
Infected with PWS.OnlineGames...


1 reply to this topic

#1 ThorwaldOdinkor

ThorwaldOdinkor

  • Members
  • 3 posts
  • OFFLINE
  • Local time:02:36 AM

Posted 11 February 2009 - 12:00 AM

Well, a while ago (coincidentally around the time I got my new flash drive, so I figured it was just something with the drive), my virus scanner (AVG Free Edition) began picking up signs of an infection at a location "C:/autorun.inf", and later "D:/autorun.inf" (my D: drive is the partition with my Windows XP installation, SP2, the other is just for extra storage). I didn't make much note of it.

Recently, my World of Warcraft account has been getting suspensions for "potentially unauthorized access" and things like that, which didn't worry me much until once, after regaining access, I found most of my character's items to be gone. I ran Ad-Aware, Spybot and AVG a number of times, and apparently whatever infection was gone, so I assumed the threat was gone. However, the suspensions have since continued and for the time being, it's permanent. Obviously I want to prevent this in the future, so I want to get rid of this without reformatting my hard drive.

I'm not sure what it does, exactly, I just know that every once in a while my AVG tells me it's detected the infection when accessing a certain file. Asking it to "Heal" the infection apparently does nothing; it will tell me the infection has been healed, and then immediately another, identical warning will pop up. This will occur a few times and then stop.

If it's of any help, I have a dual-boot Ubuntu/XP setup, if the infection could be more easily removed from Ubuntu.

DDS log here:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Stephen at 23:47:42.79 on Tue 02/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.750 [GMT -5:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
D:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
D:\PROGRA~1\Grisoft\AVG7\avgemc.exe
D:\Program Files\Bonjour\mDNSResponder.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
D:\WINDOWS\system32\svchost.exe -k imgsvc
D:\Program Files\Viewpoint\Common\ViewpointService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\PROGRA~1\Grisoft\AVG7\avgcc.exe
D:\WINDOWS\SOUNDMAN.EXE
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\program files\steam\steam.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Pidgin\pidgin.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\OpenOffice.org 2.4\program\soffice.exe
D:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
D:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
D:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
D:\Program Files\Skype\Plugin Manager\skypePM.exe
D:\Program Files\VentriloMix\data\Programs\Ventrilo 3.0.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
D:\Program Files\VentriloMix\data\Programs\Ventrilo 3.0.exe
D:\Program Files\Winamp\winamp.exe
D:\Program Files\Last.fm\LastFM.exe
D:\Documents and Settings\Stephen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - d:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - d:\program files\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - d:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - d:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - d:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IEHlprObj Class: {ce7c3cf0-4b15-11d1-abed-709549c10000} - d:\windows\system32\hgkjghg0.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - d:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - d:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: IEHlprObj Class: {f171a450-7af5-43e1-afed-edc826a1b0f5} - d:\windows\system32\bgotrtu0.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - d:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: &Ticketmaster Insider Toolbar: {fedc2a0f-9ed3-49b8-9aa4-ba7baabe3e8f} - d:\program files\ticketmaster toolbar\etp.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - d:\program files\winamp toolbar\winamptb.dll
TB: DAEMON Tools Toolbar: {32099aac-c132-4136-9e9a-4e364a424e17} - d:\program files\daemon tools toolbar\DTToolbar.dll
uRun: [Skype] "d:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [Steam] "d:\program files\steam\steam.exe" -silent
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [DAEMON Tools Lite] "d:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [kvasoft] d:\windows\system32\kva8wr.exe
uRun: [Pidgin] d:\program files\pidgin\pidgin.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [AVG7_CC] d:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [amd_dc_opt] d:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [LogitechQuickCamRibbon] "d:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [AppleSyncNotifier] d:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "d:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "d:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "d:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "d:\program files\itunes\iTunesHelper.exe"
mRun: [ArcSoft Connection Service] d:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [AtiPTA] atiptaxx.exe
mRun: [ZoneAlarm Client] "d:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [AVG7_Run] d:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: d:\docume~1\stephen\startm~1\programs\startup\openof~1.lnk - d:\program files\openoffice.org 2.4\program\quickstart.exe
StartupFolder: d:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - d:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
IE: &Winamp Search - d:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - d:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - d:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - d:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
DPF: {040F4385-8DAD-4306-94BF-B8291D841FAE} - hxxp://www.nintendo.com/consumer/systems/wii/en_na/usbaptest.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - d:\program files\yahoo!\common\Yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - d:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - d:\windows\system32\wpdshserviceobj.dll

================= FIREFOX ===================

FF - ProfilePath - d:\docume~1\stephen\applic~1\mozilla\firefox\profiles\0cefioau.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/home.php
FF - plugin: d:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: d:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: d:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: d:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 nvcchflt;NVIDIA Disk Cache Filter Driver;d:\windows\system32\drivers\nvcchflt.sys [2007-10-21 16640]
R1 atitray;atitray;d:\program files\radeon omega drivers\v4.8.442\ati tray tools\atitray.sys [2009-2-2 17952]
R1 Avg7Core;AVG7 Kernel;d:\windows\system32\drivers\avg7core.sys [2007-10-21 821856]
R1 Avg7RsW;AVG7 Wrap Driver;d:\windows\system32\drivers\avg7rsw.sys [2007-10-21 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;d:\windows\system32\drivers\avg7rsxp.sys [2007-10-21 27776]
R1 AvgClean;AVG7 Clean Driver;d:\windows\system32\drivers\avgclean.sys [2007-10-21 10760]
R1 vsdatant;vsdatant;d:\windows\system32\vsdatant.sys [2009-2-10 353680]
R2 aawservice;Lavasoft Ad-Aware Service;d:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R2 Avg7Alrt;AVG7 Alert Manager Server;d:\progra~1\grisoft\avg7\avgamsvr.exe [2007-10-21 418816]
R2 Avg7UpdSvc;AVG7 Update Service;d:\progra~1\grisoft\avg7\avgupsvc.exe [2007-10-21 49664]
R2 AVGEMS;AVG E-mail Scanner;d:\progra~1\grisoft\avg7\avgemc.exe [2007-10-21 406528]
R2 AvgTdi;AVG Network Redirector;d:\windows\system32\drivers\avgtdi.sys [2007-10-21 4960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;d:\program files\viewpoint\common\ViewpointService.exe [2008-9-23 24652]
R2 vsmon;TrueVector Internet Monitor;d:\windows\system32\zonelabs\vsmon.exe -service --> d:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 Apache2.2;Apache2.2;"d:\documents and settings\stephen\desktop\mindsponge\minisponge\sponge\apache\bin\apache.exe" -k runservice --> d:\documents and settings\stephen\desktop\mindsponge\minisponge\sponge\apache\bin\apache.exe [?]
S3 NPF;NetGroup Packet Filter Driver;d:\windows\system32\drivers\npf.sys [2005-8-2 32512]

=============== Created Last 30 ================


==================== Find3M ====================

2008-12-25 00:26 52,736 a------- d:\windows\ipuninst.exe
2008-12-21 22:45 274,432 a------- d:\windows\system32\TubeFinder.exe
2008-12-20 22:21 413,696 a------- d:\windows\system32\wrap_oal.dll
2008-12-20 22:21 110,592 a------- d:\windows\system32\OpenAL32.dll
2008-12-18 19:06 410,984 a------- d:\windows\system32\deploytk.dll
2008-03-16 08:20 32 a------- d:\docume~1\alluse~1\applic~1\ezsid.dat
2007-10-21 11:02 16,384 a--sh--- d:\windows\system32\config\systemprofile\cookies\index.dat
2007-10-21 11:02 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2007-10-21 11:02 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012007102120071022\index.dat
2007-10-21 11:02 32,768 a--sh--- d:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 23:48:16.50 ===============


Edited by ThorwaldOdinkor, 11 February 2009 - 12:00 AM.
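As an added example (not from this thread or from the DDS tool itself): a small Python triage script that parses the BHO and Run lines of a DDS "Pseudo HJT Report" section, using a handful of lines from the log above as constructed sample input, and flags entries by two simple heuristics, an orphaned "No File" registration and a binary autostarting from system32 that is not on a short allowlist. The allowlist and both heuristics are assumptions for illustration, not DDS logic.

```python
import ntpath
import re

# Constructed sample: lines copied from the Pseudo HJT section of the DDS log in this thread.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - d:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: IEHlprObj Class: {ce7c3cf0-4b15-11d1-abed-709549c10000} - d:\windows\system32\hgkjghg0.dll
BHO: IEHlprObj Class: {f171a450-7af5-43e1-afed-edc826a1b0f5} - d:\windows\system32\bgotrtu0.dll
uRun: [ctfmon.exe] d:\windows\system32\ctfmon.exe
uRun: [kvasoft] d:\windows\system32\kva8wr.exe
mRun: [AVG7_CC] d:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
"""

# Assumption: a short allowlist of Windows XP components that legitimately autostart
# from system32; anything else loading from there is worth a second look.
KNOWN_SYSTEM32 = {"ctfmon.exe", "wpdshserviceobj.dll"}

# "BHO: <name>: {CLSID} - <path>"  or  "BHO: {CLSID} - No File"
BHO_RE = re.compile(r"^BHO: (?:(?P<name>.*?): )?\{(?P<clsid>[0-9a-f-]{36})\} - (?P<path>.*)$", re.I)
# "uRun/mRun/dRun(Once): [<value name>] "<path>" <args>"
RUN_RE = re.compile(r'^(?P<hive>[umd])Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*"?(?P<path>.*?\.(?:exe|dll))"?', re.I)


def parse_entry(line):
    """Return (kind, name, path) for a BHO or Run line, or None for any other line."""
    m = BHO_RE.match(line)
    if m:
        return ("BHO", m.group("name") or "", m.group("path"))
    m = RUN_RE.match(line)
    if m:
        return (m.group("hive") + "Run", m.group("name"), m.group("path"))
    return None


def suspicious_reason(kind, name, path):
    """Heuristic only: explain why an autostart entry deserves review, or return None."""
    if path == "No File":
        return "orphaned registration (DLL missing)"
    base = ntpath.basename(path).lower()
    if "\\windows\\system32\\" in path.lower() and base not in KNOWN_SYSTEM32:
        return "unrecognised binary autostarting from system32"
    return None


def triage(log_text):
    """Return [(kind, name, path, reason)] for every entry the heuristics flag."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is not None:
            reason = suspicious_reason(*entry)
            if reason:
                flagged.append(entry + (reason,))
    return flagged


if __name__ == "__main__":
    for kind, name, path, reason in triage(SAMPLE_LOG):
        print(f"{kind:5} [{name or 'no name'}] {path}  <- {reason}")
```

Entries it flags are candidates for review against a known-good list (publisher, file version, on-disk signature), not a verdict by themselves.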




#2 SpotCheckBilly

SpotCheckBilly

  • Members
  • 81 posts
  • OFFLINE
  • Gender:Male
  • Location:Twin Cities, MN
  • Local time:02:36 AM

Posted 22 February 2009 - 03:27 PM

Hi ThorwaldOdinkor,

Welcome to the BleepingComputer forums.

We apologize for the delay in responding to your request for assistance. Every one of our team members is a volunteer and unfortunately, there are often just not enough to keep up with demand. Thank you so much for your patience.

If your issue has been resolved or you have received help elsewhere, please post a reply here and let us know so that we can close this thread.

If you still need assistance, my name is SpotCheckBilly (SCB for short) and I will be happy to help you.

===Very Important===

The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY . You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.

=================


A few things which will make our fix go more smoothly.
  • Please >>DO NOT<< run any scans/tools or other fixes unless I ask you to.
  • Please DO NOT install any software while we are working.
  • Please do not skip any steps. With some infections skipping a step can be disastrous.
  • If there is something you don't understand or are unsure of -- please stop and take a moment to ask about it.
  • If you are running P2P filesharing program(s), my recommendation is that you uninstall it/them.
  • Remove any cracked/pirated software. I will immediately stop helping you if I discover any.
The most important thing to remember is to be patient. Very seldom can we remove the entire infection in one go. Many of today's infections install other infections and for the most part they do not like to go quietly. :)

Your flash drive is probably infected so I would recommend that you not use it until we get you clean, at which time we can clean it as well.

You also may wish to consider upgrading your AVG to version 8. At some point version 7.5 will no longer be supported (if that has not already happened).

I await a reply. -- SCB
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton

