
Son's Computer - Trojans: Systemsdefender, Fakegina, Backdoor Agent


This topic is locked
16 replies to this topic

#1 cougar1rose

  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA

Posted 09 August 2008 - 09:27 PM

My son's computer is also infected: Windows XP Home 2002, Dell Dim 4400, Pentium 4

Antispyware scans found: trojan.win32.fakegina.ao, backdoor.win32.agent.mj

IMPORTANT NOTE: As I was posting this log, I got a popup from IE mimicking Microsoft's Security Center with a button to install antispyware. The website URL began: systems-defender.com/freeware (I take it this computer is infected with the Systems Defender malware).

I also noticed that when I went to System Properties, under the General tab there was a message under "Registered to:" reading VIRUS ALERT! I've never seen that before.

Please advise how to help remove the infections. I've posted both the Deckard's log and the Kaspersky log. I was not able to download HijackThis; something prevented me when I tried through Deckard's scanner.

Thank you.
Julie

Deckard's System Scanner v20071014.68
Run by Admin on 2008-08-09 21:56:48
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
59: 2008-08-10 01:56:59 UTC - RP59 - Deckard's System Scanner Restore Point
58: 2008-08-09 18:32:55 UTC - RP58 - System Checkpoint
57: 2008-08-07 23:17:27 UTC - RP57 - System Checkpoint
56: 2008-08-06 23:05:49 UTC - RP56 - System Checkpoint
55: 2008-08-05 22:42:54 UTC - RP55 - System Checkpoint


-- First Restore Point --
1: 2008-07-19 20:43:27 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 256 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-09 21:58:28
Platform: Windows XP (5.01.2600)
MSIE: Internet Explorer (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Documents and Settings\Admin\Desktop\dss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A3538EE-4578-4968-A8F2-9042E5EB074C} - (no file)
O2 - BHO: (no name) - {2A65BE74-EC8D-401E-93DF-5BDA3DC05505} - C:\WINDOWS\System32\hgGwUoNE.dll (file missing)
O2 - BHO: (no name) - {526E77D2-4402-4D65-BA6B-F7542B9011E7} - C:\WINDOWS\System32\jkkKEXNG.dll (file missing)
O2 - BHO: {fa72a58b-5096-124b-7d24-d5efa8d4f0e6} - {6e0f4d8a-fe5d-42d7-b421-6905b85a27af} - C:\WINDOWS\System32\worcnd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: QXK Olive - {87F4CB3B-57AE-4E72-9230-7DE6A3FED185} - C:\WINDOWS\kgxmotapwnr.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [2c853f44] rundll32.exe "C:\WINDOWS\System32\mtrfqglf.dll",b
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\Web\related.htm
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: hgGwUoNE - C:\WINDOWS\System32\hgGwUoNE.dll (file missing)
O21 - SSODL: evgratsm - {21935D7A-55C0-4F2F-8482-B27781C2E3C4} - C:\WINDOWS\evgratsm.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


--
End of file - 4326 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.5.3.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.5.3.0>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
S3 HTTP - c:\windows\system32\drivers\http.sys (file missing)
S3 ip6fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
S3 nv - c:\windows\system32\drivers\nv4_mini.sys (file missing)
S3 RTLWUSB (NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver) - c:\windows\system32\drivers\wg111v2.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&268D196D&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&268D196D&0
Service: i8042prt


-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 16:11:54 0 d-------- C:\Documents and Settings\Admin\Application Data\Sun
2008-08-09 13:59:29 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:59:18 0 d-------- C:\Program Files\SpywareBlaster
2008-08-09 13:47:12 0 d-------- C:\Program Files\a-squared Free
2008-08-09 13:41:46 0 d-------- C:\Documents and Settings\Admin\Application Data\Macromedia
2008-08-09 13:41:46 0 d-------- C:\Documents and Settings\Admin\Application Data\Adobe
2008-08-02 09:32:11 0 d-------- C:\Program Files\Mp3 My Mp3 2.0
2008-08-02 09:26:58 0 d-------- C:\Program Files\Audacity
2008-08-02 09:12:16 118784 --a------ C:\WINDOWS\System32\Msstdfmt.dll <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-08-02 09:12:16 221184 --a------ C:\WINDOWS\System32\lame_enc.dll
2008-08-02 09:12:15 356352 --a------ C:\WINDOWS\System32\NCTWMAFile.dll <Not Verified; NCT Company; NCTWMAFile ActiveX DLL>
2008-08-02 09:12:15 270336 --a------ C:\WINDOWS\System32\NCTAudioRecord.dll <Not Verified; NCT Company; NCTAudioRecord ActiveX DLL>
2008-08-02 09:12:15 274432 --a------ C:\WINDOWS\System32\NCTAudioPlayer.dll <Not Verified; NCT Company; NCTAudioPlayer ActiveX DLL>
2008-08-02 09:12:15 1093632 --a------ C:\WINDOWS\System32\NCTAudioFile.dll <Not Verified; NCT Company; NCTAudioFile ActiveX DLL>
2008-08-02 09:12:15 0 d-------- C:\Program Files\XAudioTools
2008-07-31 14:27:41 0 d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-07-31 14:27:30 0 d-------- C:\Documents and Settings\Admin\Application Data\Mozilla
2008-07-27 11:53:20 0 d-------- C:\WINDOWS\privacy_danger
2008-07-27 10:14:24 0 d---s---- C:\Documents and Settings\Admin\UserData
2008-07-27 10:11:59 0 d-------- C:\Program Files\Belkin
2008-07-19 16:43:13 690689 --ahs---- C:\WINDOWS\System32\GNXEKkkj.ini2
2008-07-19 16:36:05 368640 --a------ C:\WINDOWS\kvxqmtre.dll
2008-07-19 16:36:05 102400 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-19 16:36:04 274432 --a------ C:\WINDOWS\evgratsm.dll
2008-07-19 16:34:05 0 d-------- C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL
2008-07-18 18:06:44 0 d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
2008-07-16 15:39:06 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2008-07-14 10:47:18 0 d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-14 10:34:52 0 d-------- C:\Program Files\CyberLink
2008-07-12 23:33:15 0 d-------- C:\WINDOWS\.jagex_cache_32


-- Find3M Report ---------------------------------------------------------------

2008-08-06 22:36:22 0 d-------- C:\Program Files\Cheat Engine
2008-07-27 10:26:05 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-16 15:23:44 0 d-------- C:\Program Files\Messenger
2008-07-16 11:51:37 0 d-------- C:\Program Files\Java
2008-06-26 12:09:49 78994 --a------ C:\WINDOWS\hpfins05.dat
2008-06-23 09:00:11 0 d-------- C:\Program Files\Windows NT
2008-06-23 08:59:50 0 d-------- C:\Program Files\Movie Maker
2008-06-19 19:54:21 0 d-------- C:\Documents and Settings\Admin\Application Data\Identities
2008-06-19 19:42:48 0 d-------- C:\Program Files\AVG
2008-06-18 23:39:10 0 d-------- C:\Program Files\MSXML 4.0
2008-06-17 18:15:04 0 d-------- C:\Program Files\Common Files\SourceTec
2008-06-17 18:15:01 0 d-------- C:\Program Files\Common Files
2008-06-17 18:14:48 0 d-------- C:\Program Files\SourceTec
2008-06-17 17:23:19 0 d-------- C:\Program Files\Paint.NET
2008-06-17 17:05:43 0 d-------- C:\Program Files\MSBuild
2008-06-17 17:05:31 0 d-------- C:\Program Files\Reference Assemblies
2008-06-17 17:00:38 0 d-------- C:\Program Files\MSXML 6.0
2008-06-16 21:30:17 1160 --a------ C:\WINDOWS\mozver.dat
2008-06-16 20:32:32 0 --a------ C:\WINDOWS\nsreg.dat
2008-06-16 14:50:53 0 d--h----- C:\Program Files\WindowsUpdate
2008-06-14 19:50:37 0 d-------- C:\Program Files\LimeWire
2008-06-14 17:39:49 0 d-------- C:\Program Files\Common Files\Java
2008-06-14 15:54:15 0 d-------- C:\Program Files\AIM6
2008-06-14 15:54:06 0 d-------- C:\Program Files\Viewpoint
2008-06-14 15:53:42 0 d-------- C:\Program Files\Common Files\AOL
2008-06-11 21:34:47 0 d-------- C:\Program Files\Common Files\HP
2008-06-11 21:34:46 0 d-------- C:\Program Files\HP
2008-06-11 21:34:06 0 d-------- C:\Program Files\Hewlett-Packard
2008-06-07 20:23:19 0 -rahs---- C:\MSDOS.SYS
2008-06-07 20:23:19 0 -rahs---- C:\IO.SYS
2008-06-07 20:23:19 0 --a------ C:\CONFIG.SYS
2008-06-07 20:23:19 0 --a------ C:\AUTOEXEC.BAT
2008-06-07 20:20:40 21640 --a------ C:\WINDOWS\System32\emptyregdb.dat
2008-06-07 16:07:29 62 --ahs---- C:\Documents and Settings\Admin\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A3538EE-4578-4968-A8F2-9042E5EB074C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}]
C:\WINDOWS\System32\hgGwUoNE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{526E77D2-4402-4D65-BA6B-F7542B9011E7}]
C:\WINDOWS\System32\jkkKEXNG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6e0f4d8a-fe5d-42d7-b421-6905b85a27af}]
C:\WINDOWS\System32\worcnd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87F4CB3B-57AE-4E72-9230-7DE6A3FED185}]
C:\WINDOWS\kgxmotapwnr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [08/18/2005 07:41 AM]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [05/11/2005 11:12 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [07/13/2008 09:38 AM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [01/12/2005 03:01 AM]
"2c853f44"="C:\WINDOWS\System32\mtrfqglf.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - C:\Program Files\Belkin\F5D8053\Belkinwcui.exe [9/17/2007 6:15:30 PM]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/11/2005 11:23:26 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2A65BE74-EC8D-401E-93DF-5BDA3DC05505}"= C:\WINDOWS\System32\hgGwUoNE.dll [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"evgratsm"= {21935D7A-55C0-4F2F-8482-B27781C2E3C4} - C:\WINDOWS\evgratsm.dll [07/19/2008 10:35 AM 274432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwUoNE]
hgGwUoNE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\System32\jkkKEXNG
"Notification Packages"= scecli

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - A2FREE



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8724 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-09 21:59:22 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600)
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.00GHz
Percentage of Memory in Use: 63%
Physical Memory (total/avail): 255.3 MiB / 92.3 MiB
Pagefile Memory (total/avail): 618.58 MiB / 429.88 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1936.63 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.24 GiB total, 28.39 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD400BB-75FJA1 - 37.25 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.24 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Admin\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=V-K8KPSOARLSO82
ComSpec=C:\WINDOWS\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Admin
LOGONSERVER=\\V-K8KPSOARLSO82
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0204
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
TMP=C:\DOCUME~1\Admin\LOCALS~1\Temp
USERDOMAIN=V-K8KPSOARLSO82
USERNAME=Admin
USERPROFILE=C:\Documents and Settings\Admin
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

andrew (admin)
Admin (admin)
Maya (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
a-squared Free 3.5 --> "C:\Program Files\a-squared Free\unins000.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\System32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop Album 2.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A367C28-423C-48E2-8C76-EBA1171F932A}\apxp.ex_" -l0x9
Adobe Reader 6.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-000000000001}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
Audacity 1.2.6 --> "C:\Program Files\Audacity\unins000.exe"
Audio MP3/WMA Recorder --> C:\PROGRA~1\XAUDIO~1\ADVANC~1\UNWISE.EXE C:\PROGRA~1\XAUDIO~1\ADVANC~1\INSTALL.LOG
AVG Free 8.0 --> C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Belkin F5D8053 N Wireless USB Adapter --> C:\Program Files\InstallShield Installation Information\{E6607F5B-50E7-4B54-81B7-F0600E3C8CF4}\setup.exe -runfromtemp -l0x0409
Cheat Engine 5.1.1 --> "C:\Program Files\Cheat Engine\unins000.exe"
HP Deskjet 3900 series --> C:\Program Files\HP\Digital Imaging\{3819891A-030B-4a4e-98ED-B28A649E48AB}\setup\hpzscr01.exe -datfile hpfscr05.dat
HP Image Zone Express --> MsiExec.exe /X{FE64AE29-0883-4C70-8388-DC026019C900}
HP Imaging Device Functions 5.0 --> C:\Program Files\HP\Digital Imaging\DigitalImagingMonitor\hpzscr01.exe -datfile hpqbud01.dat
HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
HP Solution Center & Imaging Support Tools 5.0 --> C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
LimeWire 4.18.2 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Works --> MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Paint.NET v3.31 --> MsiExec.exe /X{51AFB69C-1C54-4C77-A888-2860F8CD3E7D}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
Sothink SWF Quicker --> "C:\Program Files\SourceTec\Sothink SWF Quicker\unins000.exe"
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WebVideo Support --> C:\WINDOWS\agpqlrfm.exe
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
XML Paper Specification Shared Components Pack 1.0 -->


-- Application Event Log -------------------------------------------------------

Event Record #/Type558 / Error
Event Submitted/Written: 08/06/2008 00:10:30 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x0004f029.

Event Record #/Type557 / Error
Event Submitted/Written: 08/06/2008 11:36:19 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module npswf32.dll, version 9.0.124.0, fault address 0x0008b096.

Event Record #/Type552 / Error
Event Submitted/Written: 08/05/2008 00:16:22 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x0004f029.

Event Record #/Type551 / Error
Event Submitted/Written: 08/04/2008 05:00:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x0004f029.

Event Record #/Type550 / Error
Event Submitted/Written: 08/04/2008 05:00:04 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application firefox.exe, version 1.8.20080.4669, faulting module msvcr80.dll, version 8.0.50727.1433, fault address 0x0004f029.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type6299 / Error
Event Submitted/Written: 08/09/2008 04:10:56 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The a-squared Free Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type6298 / Error
Event Submitted/Written: 08/09/2008 04:10:42 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type6295 / Error
Event Submitted/Written: 08/09/2008 04:10:39 PM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The AVG8 WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type6292 / Error
Event Submitted/Written: 08/09/2008 04:10:36 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The AVG8 E-mail Scanner service terminated unexpectedly. It has done this 2 time(s).

Event Record #/Type6289 / Error
Event Submitted/Written: 08/09/2008 04:10:29 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The AVG8 E-mail Scanner service terminated unexpectedly. It has done this 1 time(s).



-- End of Deckard's System Scanner: finished at 2008-08-09 21:59:22 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 20:57:04
Records in database: 1076085
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\

Scan statistics:
Files scanned: 26399
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:41:27


File name / Threat name / Threats count
C:\WINDOWS\agpqlrfm.exe Infected: Trojan.Win32.Vapsup.ity 1

The selected area was scanned.
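Added here as an editor's example, not part of the original thread or of any tool named in it: a Python triage pass that applies the structural checks a helper makes when reading a HijackThis-style log (targets marked "(file missing)", unnamed BHOs, hex-named Run values that launch rundll32 through a one-letter export, Winlogon Notify packages, SSODL DLLs dropped directly into the Windows directory) to a handful of lines copied from the log above. The heuristics, the Finding type and the choice of sample lines are my own assumptions; they flag entries for a human to review and decide nothing on their own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: nine lines copied from the "HijackThis Clone" section of
# the Deckard's System Scanner log posted above (not the complete log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A65BE74-EC8D-401E-93DF-5BDA3DC05505} - C:\WINDOWS\System32\hgGwUoNE.dll (file missing)
O2 - BHO: QXK Olive - {87F4CB3B-57AE-4E72-9230-7DE6A3FED185} - C:\WINDOWS\kgxmotapwnr.dll (file missing)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [2c853f44] rundll32.exe "C:\WINDOWS\System32\mtrfqglf.dll",b
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: hgGwUoNE - C:\WINDOWS\System32\hgGwUoNE.dll (file missing)
O21 - SSODL: evgratsm - {21935D7A-55C0-4F2F-8482-B27781C2E3C4} - C:\WINDOWS\evgratsm.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")          # "O4 - <body>"
RUN_VALUE_RE = re.compile(r"\[([^\]]+)\]\s*(.*)$")   # "[ValueName] command"
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")           # e.g. 2c853f44
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE
)
# A DLL directly under C:\WINDOWS rather than in System32 or a product folder.
WINDIR_DLL_RE = re.compile(r"^C:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)


@dataclass
class Finding:
    section: str          # HijackThis section, e.g. "O2"
    line: str             # the log line as written
    reasons: List[str] = field(default_factory=list)


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if no heuristic fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons: List[str] = []

    # Any load point whose target is gone: the registry still tries to load it.
    if body.endswith("(file missing)"):
        reasons.append("load point refers to a file that is no longer present")

    # Legitimate BHOs almost always register a display name.
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered with no name")

    if section == "O4":
        rv = RUN_VALUE_RE.search(body)
        if rv:
            value_name, command = rv.groups()
            if HEX_NAME_RE.match(value_name):
                reasons.append("Run value name is an 8-digit hex string, not a product name")
            rd = RUNDLL_RE.match(command)
            if rd and len(rd.group(2)) == 1:
                reasons.append("rundll32 loads a DLL through a single-letter export")

    # Winlogon Notify DLLs run inside winlogon.exe at every logon.
    if section == "O20" and body.startswith("Winlogon Notify:"):
        reasons.append("Winlogon Notify package, loaded by winlogon.exe at logon")
    # AppInit_DLLs deserves a look too; avgrsstx.dll is an AVG 8 component
    # (it appears in the log's file list with the AVG drivers), so no flag here.

    if section == "O21":
        target = body.rsplit(" - ", 1)[-1]
        if WINDIR_DLL_RE.match(target):
            reasons.append("ShellServiceObjectDelayLoad DLL sits directly in the Windows directory")

    return Finding(section, line.strip(), reasons) if reasons else None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line and keep only the flagged entries."""
    return [f for f in (triage_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```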


#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 August 2008 - 09:43 AM

Hi,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1 for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.

Click here to get Service Pack 1

Warning: You must only update to Service Pack 1, and not Service Pack 2. Doing this before your computer is clean can cause Windows to become unstable. We will update to SP2 after the log is clean.

After you have updated your computer to SP1, please restart your computer and post a new HJT log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 cougar1rose
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA

Posted 10 August 2008 - 11:03 AM

Hi,

The link you gave took me to SP3. I then went to find SP1 on MS website and it also redirected me to SP3 as soon as I clicked on the SP1 download link. Should I go ahead and update to SP3?

FYI, I discovered Automatic Updates was disabled under services.msc and fixed that. I am installing other security updates. It also wanted me to install SP2, but I have not done so, per your instructions.

Thanks,

Julie

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 August 2008 - 11:10 AM

Hi,

If it gives you SP3, don't update yet then. You can update afterwards.

So make sure no updates are currently running, and then perform the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 cougar1rose
  • Topic Starter

  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA

Posted 10 August 2008 - 02:09 PM

Hello,

I did the ComboFix and Recovery Console (used the link to the MS CD boot for the original release). Please see the ComboFix and HijackThis logs.

I hope it worked!

Thanks,
Julie



ComboFix 08-08-09.06 - Admin 2008-08-10 14:46:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.129 [GMT -4:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\WinXP_EN_HOM_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL
C:\Documents and Settings\All Users\Application Data\SecuriSoft SARL\WinSpywareProtect\LOG\20080719163633724.log
C:\WINDOWS\evgratsm.dll
C:\WINDOWS\kvxqmtre.dll
C:\WINDOWS\system32\flgqfrtm.ini
C:\WINDOWS\system32\GNXEKkkj.ini
C:\WINDOWS\system32\GNXEKkkj.ini2
C:\WINDOWS\system32\jbmjhrrt.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\usxftyiq.ini
C:\WINDOWS\system32\vyrstosb.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-10 12:04 . 2002-11-14 15:42 218,624 --a------ C:\WINDOWS\system32\srrstr.dll
2008-08-10 12:04 . 2002-11-14 15:42 218,624 -----c--- C:\WINDOWS\system32\dllcache\srrstr.dll
2008-08-10 12:02 . 2008-08-10 12:11 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-08-10 12:02 . 2003-08-02 00:14 25,600 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-08-09 21:55 . 2008-08-09 21:55 <DIR> d-------- C:\Deckard
2008-08-09 13:59 . 2008-08-09 13:59 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-09 13:59 . 2008-08-09 13:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 13:59 . 2005-04-15 20:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-09 13:47 . 2008-08-09 14:40 <DIR> d-------- C:\Program Files\a-squared Free
2008-08-02 09:32 . 2008-08-02 09:32 <DIR> d-------- C:\Program Files\Mp3 My Mp3 2.0
2008-08-02 09:26 . 2008-08-02 09:26 <DIR> d-------- C:\Program Files\Audacity
2008-08-02 09:12 . 2008-08-02 09:12 <DIR> d-------- C:\Program Files\XAudioTools
2008-07-31 14:27 . 2008-07-31 14:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-07-27 11:53 . 2008-07-28 00:20 <DIR> d-------- C:\WINDOWS\privacy_danger
2008-07-27 10:14 . 2008-07-27 10:14 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-07-27 10:11 . 2008-07-27 10:11 <DIR> d-------- C:\Program Files\Belkin
2008-07-19 16:36 . 2008-07-19 10:35 102,400 --a------ C:\WINDOWS\agpqlrfm.exe
2008-07-18 18:06 . 2008-07-18 18:06 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
2008-07-16 15:07 . 2008-07-16 15:16 374 --a------ C:\WINDOWS\bgssb3.ini
2008-07-16 15:07 . 2008-07-16 15:20 177 --a------ C:\WINDOWS\bgsdatatemp.INI
2008-07-16 15:07 . 2008-07-16 15:16 138 --a------ C:\WINDOWS\gamesystem.ini
2008-07-14 10:47 . 2008-07-14 10:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-14 10:34 . 2008-07-14 10:34 <DIR> d-------- C:\Program Files\CyberLink
2008-07-13 09:37 . 2008-07-13 09:37 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-12 23:33 . 2008-07-12 23:33 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 16:03 --------- d-----w C:\Program Files\MSXML 4.0
2008-08-10 15:38 --------- d-----w C:\Program Files\Java
2008-08-07 02:36 --------- d-----w C:\Program Files\Cheat Engine
2008-07-27 14:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-18 22:07 21,419 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-07-13 13:38 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-13 13:37 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-28 15:42 --------- d-----w C:\Documents and Settings\Maya\Application Data\Talkback
2008-06-19 23:42 --------- d-----w C:\Program Files\AVG
2008-06-19 23:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-17 22:15 --------- d-----w C:\Program Files\Common Files\SourceTec
2008-06-17 22:14 --------- d-----w C:\Program Files\SourceTec
2008-06-17 21:23 --------- d-----w C:\Program Files\Paint.NET
2008-06-17 21:05 --------- d-----w C:\Program Files\Reference Assemblies
2008-06-17 21:05 --------- d-----w C:\Program Files\MSBuild
2008-06-17 21:00 --------- d-----w C:\Program Files\MSXML 6.0
2008-06-17 02:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-17 02:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-14 23:50 --------- d-----w C:\Program Files\LimeWire
2008-06-14 21:39 --------- d-----w C:\Program Files\Common Files\Java
2008-06-14 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-14 19:54 --------- d-----w C:\Program Files\Viewpoint
2008-06-14 19:54 --------- d-----w C:\Program Files\AIM6
2008-06-14 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-14 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\acccore
2008-06-14 19:53 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-14 19:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-12 01:34 --------- d-----w C:\Program Files\HP
2008-06-12 01:34 --------- d-----w C:\Program Files\Hewlett-Packard
2008-06-12 01:34 --------- d-----w C:\Program Files\Common Files\HP
2008-06-12 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\HP
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2005-08-18 07:41 749568]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12 49152]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-13 09:38 1232152]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin F5D8053 N Wireless USB Adapter Utility.lnk - C:\Program Files\Belkin\F5D8053\Belkinwcui.exe [2007-09-17 18:15:30 1732608]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\System32\Drivers\avgldx86.sys [2008-07-13 09:37]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-13 09:38]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-13 09:38]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\System32\Drivers\avgtdix.sys [2008-07-13 09:38]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 17:38]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\System32\DRIVERS\rt2870.sys [2007-07-28 14:50]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys []
.
- - - - ORPHANS REMOVED - - - -

BHO-{526E77D2-4402-4D65-BA6B-F7542B9011E7} - C:\WINDOWS\System32\jkkKEXNG.dll
BHO-{6e0f4d8a-fe5d-42d7-b421-6905b85a27af} - C:\WINDOWS\System32\worcnd.dll
HKLM-Run-2c853f44 - C:\WINDOWS\System32\mtrfqglf.dll
SSODL-evgratsm-{B709355A-46E5-4EFA-9862-1835B1D8B7E9} - C:\WINDOWS\evgratsm.dll
Notify-hgGwUoNE - hgGwUoNE.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Admin\Application Data\Mozilla\Firefox\Profiles\bj0oib1i.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-10 14:51:16
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\wbem\wmiadap.exe
.
**************************************************************************
.
Completion time: 2008-08-10 14:53:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-10 18:53:30

Pre-Run: 30,182,789,120 bytes free
Post-Run: 30,100,135,936 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

148 --- E O F --- 2008-08-10 16:11:43


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:56:55 PM, on 8/10/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mediasportal2008.com/phandler.php?s...aid=0&pid=2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 3637 bytes

#6 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:17 AM

Posted 10 August 2008 - 02:23 PM

Hi,

This is much better...

Navigate to and delete the following file and folder:

C:\WINDOWS\agpqlrfm.exe <== file
C:\WINDOWS\privacy_danger <== folder

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Also,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change, from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Reboot afterwards.

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 cougar1rose
  • Topic Starter
  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA
  • Local time:08:17 PM

Posted 11 August 2008 - 08:54 AM

Hi,

I was not able to delete privacy_danger folder. I tried to rename it, reboot with internet disabled, change properties by unchecking read only box, etc. but it kept saying Access Denied.

I did all the other things, including uninstalling ComboFix. How can I delete this stubborn folder?

Thanks so much,
Julie

#8 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:17 AM

Posted 11 August 2008 - 11:57 AM

That's strange. Is there anything still inside that folder?

Can you redownload and run ComboFix again and post the log? Because I want to be sure that nothing got installed in the meanwhile...

#9 cougar1rose
  • Topic Starter
  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA
  • Local time:08:17 PM

Posted 11 August 2008 - 12:38 PM

When I put my mouse over the folder it says it's empty, but I'm not sure if I trust that or not. It initially acted like it was deleting when I first tried to delete the folder, but there was nothing in my recycle bin. I also cannot open the folder; I get the same Access Denied error (write protected, full disk).

I'm at work right now, but I'll run ComboFix tonight and send it to you. I do appreciate all your help. Thank you.

Julie

#10 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:17 AM

Posted 11 August 2008 - 12:55 PM

OK, I'll read you later :thumbsup:

But as I reread, there's no need to redownload ComboFix again. I'm pretty sure that the infection is gone here. And as you say, it's the folder itself which you can't even open, write protected.
In that case, follow the instructions posted here for that folder:

How to take ownership of a file or a folder where you have been denied access:
http://support.microsoft.com/default.aspx?...421&sd=tech

Edited by miekiemoes, 11 August 2008 - 01:01 PM.


#11 cougar1rose
  • Topic Starter
  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA
  • Local time:08:17 PM

Posted 11 August 2008 - 08:27 PM

Hello miekiemoes,

I was able to take ownership of that folder and delete it. It did have subfolders of the image of the red screen! I deleted from recycle bin too. Thanks for that information. Very valuable.

I redid the HijackThis log for you to review. (Note: I went to my son's user side and his clock is still military and there is a "VIRUS ALERT!" next to the clock.)

I also tried to uninstall AVG 2008 antivirus and it would not let me. I wonder if it is infected or just due to older windows.

Thanks!
Julie



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:21: VIRUS ALERT!, on 8/11/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://youtube.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\andrew\LOCALS~1\Temp\smchk.exe
O4 - Global Startup: Belkin F5D8053 N Wireless USB Adapter Utility.lnk = C:\Program Files\Belkin\F5D8053\Belkinwcui.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\npjpi160_07.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

--
End of file - 3353 bytes

#12 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:17 AM

Posted 12 August 2008 - 12:05 AM

Hi,

"(Note I went to my son's user side and his clock is still military and there is a virus alert! next to the clock.)"

To fix that, read my blog post here: http://miekiemoes.blogspot.com/2008/05/vir...to-restore.html

Also, check and fix the following leftovers in HijackThis:

O4 - HKCU\..\Run: [InstallProgram] C:\DOCUME~1\andrew\LOCALS~1\Temp\smchk.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present


For your AVG, what error do you get when you try to uninstall it?
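The two leftovers called out above are the kind of entries a simple log-triage heuristic can pick out of a HijackThis log on its own. The Python below is an added example, not code from this thread or from HijackThis; it runs two checks over constructed sample lines copied from the posted log: an O4 Run-key entry whose program lives in a user's Temp folder, and an O6 IE Restrictions policy.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the two leftover lines from the thread plus benign entries
# from the same log, so the heuristics have something to pass over.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Microsoft Works Portfolio] C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKCU\\..\\Run: [MSMSGS] "C:\\Program Files\\Messenger\\msmsgs.exe" /background
O4 - HKCU\\..\\Run: [InstallProgram] C:\\DOCUME~1\\andrew\\LOCALS~1\\Temp\\smchk.exe
O6 - HKCU\\Software\\Policies\\Microsoft\\Internet Explorer\\Restrictions present
O20 - AppInit_DLLs: avgrsstx.dll
"""

# O4 Run-key entry as HijackThis prints it: "O4 - HKCU\..\Run: [name] command line"
O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking path in a command line; quoted or unquoted, 8.3 names allowed.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|scr|com|bat|pif))', re.I)
# User-writable temp locations in both long and 8.3 (LOCALS~1\Temp) spellings.
TEMP_RE = re.compile(r"\\(?:temp|tmp)\\|local settings\\temp", re.I)


def exe_path(cmd: str) -> Optional[str]:
    """Return the program path from an O4 command line, or None if none is recognisable."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def triage_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (hijackthis_code, reason) when a line matches a leftover heuristic, else None."""
    m = O4_RUN_RE.match(line)
    if m:
        path = exe_path(m.group("cmd"))
        if path and TEMP_RE.search(path):
            return ("O4", f"Run key '{m.group('name')}' launches {path} from a Temp folder; "
                          "legitimate software does not autostart from there")
        return None
    # O6 means IE options are restricted by policy; on a home PC with no administrator
    # policy in place this is usually left behind by rogue software.
    if line.startswith("O6 - ") and "Restrictions" in line:
        return ("O6", "IE Restrictions policy is set without an administrator having set one")
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan a HijackThis log and return (code, line, reason) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append((hit[0], line, hit[1]))
    return findings


if __name__ == "__main__":
    for code, line, reason in triage(SAMPLE_LOG):
        print(f"[{code}] {line}\n      -> {reason}")
```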

#13 cougar1rose
  • Topic Starter
  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA
  • Local time:08:17 PM

Posted 12 August 2008 - 10:56 AM

Hi,

On the AVG, I got a message that stated we didn't have the right operating system to install AVG (even though I was trying to uninstall) and to go to their website.

A little more history to help you understand: this computer is about 6 yrs old and we did a clean install for our son a few months ago. I thought we updated to SP2 when we did this. So, I talked to my son (14 yrs old) last night and he took it upon himself to get rid of SP2 because it was slowing the computer down. There could be the whole issue!

My goal was to uninstall AVG and try Avast, since the AVG resident shield was grayed out... though now I don't know if his computer will allow newer programs if we don't update the service pack. My son was adamant that going to SP3 would be even worse. Any help on convincing him to keep SP2 or go to SP3 is greatly appreciated, as well as sorting this out!

Thank you again,
Julie

#14 miekiemoes
Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:01:17 AM

Posted 12 August 2008 - 11:17 AM

Hi,

Yes, it is possible that AVG8 won't run as long as this version of Windows is not updated; it needs at least SP1.
And from the AVG site:

AVG only runs on Windows 2000 SP4 + Update Rollup 1, Windows XP SP2, Windows XP Pro x64 Edition SP1 and Windows Vista/Vista x64 Edition or higher.

So minimum requirements are SP2.

This is the same for some other security scanners; for example, Kaspersky won't install on computers when no service packs are present.
The service packs (security updates) are really needed! Without service packs, this computer can get infected again immediately. As a matter of fact, the updates also give more reliability and performance.
http://www.microsoft.com/windows/downloads...e/overview.mspx

Anyway, without the updates it won't be long before this computer is infected again, and malware slows down the computer even more, damages it and steals important info from your system, etc. So the choice shouldn't be that hard to make.

#15 cougar1rose
  • Topic Starter
  • Members
  • 27 posts
  • Gender:Female
  • Location:Massachusetts, USA
  • Local time:08:17 PM

Posted 13 August 2008 - 08:46 AM

Hello miekiemoes,

I did the HijackThis fixes and the clock is fixed too. I even checked the product ID in regedit and it was fine! Yeah! :thumbsup:

Again, thank you so much for all of your assistance. I will get his computer updated. Is there anything else I need to do or are we good to go?

Warmest regards,
Julie L.
