Processing media-specific event for [avgcc.exe!ws!]

Event Record #/Type2056 / Error
Event Submitted/Written: 05/27/2008 11:20:10 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application jfw.exe, version 8.0.2173.2, faulting module unknown, version 0.0.0.0, fault address 0x001a9080.
Processing media-specific event for [jfw.exe!ws!]

Event Record #/Type2051 / Error
Event Submitted/Written: 05/26/2008 06:33:26 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2050 / Error
Event Submitted/Written: 05/26/2008 06:33:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2049 / Error
Event Submitted/Written: 05/26/2008 06:33:25 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type9862 / Error
Event Submitted/Written: 05/30/2008 01:59:34 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type9861 / Error
Event Submitted/Written: 05/30/2008 01:58:35 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service StiSvc with arguments ""
in order to run the server:
{A1F4E726-8CF1-11D1-BF92-0060081ED811}

Event Record #/Type9860 / Error
Event Submitted/Written: 05/30/2008 01:57:35 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type9859 / Error
Event Submitted/Written: 05/30/2008 01:54:34 PM
Event ID/Source: 7026 / Service Control Manager
Event Description:
The following boot-start or system-start driver(s) failed to load:
AFD
AvgLdx86
AvgMfx86
Fips
intelppm
IPSec
MRxSmb
NetBIOS
NetBT
RasAcd
Rdbss
Tcpip

Event Record #/Type9858 / Error
Event Submitted/Written: 05/30/2008 01:54:34 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error:
%%31



-- End of Deckard's System Scanner: finished at 2008-05-30 14:06:19 ------------


#2 ken545 (Malware Response Team, 1,685 posts)

Posted 29 June 2008 - 08:15 PM

Hello Richard Hufford

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please, as your system may have changed since your original post.

You have some nasty stuff on this system that needs to be removed.


I need to see a Hijackthis log please.


Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
  • Open HJT, Scan and Save a Log File; it will open in Notepad
  • Go to Format and make sure Wordwrap is unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread by using Post Reply, not by starting a new thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Consumer Security MVP 2007-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days

#3 Richard Hufford (Topic Starter)

Posted 30 June 2008 - 10:03 AM

I can't get a Hijack This log right away, because the owner of the computer has been out of town. The last time I talked to her, though, she seemed to think her problems were resolved. I have to admit, though, that I did not do anything that I believe fixed the "crap" problem--It hasn't happened again, and I'm hoping she misinterpreted something her screen reader (Jaws) said. Did you actually recognize some nasty stuff, so I'd better post a new log?

#4 ken545 (Malware Response Team)

Posted 30 June 2008 - 11:18 AM

Hello Richard,

C:\Program Files\XP Antivirus <-- This is a rogue antivirus program that you do not want on your system; it's actually a trojan masquerading as a legitimate program.

I will keep this thread open for you for about 2 weeks or so if you want to post a HJT log and proceed.

Ken

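A scripted version of the triage Ken is doing by eye, added here as an example; it is not part of the original thread and is not a BleepingComputer, Deckard's or Trend Micro tool. The embedded sample lines are copied from the DSS log in the first post. The rule names, the severities, the `Finding` type and the `KNOWN_ROGUE_DIRS` seed list (holding only the name Ken identifies in post #4) are this example's own choices, not anything HijackThis or DSS emits.

```python
"""Heuristic triage of HijackThis-style and DSS log lines.

Added example for this thread; it is not part of the original posts and is
not a BleepingComputer, Deckard's or Trend Micro tool.  It encodes a few of
the checks a log helper applies by eye: an all-digit Run-key value name, a
service with no vendor string, a driver loading from a temp directory, an
entry whose image file is missing, and anything listed in AppInit_DLLs.
"""
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    severity: str  # "high" | "medium" | "info"
    rule: str
    line: str


# The only rogue named in the thread (ken545, post #4).  A seed list for the
# example, not a maintained feed.
KNOWN_ROGUE_DIRS = ("XP Antivirus",)

# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# DSS driver/service rows: "S3 <name> - <image> [(file missing)]".  The
# lookahead keeps HijackThis "R0 - ..." lines out of this rule.
DRIVER_RE = re.compile(r"^[RS][0-4] (?!- )(?P<name>.+?) - (?P<image>.+)$")
TEMP_PATH_RE = re.compile(r"\\temp\\|\.tmp\b", re.IGNORECASE)

# Sample input: a constructed subset of lines copied from the DSS log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [32004709910803642326737834957100] C:\Program Files\XP Antivirus\xpa.exe
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: MtRepair1 - Unknown owner - C:\WINDOWS\system32\MtRepair1.exe
S3 {DEF85C80-216A-43ab-AF70-1665EDBE2780} - c:\windows\temp\617.tmp (file missing)
S4 MtRepair1 - "c:\windows\system32\mtrepair1.exe" -serv (file missing)
""".strip("\n")


def _check_run_entry(no, line, m) -> List[Finding]:
    found = []
    name, cmd = m.group("name"), m.group("cmd")
    # The rogue in this thread sits under a 32-digit value name; a long
    # all-digit name is rarely something a legitimate installer chooses.
    if name.isdigit() and len(name) >= 16:
        found.append(Finding(no, "high", "numeric-run-key", line))
    if any(d.lower() in cmd.lower() for d in KNOWN_ROGUE_DIRS):
        found.append(Finding(no, "high", "known-rogue-path", line))
    return found


def _check_service(no: int, line: str) -> List[Finding]:
    # O23 - Service: <display> (<short>) - <owner> - <image>
    parts = line.split(" - ", 3)
    if len(parts) < 4:
        return [Finding(no, "info", "unparsed-service", line)]
    owner, image = parts[2], parts[3]
    found = []
    if owner == "Unknown owner":  # no vendor string in the image's version info
        found.append(Finding(no, "medium", "unknown-owner", line))
    if TEMP_PATH_RE.search(image):
        found.append(Finding(no, "high", "temp-path", line))
    return found


def triage(log_text: str) -> List[Finding]:
    """Return every finding in log order; one line may trigger several rules."""
    found: List[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "(file missing)" in line:
            found.append(Finding(no, "medium", "file-missing", line))
        m = RUN_RE.match(line)
        if m:
            found.extend(_check_run_entry(no, line, m))
        elif line.startswith("O23 - Service:"):
            found.extend(_check_service(no, line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Loaded into every process that links user32.dll: always review.
            found.append(Finding(no, "info", "appinit-dll", line))
        else:
            d = DRIVER_RE.match(line)
            if d and TEMP_PATH_RE.search(d.group("image")):
                found.append(Finding(no, "high", "temp-path", line))
    return found


def flagged_lines(findings: List[Finding]) -> List[int]:
    """Distinct line numbers needing a human look, highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    best: Dict[int, int] = {}
    for f in findings:
        best[f.line_no] = min(best.get(f.line_no, 9), rank[f.severity])
    return sorted(best, key=lambda n: (best[n], n))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} [{f.severity:<6}] {f.rule:<16} {f.line}")
```

Run it against the sample and the XP Antivirus Run entry comes out on top, with the temp-directory driver next; the MtRepair services and the AppInit_DLLs line are only queued for review. That ordering is deliberate: "Unknown owner" and "(file missing)" entries are stale residue of an uninstalled product at least as often as they are malware, which is why a helper asks for a fresh log rather than having HijackThis fix everything the scanner lists.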


#5 Richard Hufford (Topic Starter)

Posted 30 June 2008 - 01:23 PM

Thanks, Ken. I thought I got rid of that one. I'd like to claim that I deleted XP antivirus from the Program Files folder, but I'd better go back and make sure. I'll try to submit a new Hijack This log in the next week.
-Richard

#6 ken545 (Malware Response Team)

Posted 30 June 2008 - 04:59 PM

Richard,

These types of programs don't usually go away using Add/Remove Programs; that's why they're considered a trojan.

I'll be here





