
PC infected with advert redirecting trojan


  • This topic is locked
3 replies to this topic

#1 groggsy

  • Members
  • 2 posts

Posted 06 March 2009 - 12:17 PM

Hi,

My wife's laptop has become infected by a trojan and/or virus.

When you do a search via Google, for example, and click on a resulting link, it comes up with a new window, usually redirected to an unrelated advert. So it is unusable for the internet.

I have to use my PC to compile this cry for help.

I've tried installing and using Spybot S&D, AVG, Ad-Aware and the existing McAfee (which can't be that good, as it let the PC get infected in the first place). But although all of the others find something, they can never clean it, as it/they reappear again as soon as I reboot.

I even used SDFix in safe mode, which detected and cleaned, but it was still there when I tried using IE and went on the internet.

Hope someone can help!

Below is the DDS report:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Jenifer at 16:01:40.51 on 06/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1398 [GMT 0:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall Plus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Jenifer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/search?q=google&rls=com.microsoft:en-gb:IE-SearchBox&ie=UTF-8&oe=UTF-8&sourceid=ie7&rlz=1I7ADBS
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.btbroadbandstart.com/
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mWinlogon: Userinit=userinit.exe,c:\windows\system32\ntos.exe,
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: McAfee AntiPhishing Filter: {41d68ed8-4cff-4115-88a6-6ebb8af19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: McAfee VirusScan: {ba52b914-b692-46c4-b683-905236f6f655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [userinit] c:\windows\system32\ntos.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [MPFEXE] "c:\program files\mcafee.com\personal firewall\MPFTray.exe"
mRun: [MSKAGENTEXE] c:\progra~1\mcafee\spamki~1\MskAgent.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -startup
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SDFix] e:\sdfix\RUNTHIS.BAT /second
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [userinit] c:\windows\system32\ntos.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - {7DD73374-7187-4103-8F29-622AA25E7C40} - c:\program files\mcafee\spamkiller\mcapfbho.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232659020765
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232659003015
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {CCA0E0C3-1EFC-4E0E-AE3C-042D968669D0} = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll

============= SERVICES / DRIVERS ===============

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-3-6 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-3-5 64160]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-6 325640]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-6 27656]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-6 107912]
R1 SSHDRV76;SSHDRV76;c:\windows\system32\drivers\SSHDRV76.sys [2006-6-26 53760]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-6-7 561152]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-3-6 908056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-6 298264]
R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2006-3-8 126976]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 McShield;McAfee.com McShield;c:\progra~1\mcafee.com\vso\mcshield.exe [2006-3-8 221184]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2006-3-8 122368]
R3 NaiAvFilter1;NaiAvFilter1;c:\windows\system32\drivers\naiavf5x.sys [2006-3-8 114464]
S2 FLEXlm License Manager;FLEXlm License Manager;c:\aw\com\etc\lmgrd.exe --> c:\aw\com\etc\lmgrd.exe [?]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 951120]
S2 maya3flex;maya3flex;c:\aw\com\etc\lmgrd.exe --> c:\aw\com\etc\lmgrd.exe [?]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2006-3-8 245760]

