
Help Please With Virus


  • This topic is locked
3 replies to this topic

#1 LoneIWolf


  • Members
  • 4 posts

Posted 05 January 2009 - 01:53 PM

I have been having some trouble with a trojan Kaspersky antivirus has detected. It keeps "deleting" it but it never goes, and I am having little luck deleting the files manually. It has spread onto my memory stick, creating an autorun so when you double click on the file path in My Computer it runs. I thought it was deleted from my memory stick as Kaspersky said it had deleted it, but a network in my workplace detected it; I hope it isn't infected. Mozilla Firefox 3.1 Beta 2 seems to have adware now, redirecting some selected links in Google to other sites. Two files are in the Local Settings\Temp folder.

I have run HijackThis from Trend Micro and have the following log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:59:15, on 05/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\FrostWire\FrostWire.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.alienware.co.uk/Mothership?Comp=AWEU&SysCode=PC-EU-LT-AR51M7700R1&ai=636E3D4532323130383026706F3D504F2D45353737383141
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1220637149984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1221762830937
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: wbsys.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~1\KASPER~1\KASPER~1\mzvkbd3.dll,C:\PROGRA~1\KASPER~1\KASPER~1\adialhk.dll,C:\PROGRA~1\KASPER~1\KASPER~1\kloehk.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Borland Software Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: lxdeCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdeserv.exe
O23 - Service: lxde_device -   - C:\WINDOWS\system32\lxdecoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7530 bytes

Kaspersky has noted vulnerabilities in some programs, but I have had no luck in removing them. For example, Adobe AIR apparently had a vulnerability, so I went onto Adobe's site and tried to install it, but the installer said I already had the most recent version installed; maybe the trojan is opening back doors. I also have a removable hard drive which I suspect may also contain the virus, and that is unfortunately where I have all of my work backed up.
In Mozilla Firefox, Kaspersky finds iamfamous.dll and a rootkit in my computer's temporary files.

Any help will be greatly appreciated. Thanks, L.W.

edit:

Forgot to add this.

DDS (Version 1.1.0) - NTFSx86
Run by owner at 19:38:27.70 on 05/01/2009
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1055 [GMT 0:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated)
FW: Kaspersky Internet Security *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\lxdecoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\FrostWire\FrostWire.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Documents and Settings\owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.alienware.co.uk/Mothership?Comp=AWEU&SysCode=PC-EU-LT-AR51M7700R1&ai=636E3D4532323130383026706F3D504F2D45353737383141
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2009\ievkbd.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [CHotkey] mHotkey.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2009\avp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: Add to Banner Ad Blocker - c:\program files\kaspersky lab\kaspersky internet security 2009\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky internet security 2009\SCIEPlgn.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: klogon - c:\windows\system32\klogon.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: wbsys.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\tah8cvry.default\
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\tah8cvry.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\mozilla firefox 3.1 beta 2\components\iamfamous.dll
FF - plugin: c:\program files\photosynth\npPhotosynthMozilla.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("gfx.color_management.mode", 2);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("gfx.color_management.rendering_intent", 0);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("gfx.downloadable_fonts.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("gfx.downloadable_fonts.enforce_same_site_origin", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("javascript.options.jit.content", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("javascript.options.jit.chrome", false);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("layout.css.visited_links_enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("ui.panel.default_level_parent", false);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("image.cache.size", 5242880);
c:\program files\mozilla firefox 3.1 beta 2\greprefs\all.js - pref("image.cache.timeweight", 500);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.search.sources", 3);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.history", "^");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.tag", "+");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.match.title", "#");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.urlbar.match.url", "@");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.search.cache.enabled", true);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ctrlTab.previews", true);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ctrlTab.recentlyUsedLimit", 7);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("privacy.sanitize.timeSpan", 0);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.swipe.left", "Browser:BackOrBackDuplicate");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.swipe.right", "Browser:ForwardOrForwardDuplicate");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.swipe.up", "cmd_scrollTop");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.swipe.down", "cmd_scrollBottom");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.pinch.out", "cmd_fullZoomEnlarge");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.pinch.in", "cmd_fullZoomReduce");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.pinch.out.shift", "cmd_fullZoomReset");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.pinch.in.shift", "cmd_fullZoomReset");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.twist.right", "Browser:NextTab");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.gesture.twist.left", "Browser:PrevTab");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox 3.1 beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-05 15:44 <DIR> --d----- c:\program files\Trend Micro
2009-01-03 19:59 <DIR> --d----- c:\docume~1\owner\applic~1\SolidWorksExplorer
2009-01-03 05:21 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Speedbit
2009-01-03 05:21 <DIR> --d----- c:\program files\SpeedBit Video Accelerator
2009-01-03 03:15 695,578 a------- c:\windows\system32\unins000.exe
2009-01-03 03:15 65,536 a------- c:\windows\system32\camcodec.dll
2009-01-03 03:15 2,247 a------- c:\windows\system32\unins000.dat
2009-01-03 03:15 1,078 a------- c:\windows\system32\camcodec.ico
2009-01-02 19:54 <DIR> --d----- c:\docume~1\owner\applic~1\wacomid-desktop-launcher.DCFD4B89A63EE70BC162777F06D4B93B6397AEC7.1
2009-01-02 19:52 <DIR> --d----- c:\program files\Bamboo Dock
2008-12-31 20:27 129,784 -------- c:\windows\system32\pxafs.dll
2008-12-31 20:27 9,464 -------- c:\windows\system32\drivers\cdralw2k.sys
2008-12-31 20:27 9,336 -------- c:\windows\system32\drivers\cdr4_xp.sys
2008-12-31 16:49 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-30 16:07 <DIR> --d----- C:\spoolerlogs
2008-12-30 03:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATopSoft
2008-12-29 23:15 <DIR> --d----- c:\docume~1\owner\applic~1\FrostWire
2008-12-29 23:15 <DIR> --d----- c:\program files\FrostWire
2008-12-29 23:01 <DIR> --d----- c:\program files\Microsoft Virtual PC
2008-12-27 17:14 <DIR> --d----- c:\program files\Mozilla Firefox 3.1 Beta 2
2008-12-27 17:08 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE
2008-12-27 16:57 <DIR> -cd-h--- c:\windows\ie8
2008-12-26 21:42 <DIR> --d----- c:\program files\CamStudio
2008-12-25 11:27 <DIR> --d----- c:\docume~1\owner\applic~1\Ambient Design
2008-12-25 11:25 <DIR> --d----- c:\program files\Ambient Design
2008-12-25 11:07 <DIR> --d----- c:\docume~1\owner\applic~1\Bamboo Scribe
2008-12-25 11:01 <DIR> --d----- c:\program files\Bamboo Scribe 2.6
2008-12-25 10:59 <DIR> --d----- c:\program files\Wacom
2008-12-25 10:58 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2008-12-25 10:52 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-25 10:51 14,048 -------- c:\windows\system32\spmsg2.dll
2008-12-25 10:49 319 a------- c:\windows\system32\pentabletdefaults.xml
2008-12-25 09:51 <DIR> --d----- c:\docume~1\owner\applic~1\WTablet
2008-12-25 09:50 1,532,082 -------- c:\windows\system32\PenTablet.znc
2008-12-25 09:50 3,708,200 -------- c:\windows\system32\PenTablet.cpl
2008-12-25 09:50 11,440 a------- c:\windows\system32\drivers\WacomVKHid.sys
2008-12-25 09:50 13,480 a------- c:\windows\system32\drivers\wacomvhid.sys
2008-12-25 09:50 11,312 a------- c:\windows\system32\drivers\wacommousefilter.sys
2008-12-25 09:50 15,144 a------- c:\windows\system32\drivers\wacmoumonitor.sys
2008-12-25 09:50 <DIR> --d----- c:\windows\system32\WTablet
2008-12-25 09:50 181,544 -------- c:\windows\system32\Wintab32.dll
2008-12-25 09:50 128,296 -------- c:\windows\system32\Pen_Tablet.dll
2008-12-25 09:50 3,032,360 -------- c:\windows\system32\Pen_Tablet.exe
2008-12-25 09:50 <DIR> --d----- c:\program files\Tablet
2008-12-21 15:13 268 a---h--- C:\sqmdata08.sqm
2008-12-21 15:13 244 a---h--- C:\sqmnoopt08.sqm
2008-12-20 18:02 <DIR> --dshr-- C:\resycled
2008-12-20 18:02 255 ---shr-- C:\autorun.inf
2008-12-19 23:30 81,920 a------- c:\windows\system32\frapsvid.dll
2008-12-16 20:33 495,104 a------- c:\windows\Not so deep.exe
2008-12-16 20:33 161,078 a------- c:\windows\Not so deep.bmp
2008-12-16 20:33 23,558 a------- c:\windows\Not so deep.ico
2008-12-16 20:33 666 a------- c:\windows\Not so deep.c3
2008-12-16 20:33 666 a------- c:\windows\Not so deep.c1
2008-12-16 20:33 639 a------- c:\windows\Not so deep.c4
2008-12-16 20:33 0 a------- c:\windows\Not so deep.ini
2008-12-16 20:33 1,863,673 a------- c:\windows\Not so deep.swf
2008-12-16 20:33 903,168 a------- c:\windows\Not so deep.scr
2008-12-16 20:33 <DIR> --d----- c:\windows\Not so deep Uninstaller
2008-12-16 20:31 903,680 a------- c:\windows\Pulsing Orb.scr
2008-12-16 20:31 610,162 a------- c:\windows\Pulsing Orb.swf
2008-12-16 20:31 495,104 a------- c:\windows\Pulsing Orb.exe
2008-12-16 20:31 270,398 a------- c:\windows\Pulsing Orb.ico
2008-12-16 20:31 161,078 a------- c:\windows\Pulsing Orb.bmp
2008-12-16 20:31 676 a------- c:\windows\Pulsing Orb.c3
2008-12-16 20:31 676 a------- c:\windows\Pulsing Orb.c1
2008-12-16 20:31 639 a------- c:\windows\Pulsing Orb.c4
2008-12-16 20:31 0 a------- c:\windows\Pulsing Orb.ini
2008-12-16 20:31 <DIR> --d----- c:\windows\Pulsing Orb Uninstaller
2008-12-14 23:05 <DIR> --d----- c:\program files\Photosynth
2008-12-07 20:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ThumbnailCache4R
2008-12-07 20:10 <DIR> --d----- c:\program files\Lexmark Toolbar
2008-12-07 19:43 <DIR> --d-h--- c:\windows\system32\GroupPolicy

==================== Find3M ====================

2009-01-04 18:51 55,974 a------- c:\program files\SolidWorksswxJRNL.BAK
2008-12-26 20:40 5,186,080 a--sh--- c:\windows\system32\drivers\fidbox.dat
2008-12-26 20:40 778,272 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2008-12-26 20:40 41,596 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-26 20:40 3,740 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2008-12-04 19:54 524,288 a------- c:\windows\opuc.dll
2008-11-25 22:38 410,976 a------- c:\windows\system32\deploytk.dll
2008-11-21 21:47 524,288 a------- c:\windows\system32\DivXsm.exe
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:47 120,056 -------- c:\windows\system32\pxcpyi64.exe
2008-11-21 21:47 118,520 -------- c:\windows\system32\pxinsi64.exe
2008-11-21 21:47 43,528 -------- c:\windows\system32\drivers\pxhelp20.sys
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:44 161,096 a------- c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 21:44 12,288 a------- c:\windows\system32\DivXWMPExtType.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-09-28 18:52 43,520 a------- c:\documents and settings\owner\Project1.exe

============= FINISH: 19:39:29.53 ===============


Attachment: Attach.txt (10.39KB)

Edited by LoneIWolf, 05 January 2009 - 02:44 PM.


#2 suebaby41


    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 20 January 2009 - 08:11 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Please post the contents of log.txt.
Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.

Edited by suebaby41, 23 January 2009 - 03:18 AM.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 LoneIWolf

  • Topic Starter

  • Members
  • 4 posts

Posted 22 January 2009 - 12:41 PM

I ended up working out how to remove the virus myself, and have cleaned all my backups of it. Thank you for replying anyway.
It ended up that I had to prevent the computer from looking inside the drives when I start up the computer, used the command prompt to remove all properties from the file which may prevent it being deleted, then deleted it using the command prompt.
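The two logs in this thread show the removable-drive autorun pattern the poster is describing: a hidden/system/read-only `C:\autorun.inf` and a hidden+system `C:\resycled` folder created in the same minute. The script below is an added triage example, not part of the original post or of DDS itself: it parses the DDS "Created Last 30" line format as seen in the log above and flags that pattern. The line format, the rules and the allowlist of benign hidden+system root folders are assumptions made here.

```python
"""Triage a DDS "Created Last 30" listing for the removable-drive autorun pattern.

Added example, not part of the original post or of DDS. The line format is
inferred from the log quoted in the thread; the detection rules and the
allowlist of benign root folders are assumptions made here.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# timestamp, size or <DIR>, 8-char attribute field (a=archive, c=compressed,
# d=directory, s=system, h=hidden, r=read-only), then the path.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[acdshr-]{8})\s+(?P<path>.+)$"
)
# A path directly under a drive root, e.g. C:\autorun.inf or C:\resycled
DRIVE_ROOT_RE = re.compile(r"^[a-z]:\\[^\\]+$", re.IGNORECASE)

# Hidden+system folders that legitimately live at a Windows XP drive root
# (assumed allowlist; "resycled" from the log is a look-alike, not on it).
BENIGN_ROOT_DIRS = {"system volume information", "recycler", "recycled"}


@dataclass
class Entry:
    date: str
    time: str
    is_dir: bool
    attrs: str
    path: str


def parse_dds_created(text: str) -> list[Entry]:
    """Parse listing lines; section headers and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["date"], m["time"], m["size"] == "<DIR>",
                                 m["attrs"], m["path"]))
    return entries


def flag_autorun_pattern(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for drive-root autorun indicators.

    Signals: an autorun.inf at a drive root (noting system/hidden/read-only
    bits, which is what made manual deletion fail for the poster), a
    hidden+system root folder not on the allowlist, and a correlation note
    when such items were created in the same minute, i.e. dropped together.
    """
    findings = []
    by_minute: dict[tuple[str, str], list[str]] = defaultdict(list)
    for e in entries:
        if not DRIVE_ROOT_RE.match(e.path):
            continue
        name = e.path.split("\\")[-1].lower()
        hidden_sys = "s" in e.attrs and "h" in e.attrs
        if name == "autorun.inf" and not e.is_dir:
            bits = " with system/hidden/read-only bits" if hidden_sys and "r" in e.attrs else ""
            findings.append((e.path, "autorun.inf at drive root" + bits))
            by_minute[(e.date, e.time)].append(e.path)
        elif e.is_dir and hidden_sys and name not in BENIGN_ROOT_DIRS:
            findings.append((e.path, "hidden+system folder at drive root"))
            by_minute[(e.date, e.time)].append(e.path)
    for (date, time), paths in by_minute.items():
        if len(paths) > 1:
            findings.append((", ".join(paths), f"created together at {date} {time}"))
    return findings


# Constructed sample: a subset of the "Created Last 30" lines quoted in the thread.
SAMPLE_LOG = r"""
============== Created Last 30 ================

2009-01-05 15:44 <DIR> --d----- c:\program files\Trend Micro
2008-12-27 16:57 <DIR> -cd-h--- c:\windows\ie8
2008-12-21 15:13 268 a---h--- C:\sqmdata08.sqm
2008-12-20 18:02 <DIR> --dshr-- C:\resycled
2008-12-20 18:02 255 ---shr-- C:\autorun.inf
2008-12-16 20:33 495,104 a------- c:\windows\Not so deep.exe
"""

if __name__ == "__main__":
    for path, reason in flag_autorun_pattern(parse_dds_created(SAMPLE_LOG)):
        print(f"{reason}: {path}")
```

Benign hidden files at the root (the `sqmdata08.sqm` telemetry file) and hidden folders elsewhere (`c:\windows\ie8`) are deliberately not flagged, so the output is only the two dropped items and their shared creation minute.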

#4 suebaby41


    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • Gender:Female
  • Location:South Carolina, USA

Posted 23 January 2009 - 03:19 AM

I am glad you were able to resolve your computer problem. Thank you for letting me know.

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.