Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Suspected trojan


  • This topic is locked This topic is locked
7 replies to this topic

#1 margiemorgan

margiemorgan

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 11 January 2009 - 04:40 PM

Running Vista and internet connection has become very slow to load. I am getting no pop-ups and my internet pages do not get hijacked. I ran Spybot and it gave a warning that I had a trojan but I accidentally told it to ignore. Now I can't find it anywhere. Tried installing and uninstalling Spybot but trojan still does not show up. Downloaded Avira and it found lots of suspected files which I deleted. Before that I was using AVG and it caught nothing. I removed it and now am going with Avira.

Please tell me what I need to delete if anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:28:39 PM, on 1/11/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Windows\System32\jureg.exe
C:\Windows\system32\schtasks.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
C:\Windows\ehome\ehmsas.exe
l:\Margie's Stuff\HiJackThis.exe
C:\hp\kbd\kbd.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [SunJavaUpdateReg] "C:\Windows\system32\jureg.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [PCDrProfiler] C:\Program Files\PC-Doctor 5 for Windows\RunProfiler.exe -r
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Snapfish Media Detector.lnk = C:\Program Files\Snapfish Picture Mover\SnapfishMediaDetector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://warren-yazoo.net/XTSAC.cab
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9241 bytes

BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:19 AM

Posted 22 January 2009 - 05:22 PM

Hello Margiemorgan,

Please do a scan with Kaspersky Online Scanner

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please read [url="http://"http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]this tutorial[/url] carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Please post back with the Kaspersky report and the ComboFix log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 margiemorgan

margiemorgan
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 26 January 2009 - 04:02 PM

Will do. Thanks.

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:19 AM

Posted 26 January 2009 - 05:03 PM

Hello Margiemorgan,

Please don't forget to post both logs in your reply,
so I can check if any further steps are needed. :thumbsup:

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 margiemorgan

margiemorgan
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 27 January 2009 - 10:43 PM

Combo log:

ComboFix 09-01-21.04 - Margie 2009-01-27 21:28:02.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1029 [GMT -6:00]
Running from: c:\users\Margie\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-27 21:09 . 2009-01-27 21:22 <DIR> d-------- c:\program files\combo fix
2009-01-27 21:00 . 2009-01-27 21:00 <DIR> d-------- c:\users\All Users\WinZip
2009-01-27 21:00 . 2009-01-27 21:00 <DIR> d-------- c:\programdata\WinZip
2009-01-26 17:31 . 2009-01-26 17:31 237,568 --a------ c:\windows\System32\rmc_rtspdl.dll
2009-01-26 17:31 . 2009-01-26 17:31 156,672 --a------ c:\windows\System32\rmc_fixasf.exe
2009-01-26 17:30 . 2009-01-26 17:30 323,584 --a------ c:\windows\System32\AUDIOGENIE2.DLL
2009-01-26 17:27 . 2009-01-26 17:27 <DIR> d-------- c:\windows\Replay Media Catcher
2009-01-26 17:27 . 2009-01-26 17:31 <DIR> d-------- c:\program files\Replay Media Catcher
2009-01-13 18:53 . 2008-12-15 20:42 288,768 --a------ c:\windows\System32\drivers\srv.sys
2009-01-11 10:42 . 2009-01-11 10:42 <DIR> d-------- c:\users\All Users\Avira
2009-01-11 10:42 . 2009-01-11 10:42 <DIR> d-------- c:\programdata\Avira
2009-01-11 10:42 . 2009-01-11 10:42 <DIR> d-------- c:\program files\Avira
2009-01-10 21:23 . 2009-01-25 18:21 <DIR> d-------- c:\users\Lindsey\AppData\Roaming\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 08:29 --------- d-----w c:\programdata\Google Updater
2009-01-26 01:11 --------- d---a-w c:\programdata\TEMP
2009-01-23 01:09 --------- d-----w c:\users\Lindsey\AppData\Roaming\LimeWire
2009-01-18 09:02 --------- d-----w c:\program files\Windows Mail
2009-01-16 00:31 --------- d-----w c:\program files\Google
2009-01-12 19:21 --------- d-----w c:\programdata\Spybot - Search & Destroy
2009-01-11 21:04 --------- d-----w c:\programdata\avg8
2009-01-11 16:03 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-28 00:46 --------- d-----w c:\programdata\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-28 00:46 --------- d-----w c:\program files\iTunes
2008-11-28 00:46 --------- d-----w c:\program files\iPod
2008-11-28 00:46 --------- d-----w c:\program files\Common Files\Apple
2008-11-28 00:45 --------- d-----w c:\program files\Bonjour
2008-11-28 00:44 --------- d-----w c:\program files\QuickTime
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-09-25 01:14 122,128 ----a-w c:\users\Lindsey\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-09-23 11:07 174 --sha-w c:\program files\desktop.ini
2008-05-02 00:50 59,782,440 ----a-w c:\users\Lindsey\iTunesSetup.exe
2008-04-18 01:30 12,708,096 ----a-w c:\users\Lindsey\MediaJukebox12.exe
2008-04-18 00:31 4,506,256 ----a-w c:\users\Lindsey\LimeWireWin(4).exe
2008-04-18 00:30 4,506,256 ----a-w c:\users\Lindsey\LimeWireWin(3).exe
2008-04-18 00:23 4,506,256 ----a-w c:\users\Lindsey\LimeWireWin(2).exe
2008-02-19 01:41 2,924,848 ----a-w c:\users\Lindsey\LimeWireWin-full.exe
2008-02-19 01:15 4,506,256 ----a-w c:\users\Lindsey\LimeWireWin.exe
2008-02-07 00:05 122,128 ----a-w c:\users\Chris\AppData\Roaming\GDIPFONTCACHEV1.DAT
2008-01-30 14:01 552,504 ----a-w c:\users\Chris\Blackglass.exe
2008-01-23 00:57 122,128 ----a-w c:\users\Margie\AppData\Roaming\GDIPFONTCACHEV1.DAT
2007-12-13 00:57 3,381,280 ----a-w c:\users\Margie\LimeWireWin.exe
2007-11-29 20:20 318,904 ----a-w c:\users\Chris\wmpfirefoxplugin(4).exe
2007-11-29 20:19 318,904 ----a-w c:\users\Chris\wmpfirefoxplugin(3).exe
2007-11-29 20:19 318,904 ----a-w c:\users\Chris\wmpfirefoxplugin(2).exe
2007-11-27 23:58 318,904 ----a-w c:\users\Chris\wmpfirefoxplugin.exe
2007-11-26 22:24 3,380,048 ----a-w c:\users\Chris\LimeWireWin.exe
2007-11-13 00:52 265,776 ----a-w c:\users\Lindsey\BlubsterSetup.exe
2007-11-02 01:21 178 ----a-w c:\users\Chris\AppData\Roaming\wklnhst.dat
2007-10-23 19:37 128,352 ----a-w c:\users\Margie\Download_dvdripper102at.exe
2007-10-23 19:00 13,780,488 ----a-w c:\users\Margie\RealPlayer11BETA.exe
2008-11-28 00:40 67,696 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-11-28 00:40 54,376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-11-28 00:40 34,952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-11-28 00:40 46,720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-11-28 00:40 172,144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-03-09 07:12 27,648 --sha-w c:\windows\System32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-20 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\hp\KBD\KbdStub.EXE" [2006-12-08 65536]
"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2007-02-15 118784]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-05-24 71176]
"SunJavaUpdateReg"="c:\windows\system32\jureg.exe" [2008-02-22 54672]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-11 185896]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-22 13539872]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-22 92704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RtHDVCpl"="RtHDVCpl.exe" [2008-01-15 c:\windows\RtHDVCpl.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"PCDrProfiler"="c:\program files\PC-Doctor 5 for Windows\RunProfiler.exe" [2007-04-05 73728]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-04-03 44168]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Snapfish Media Detector.lnk - c:\program files\Snapfish Picture Mover\SnapfishMediaDetector.exe [2007-05-07 1273856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= c:\progra~1\REPLAY~2\iac25_32.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{34EFA22E-1FE7-4CD5-ABF3-84E9ADD472FE}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{AD875C0A-C29F-44DB-BF0B-8B6C7E1516BF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{41CBD1FD-7DAB-44D4-B7D2-D1B491918AF0}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{7F4AAE13-EBD9-4C83-9F05-00B91941B363}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{2ACD9B2B-E487-4C93-BA99-209C363D634B}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{D0B87599-1B3B-4F1D-948F-827A9C4DD8BF}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{C795BB72-E418-40DE-BBDD-87BC6F95DB0E}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{51499A15-AB29-4E98-A1FA-935070A37557}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{53A54353-331E-4B9F-808A-4B26C35817E9}"= UDP:c:\users\Margie\limewire\LimeWire.exe:LimeWire
"{DC8FBA95-6C6F-450F-948C-7E3A2D9D07E7}"= TCP:c:\users\Margie\limewire\LimeWire.exe:LimeWire
"{65D184F7-AE8F-4168-9D4E-F61DF53FB676}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{83249064-9CB4-4A46-838B-F52310D50D7D}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{F1D18EE2-DFA1-4FE2-B9EE-DE1D4B9BCDA6}"= UDP:k:\lindsey's stuff\LimeWire\LimeWire.exe:LimeWire
"{48782644-084D-4DE4-9081-DEABBF219814}"= TCP:k:\lindsey's stuff\LimeWire\LimeWire.exe:LimeWire
"{280D62D1-38A1-4533-8F27-B0E4732BCA5F}"= UDP:k:\limewire\LimeWire.exe:LimeWire
"{CFAD9997-A58F-4387-8536-1C6E02D22CED}"= TCP:k:\limewire\LimeWire.exe:LimeWire
"{8CBD5166-AB93-4160-BE20-43D6FEBD5A8E}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"{754AB971-AA28-4183-8BC2-4D318B578371}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{8A69049C-8E90-4E4D-998E-70B4646958C2}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{2EFCDF80-F9C8-44C6-8720-A4930EE4BE26}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{E32E34A2-4724-4B0D-BF5C-84E09305E2CA}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{0B956637-DD8E-4A6C-8D6E-5C932A6659B0}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{3B5B549D-9BA5-4049-8F54-E2DAA33F536F}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{32DFC0D3-1516-4124-BFED-BADA0F84A8E4}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{475E9AFE-0778-4588-913E-54E6A9430CD8}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7585DD53-BA83-40F9-9B10-6EFCE933B623}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DisableNotifications"= 1 (0x1)

R3 netr73;Linksys Compact Wireless-G USB Adapter Driver for Vista;c:\windows\System32\drivers\WUSB54GCx86.sys [2008-04-26 256000]
R4 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-11 809296]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [2007-01-25 42000]
S3 RS1000;RS1000.SYS RS-1000 device driver;c:\windows\System32\drivers\RS1000.sys [2007-12-10 25628]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\shell\AutoRun\command - J:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d97ae1a-7e92-11dc-b9c3-001bb98c59a8}]
\shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-28 c:\windows\Tasks\HPCeeScheduleForLindsey.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-17 17:55]

2008-12-30 c:\windows\Tasks\HPCeeScheduleForMargie.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-05-17 17:55]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} - hxxps://warren-yazoo.net/XTSAC.cab
FF - ProfilePath - c:\users\Margie\AppData\Roaming\Mozilla\Firefox\Profiles\875ou4i4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.allow_platform_file_picker", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.hideGoButton", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("signon.prefillForms", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.remoteLookups", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.updateURL", "http://sb.google.com/safebrowsing/update?client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.lookupURL", "http://sb.google.com/safebrowsing/lookup?sourceid=firefox-antiphish&features=TrustRank&client={moz:client}&appver={moz:version}&");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.safebrowsing.provider.0.reportURL", "http://sb.google.com/safebrowsing/report?");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 21:29:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-27 21:32:09
ComboFix-quarantined-files.txt 2009-01-28 03:32:06

Pre-Run: 268,485,304,320 bytes free
Post-Run: 268,790,784,000 bytes free

202 --- E O F --- 2009-01-26 16:00:17




KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 27, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, January 28, 2009 00:52:15
Records in database: 1714226
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
L:\

Scan statistics:
Files scanned: 5902
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:08:26


File name / Threat name / Threats count
L:\gotta be somebody - greatest hits.wma Infected: Trojan-Downloader.WMA.Wimad.n 1

The selected area was scanned.

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:19 AM

Posted 28 January 2009 - 04:44 AM

Hello Margiemorgan,

Your log looks quite good now. :thumbsup:

Navigate, using Windows Explorer, to and delete the following folders and files if still present:L:\gotta be somebody - greatest hits.wma <== file
If you're having problems removing a file/folder, reboot your Computer once again and try to remove it after reboot.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 margiemorgan

margiemorgan
  • Topic Starter

  • Members
  • 95 posts
  • OFFLINE
  •  
  • Local time:12:19 AM

Posted 28 January 2009 - 09:29 PM

No problems deleting file. I knew there was something hiding but I did not know about using Kaspersky to find it.

Thanks for all your help!

Margie

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:06:19 AM

Posted 29 January 2009 - 06:10 AM

Glad wec ould help, Margie :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users