=============== Created Last 30 ================

2009-03-06 13:37 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-03-06 13:27 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys
2009-03-06 13:27 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-03-06 13:27 107,912 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-06 13:27 325,640 a------- c:\windows\system32\drivers\avgldx86.sys
2009-03-06 13:27 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-03-06 13:27 <DIR> --d----- c:\docume~1\jenifer\applic~1\AVGTOOLBAR
2009-03-06 13:26 <DIR> --d----- c:\program files\AVG
2009-03-06 13:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-06 13:24 <DIR> --d----- C:\!KillBox
2009-03-06 10:26 <DIR> --dsh--- c:\windows\system32\wsnpoem
2009-03-06 01:43 19,932 a------- c:\windows\system32\AAWService_2009_03_06_01_43_38.dmp
2009-03-06 00:43 19,932 a------- c:\windows\system32\AAWService_2009_03_06_00_43_12.dmp
2009-03-06 00:20 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-03-06 00:09 <DIR> --d----- c:\windows\ERUNT
2009-03-05 23:51 268,648 a------- c:\windows\system32\mucltui.dll
2009-03-05 23:51 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-03-05 23:33 19,932 a------- c:\windows\system32\AAWService_2009_03_05_23_33_48.dmp
2009-03-05 23:22 19,932 a------- c:\windows\system32\AAWService_2009_03_05_23_22_38.dmp
2009-03-05 23:15 0 a------- c:\windows\system32\AAWService_2009_03_05_23_15_56.dmp
2009-03-05 21:06 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-05 21:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-05 20:48 22,258 a------- c:\windows\system32\AAWService_2009_03_05_20_48_17.dmp
2009-03-05 19:40 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-03-05 19:37 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-05 19:36 <DIR> --d----- C:\ANTIVIRUS
2009-03-04 18:23 <DIR> --d----- C:\COOKSONS
2009-03-02 19:50 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-02 19:50 1,409 a------- c:\windows\QTFont.for
2009-02-04 21:03 99,024 a------- c:\windows\MozillaUninstall.exe
2009-02-04 21:03 98,512 a------- c:\windows\GREUninstall.exe
2009-02-04 21:03 8,230 a------- c:\windows\mozver.dat
2009-02-04 21:03 <DIR> --d----- c:\program files\common files\mozilla.org
2009-02-04 21:02 <DIR> --d----- c:\program files\mozilla.org

==================== Find3M ====================

2009-03-05 23:31 88,859 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-05 19:39 15,688 a------- c:\windows\system32\lsdelete.exe
2009-02-15 17:55 6,580 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-01-16 21:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-19 09:10 70,656 -------- c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 -------- c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 -------- c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 -------- c:\windows\system32\dllcache\ieakui.dll
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys

============= FINISH: 16:03:05.75 ===============


#2 groggsy

  • Topic Starter

  • Members
  • 2 posts

Posted 06 March 2009 - 03:38 PM

I just tried another scan using Ad-Aware, and here is the log...

Logfile created: 06/03/2009 18:47:56
Lavasoft Ad-Aware version: 8.0.3
Extended engine version: 8.1
User performing scan: Jenifer

*********************** Definitions database information ***********************
Lavasoft definition file: 146.19
Extended engine definition file: 8.1

******************************** Scan results: *********************************
Scan profile name: Smart Scan (ID: smart)
Objects scanned: 33767
Objects detected: 5


Type Detected
==========================
Processes.......: 0
Registry entries: 4
Hostfile entries: 0
Files...........: 0
Folders.........: 1
LSPs............: 0
Cookies.........: 0
Browser hijacks.: 0
MRU objects.....: 0



Removed items:
Description: C:\WINDOWS\system32\wsnpoem Family Name: Win32.Backdoor.Agent Clean status: Reboot required Item ID: 57683 Family ID: 795

Quarantined items:
Description: HKU:.DEFAULT\software\microsoft\windows\currentversion\explorer:{f710fa10-2031-3106-8872-93a2b5c5c620} Family Name: Win32.Backdoor.Agent Clean status: Success Item ID: 27972 Family ID: 795
Description: HKU:S-1-5-18\software\microsoft\windows\currentversion\explorer:{f710fa10-2031-3106-8872-93a2b5c5c620} Family Name: Win32.Backdoor.Agent Clean status: Failed Item ID: 27972 Family ID: 795
Description: HKU:.default\software\microsoft\windows\currentversion\run:userinit Family Name: Win32.Backdoor.Agent Clean status: Success Item ID: 28131 Family ID: 795
Description: HKU:.default\software\microsoft\windows\currentversion\explorer:{f710fa10-2031-3106-8872-93a2b5c5c620} Family Name: Win32.TrojanSpy.Bancos Clean status: Failed Item ID: 42431 Family ID: 1057

Scan and cleaning complete: Finished correctly after 139 seconds

*********************************** Settings ***********************************

Scan profile:
ID: smart, enabled:1, value: Smart Scan
ID: scancriticalareas, enabled:1, value: true
ID: scanrunningapps, enabled:1, value: true
ID: scanregistry, enabled:1, value: true
ID: scanlsp, enabled:1, value: true
ID: scanads, enabled:1, value: false
ID: scanhostsfile, enabled:1, value: false
ID: scanmru, enabled:1, value: false
ID: scanbrowserhijacks, enabled:1, value: true
ID: scantrackingcookies, enabled:1, value: true
ID: closebrowsers, enabled:1, value: false
ID: folderstoscan, enabled:1, value:
ID: scanrootkits, enabled:1, value: true
ID: usespywareheuristics, enabled:1, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: mild, domain: medium,mild,strict
ID: filescanningoptions, enabled:1
ID: archives, enabled:1, value: false
ID: onlyexecutables, enabled:1, value: true
ID: skiplargerthan, enabled:1, value: 20480

Scan global:
ID: global, enabled:1
ID: addtocontextmenu, enabled:1, value: true
ID: playsoundoninfection, enabled:1, value: false
ID: soundfile, enabled:0, value: *to be filled in automatically*\alert.wav

Scheduled scan settings:
<Empty>

Update settings:
ID: updates, enabled:1
ID: launchthreatworksafterscan, enabled:1, value: normal, domain: normal,off,silently
ID: displaystatus, enabled:1, value: false
ID: deffiles, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: autodetectproxy, enabled:1, value: false
ID: useautoconfigscript, enabled:1, value: false
ID: autoconfigurl, enabled:0, value:
ID: useproxy, enabled:1, value: false
ID: proxyserver, enabled:0, value:
ID: softwareupdates, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: licenseandinfo, enabled:1, value: downloadandinstall, domain: dontcheck,downloadandinstall
ID: schedules, enabled:1, value: true
ID: updatedaily, enabled:1, value: Daily
ID: time, enabled:1, value: Thu Mar 05 19:39:00 2009
ID: frequency, enabled:1, value: daily, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: false
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: false
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false
ID: updateweekly, enabled:1, value: Weekly
ID: time, enabled:1, value: Thu Mar 05 19:39:00 2009
ID: frequency, enabled:1, value: weekly, domain: daily,monthly,once,systemstart,weekly
ID: weekdays, enabled:1
ID: monday, enabled:1, value: true
ID: tuesday, enabled:1, value: false
ID: wednesday, enabled:1, value: false
ID: thursday, enabled:1, value: true
ID: friday, enabled:1, value: false
ID: saturday, enabled:1, value: false
ID: sunday, enabled:1, value: false
ID: monthly, enabled:1, value: 1, minvalue: 1, maxvalue: 31
ID: scanprofile, enabled:1, value:
ID: auto_deal_with_infections, enabled:1, value: false

Appearance settings:
ID: appearance, enabled:1
ID: skin, enabled:1, value: default.egl, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Resource
ID: showtrayicon, enabled:1, value: true
ID: language, enabled:1, value: en, reglocation: HKEY_LOCAL_MACHINE\SOFTWARE\Lavasoft\Ad-Aware\Language

Realtime protection settings:
ID: realtime, enabled:1
ID: processprotection, enabled:1, value: true
ID: registryprotection, enabled:0, value: true
ID: networkprotection, enabled:0, value: true
ID: loadatstartup, enabled:1, value: true
ID: usespywareheuristics, enabled:0, value: true
ID: extendedengine, enabled:0, value: true
ID: useheuristics, enabled:0, value: true
ID: heuristicslevel, enabled:0, value: strict, domain: medium,mild,strict
ID: infomessages, enabled:1, value: onlyimportant, domain: display,dontnotify,onlyimportant


****************************** System information ******************************
Computer name: JENNY
Processor name: Intel® Pentium® M processor 1.86GHz
Processor identifier: x86 Family 6 Model 13 Stepping 8
Raw info: processorarchitecture 0, processortype 586, processorlevel 6, processor revision 3336, number of processors 1
Physical memory available: 1366679552 bytes
Physical memory total: 2146824192 bytes
Virtual memory available: 2055049216 bytes
Virtual memory total: 2147352576 bytes
Memory load: 36%
Microsoft Windows XP Professional Service Pack 3 (build 2600)
Windows startup mode:

Running processes:
PID: 1000 name: \SystemRoot\System32\smss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1096 name: \??\C:\WINDOWS\system32\csrss.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1124 name: \??\C:\WINDOWS\system32\winlogon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1172 name: C:\WINDOWS\system32\services.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1184 name: C:\WINDOWS\system32\lsass.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1360 name: C:\WINDOWS\system32\Ati2evxx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1372 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1504 name: C:\WINDOWS\system32\svchost.exe owner: NETWORK SERVICE domain: NT AUTHORITY
PID: 1652 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1692 name: C:\Program Files\Intel\Wireless\Bin\EvtEng.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1764 name: C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1940 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 396 name: C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 480 name: C:\WINDOWS\system32\spoolsv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1596 name: C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1620 name: C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1868 name: C:\WINDOWS\eHome\ehRecvr.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1900 name: C:\WINDOWS\eHome\ehSched.exe owner: SYSTEM domain: NT AUTHORITY
PID: 196 name: c:\program files\mcafee.com\agent\mcdetect.exe owner: SYSTEM domain: NT AUTHORITY
PID: 224 name: c:\PROGRA~1\mcafee.com\vso\mcshield.exe owner: SYSTEM domain: NT AUTHORITY
PID: 556 name: C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe owner: Jenifer domain: JENNY
PID: 648 name: C:\WINDOWS\system32\Ati2evxx.exe owner: Jenifer domain: JENNY
PID: 832 name: C:\WINDOWS\Explorer.EXE owner: Jenifer domain: JENNY
PID: 888 name: c:\PROGRA~1\mcafee.com\agent\mctskshd.exe owner: SYSTEM domain: NT AUTHORITY
PID: 500 name: c:\PROGRA~1\mcafee.com\vso\OasClnt.exe owner: Jenifer domain: JENNY
PID: 2092 name: C:\Program Files\TortoiseSVN\bin\TSVNCache.exe owner: Jenifer domain: JENNY
PID: 2108 name: C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2320 name: c:\program files\mcafee.com\vso\mcvsshld.exe owner: Jenifer domain: JENNY
PID: 2352 name: c:\progra~1\mcafee.com\vso\mcvsescn.exe owner: Jenifer domain: JENNY
PID: 2360 name: c:\program files\mcafee.com\agent\mcagent.exe owner: Jenifer domain: JENNY
PID: 2612 name: C:\Program Files\McAfee.com\Personal Firewall\MPFTray.exe owner: Jenifer domain: JENNY
PID: 2636 name: C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe owner: Jenifer domain: JENNY
PID: 2652 name: C:\Program Files\QuickTime\qttask.exe owner: Jenifer domain: JENNY
PID: 2664 name: C:\Program Files\Common Files\Real\Update_OB\realsched.exe owner: Jenifer domain: JENNY
PID: 2684 name: C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe owner: Jenifer domain: JENNY
PID: 2712 name: C:\Program Files\Canon\MyPrinter\BJMyPrt.exe owner: Jenifer domain: JENNY
PID: 2728 name: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe owner: Jenifer domain: JENNY
PID: 2984 name: C:\PROGRA~1\AVG\AVG8\avgtray.exe owner: Jenifer domain: JENNY
PID: 3048 name: C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3088 name: C:\WINDOWS\system32\ctfmon.exe owner: Jenifer domain: JENNY
PID: 3108 name: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe owner: Jenifer domain: JENNY
PID: 3120 name: C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3296 name: C:\WINDOWS\system32\svchost.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3356 name: C:\WINDOWS\system32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3396 name: C:\WINDOWS\system32\Tablet.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3556 name: C:\WINDOWS\ehome\mcrdsvc.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3800 name: C:\PROGRA~1\AVG\AVG8\avgemc.exe owner: SYSTEM domain: NT AUTHORITY
PID: 4008 name: C:\WINDOWS\system32\WTablet\TabUserW.exe owner: Jenifer domain: JENNY
PID: 4076 name: C:\PROGRA~1\AVG\AVG8\avgam.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2004 name: C:\PROGRA~1\AVG\AVG8\avgrsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 228 name: C:\PROGRA~1\AVG\AVG8\avgnsx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 424 name: C:\WINDOWS\system32\Tablet.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1432 name: C:\WINDOWS\system32\wbem\wmiprvse.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2852 name: C:\Program Files\AVG\AVG8\avgcsrvx.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2648 name: C:\WINDOWS\system32\dllhost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 2796 name: C:\WINDOWS\system32\wbem\unsecapp.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3688 name: C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe owner: Jenifer domain: JENNY
PID: 3708 name: C:\WINDOWS\System32\alg.exe owner: LOCAL SERVICE domain: NT AUTHORITY
PID: 3532 name: C:\WINDOWS\System32\svchost.exe owner: SYSTEM domain: NT AUTHORITY
PID: 3968 name: C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe owner: Jenifer domain: JENNY
PID: 3812 name: C:\WINDOWS\system32\msiexec.exe owner: SYSTEM domain: NT AUTHORITY
PID: 1036 name: C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe owner: Jenifer domain: JENNY
PID: 1916 name: C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe owner: Jenifer domain: JENNY

