
Windows XP virus/trojan/worm/spyware?


  • This topic is locked
5 replies to this topic

#1 jhill1229

  • Members
  • 3 posts

Posted 03 February 2009 - 01:39 PM

I am helping a work associate with his computer. His laptop is a Dell Vostro 1000 using Windows XP/SP2. The primary problem started out as an infection of System Guard 2009. I have run his Avast Anti-virus, Spybot, SpywareBlaster, Windows Defender, and Avast Virus Cleaner. These all find and report to fix problems but they reappear on restart. I have tried to run Trend Micro Housecall, but it will not complete. Neither will Ewido online scan. At this point, I don't know what else to do except post a HJT log. May I do so here? I also ran a DDS scan per your instructions.


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Administrator at 12:30:49.14 on Tue 02/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.584 [GMT -6:00]

AV: avast! antivirus 4.8.1296 [VPS 090202-1] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
svchost.exe c:\windows\temp\vrt1.tmp
svchost.exe c:\windows\temp\vrt6.tmp
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ctfmon.exe
C:\WINDOWS\system32\frmwrk32.exe
svchost.exe c:\windows\temp\vrt9.tmp
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe c:\windows\temp\vrtc.tmp
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\Explorer.EXE
c:\documents and settings\administrator\desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Reader Link Helper: {b782ede4-ccb3-4e3e-981f-96c68116f38c} - c:\windows\system32\AcroIEHelpe.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [Framework Windows] frmwrk32.exe
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
dRun: [services] align="middle">
mExplorerRun: [services] align="middle">
dExplorerRun: [services] align="middle">
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/F/D/9/FD9E437D-5BC8-4264-A093-DFA2C39D197E/LegitCheckControl.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.gamehouse.com/games/GoBitGamesPlayer.cab
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://www.gamehouse.com/games/zylom/zylomplayer.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ljJBrppQ

============= SERVICES / DRIVERS ===============

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-2-1 111184]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-2-1 20560]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-2-1 155160]
S2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service --> c:\windows\system32\lxczcoms.exe -service [?]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-2-1 254040]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-2-1 352920]
S3 protect;protect;c:\windows\system32\drivers\protect.sys [2009-2-2 18944]

=============== Created Last 30 ================

2009-02-03 12:25 1,347 a------- c:\windows\system32\ahtn.htm
2009-02-03 12:25 4,785 a------- c:\windows\system32\warning.gif
2009-02-03 12:25 142,848 a------- c:\windows\system32\ntdll64.exe
2009-02-03 12:25 1 a------- c:\windows\system32\uniq.tll
2009-02-03 12:25 43,520 a------- c:\windows\system32\frmwrk32.exe
2009-02-02 21:47 37,376 a------- c:\windows\services.exe
2009-02-02 21:47 80 a------- c:\windows\file.bat
2009-02-02 21:47 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-02-02 21:47 64,512 a------- c:\windows\system32\idaw64.exe
2009-02-02 21:47 61,440 a------- c:\windows\system32\3.tmp
2009-02-02 21:38 80,160 a------- c:\windows\system32\AcroIEHelpe.dll
2009-02-02 21:14 161,280 a------- c:\program files\vcleaner.exe
2009-02-02 21:12 5 a------- c:\windows\_id.dat
2009-02-02 21:12 124 a------- c:\windows\adobe.bat
2009-02-02 21:11 64,512 a------- c:\windows\system32\pdbcopy.exe
2009-02-02 13:30 136 a------- c:\windows\system32\srvblck.tmp
2009-02-02 13:30 <DIR> --d----- c:\windows\system32\dtw5d
2009-02-02 13:30 <DIR> --d----- c:\windows\system32\cks
2009-02-02 13:28 <DIR> --d----- c:\windows\system32\UAs
2009-02-02 12:50 997,888 ac------ c:\windows\system32\dllcache\kernel32.dll
2009-02-02 12:50 21,504 ac------ c:\windows\system32\dllcache\powrprof.dll
2009-02-02 12:50 997,888 a------- c:\windows\system32\nwklr.ini
2009-02-02 12:50 989,696 a------- c:\windows\system32\korlg.ini
2009-02-02 12:50 850,944 a------- c:\windows\system32\nwwlnt.ini
2009-02-02 12:50 826,368 a------- c:\windows\system32\worlg.ini
2009-02-02 12:50 21,504 a------- c:\windows\system32\nwpp.ini
2009-02-02 12:50 17,408 a------- c:\windows\system32\pporlg.ini
2009-02-02 12:50 21,568 a------- c:\windows\system32\ldshyr.old
2009-02-02 11:21 23,510,720 a------- c:\program files\dotnetfx.exe
2009-02-02 08:50 <DIR> --d----- c:\program files\StartupTracker3
2009-02-02 08:50 40,094 a------- c:\program files\StartupTracker3.zip
2009-02-02 00:23 <DIR> --d----- c:\windows\SxsCaPendDel
2009-02-01 22:22 30,363,016 a------- c:\program files\setupeng.exe
2009-01-31 15:43 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-01-31 15:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-31 15:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-31 15:43 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-31 15:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-31 15:42 2,737,800 a------- c:\program files\mbam-setup.exe
2009-01-31 15:12 134,144 a------- c:\windows\ilimagabobi.dll
2009-01-31 14:39 <DIR> --d----- c:\program files\Trend Micro
2009-01-31 12:37 0 a------- c:\windows\mqcd.dbt
2009-01-31 12:36 40,448 a------- C:\wgqjqf.exe
2009-01-31 12:36 103,424 a------- C:\nwurjr.exe
2009-01-31 12:36 32,768 a------- c:\windows\system32\rer.wa
2009-01-31 12:36 28,672 a------- c:\windows\system32\do8d.sr
2009-01-31 12:36 32,768 a------- c:\windows\system32\qzhr1.ant
2009-01-31 12:36 28,672 a------- c:\windows\system32\dedwf.lp
2009-01-31 12:36 77,312 a------- c:\windows\system32\re3d.pf
2009-01-31 12:36 2 a------- C:\-1262226730
2009-01-31 12:36 111,104 a------- c:\windows\system32\azton.mt
2009-01-31 12:36 132,608 a------- C:\mruvkcm.exe
2009-01-31 12:22 <DIR> --d----- c:\documents and settings\administrator\.housecall6.6
2009-01-31 12:19 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-31 11:27 <DIR> --d----- c:\documents and settings\Administrator
2009-01-31 09:16 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-31 09:16 142,848 ac------ c:\windows\system32\dllcache\userinit.exe
2009-01-31 09:15 1 a------- c:\windows\system32\test.ttt
2009-01-31 09:15 43,520 a------- c:\windows\system32\998.exe
2009-01-30 12:37 120 a--sh--- c:\windows\system32\sirvcclu.ini
2009-01-29 12:32 120 a--sh--- c:\windows\system32\hdsidmmh.ini
2009-01-29 09:49 120 a--sh--- c:\windows\system32\ecjycqkg.ini
2009-01-28 09:47 120 a--sh--- c:\windows\system32\pphfjrlh.ini
2009-01-27 09:10 4 a------- c:\windows\hxdxibsz
2009-01-27 09:05 269 a------- c:\windows\wininit.ini
2009-01-27 08:26 62,976 a------- c:\windows\system32\chert5-998.exe
2009-01-27 02:00 120 a--sh--- c:\windows\system32\kfqhopqy.ini
2009-01-27 01:59 304,640 a------- c:\windows\system32\ljJBrppQ.dll.vir
2009-01-09 14:52 2,869,536 a------- c:\program files\spywareblastersetup41.exe

==================== Find3M ====================

2009-02-02 13:21 5,154,304 a------- c:\program files\WindowsDefender.msi
2009-02-02 12:50 850,944 a------- c:\windows\system32\wininet.dll
2009-02-02 12:50 21,504 a------- c:\windows\system32\powrprof.dll
2009-01-31 12:36 578,560 a------- c:\windows\system32\user32.DLL
2009-01-31 09:16 142,848 a------- c:\windows\system32\userinit.exe
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-05-18 21:12 690,344 a------- c:\program files\ccsetup206_slim.exe
2008-04-11 09:01 14,781 a------- c:\program files\aframe clt.pdf
2008-04-08 10:03 450,114 a------- c:\program files\RegSeeker.zip
2008-04-08 09:33 9,722,720 a------- c:\program files\spybotsd152.exe
2008-03-04 12:26 23,454,528 a------- c:\program files\AdbeRdr812_en_US.exe
2008-05-17 11:42 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051720080518\index.dat

============= FINISH: 12:31:08.17 ===============


#2 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 03 February 2009 - 02:53 PM

Hello jhill1229,

Since this is a company computer it would be best to have your IT department handle this. We don't want to go against any policies that might be in place, and it's what they get paid to do. We don't as volunteers.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 jhill1229
  • Topic Starter

  • Members
  • 3 posts

Posted 03 February 2009 - 05:20 PM

Let me clarify that this is a work associate's personal laptop. He knows that I am able to make my way through most computer repairs and fixes, so he has asked for my help many times. I volunteer my time doing this because he is a friend, and I enjoy working on this type of thing. This time though, I'm stuck. Any help is much appreciated.

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 February 2009 - 08:55 AM

Hello,

Thank you for clarifying. :)

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Please disable any protection programs you might have running. They tend not to like some of the necessary files included in ComboFix. :thumbup2:

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks,
tea

#5 jhill1229
  • Topic Starter

  • Members
  • 3 posts

Posted 05 February 2009 - 12:05 PM

Hello Tea,

Thank you for the reply and advice. I decided to try a clean repair/install first. I will come back to the ComboFix and posting if that doesn't take care of the problem.

Kind regards.

#6 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 05 February 2009 - 12:07 PM

Since this issue appears resolved ... this Topic is closed.



If you need help in the future, please begin a New Topic.