Startup items:
Name: MCUpdateExe
imagepath: C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
Name: MCAgentExe
imagepath: c:\PROGRA~1\mcafee.com\agent\McAgent.exe
Name: CTFMON.EXE
imagepath: C:\WINDOWS\system32\CTFMON.EXE
Name: userinit
imagepath: C:\WINDOWS\system32\ntos.exe
Name: PostBootReminder
imagepath: {7849596a-48ea-486e-8937-a2a3009f31a9}
Name: CDBurn
imagepath: {fbeb8a05-beee-4442-804e-409d6c4515e9}
Name: WebCheck
imagepath: {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
Name: SysTray
imagepath: {35CEC8A3-2BE6-11D2-8773-92E220524153}
Name: {438755C2-A8BA-11D1-B96B-00A0C90312E1}
imagepath: Browseui preloader
Name: {8C7461EF-2B13-11d2-BE35-3078302C2030}
imagepath: Component Categories cache daemon
Name:
imagepath: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Name:
imagepath: C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini

Bootexecute items:
Name:
imagepath: autocheck autochk *

Running services:
Name: ALG
displayname: Application Layer Gateway Service
Name: AppMgmt
displayname: Application Management
Name: Ati HotKey Poller
displayname: Ati HotKey Poller
Name: AudioSrv
displayname: Windows Audio
Name: Autodesk Licensing Service
displayname: Autodesk Licensing Service
Name: avg8emc
displayname: AVG8 E-mail Scanner
Name: avg8wd
displayname: AVG8 WatchDog
Name: Browser
displayname: Computer Browser
Name: COMSysApp
displayname: COM+ System Application
Name: CryptSvc
displayname: Cryptographic Services
Name: DcomLaunch
displayname: DCOM Server Process Launcher
Name: Dhcp
displayname: DHCP Client
Name: ehRecvr
displayname: Media Center Receiver Service
Name: ehSched
displayname: Media Center Scheduler Service
Name: ERSvc
displayname: Error Reporting Service
Name: Eventlog
displayname: Event Log
Name: EventSystem
displayname: COM+ Event System
Name: EvtEng
displayname: EvtEng
Name: helpsvc
displayname: Help and Support
Name: HidServ
displayname: HID Input Service
Name: HTTPFilter
displayname: HTTP SSL
Name: lanmanserver
displayname: Server
Name: lanmanworkstation
displayname: Workstation
Name: Lavasoft Ad-Aware Service
displayname: Lavasoft Ad-Aware Service
Name: LmHosts
displayname: TCP/IP NetBIOS Helper
Name: McDetect.exe
displayname: McAfee WSC Integration
Name: McrdSvc
displayname: Media Center Extender Service
Name: McShield
displayname: McAfee.com McShield
Name: McTskshd.exe
displayname: McAfee Task Scheduler
Name: MpfService
displayname: McAfee Personal Firewall Service
Name: MSIServer
displayname: Windows Installer
Name: Netman
displayname: Network Connections
Name: NICCONFIGSVC
displayname: NICCONFIGSVC
Name: Nla
displayname: Network Location Awareness (NLA)
Name: PlugPlay
displayname: Plug and Play
Name: PolicyAgent
displayname: IPSEC Services
Name: ProtectedStorage
displayname: Protected Storage
Name: RasMan
displayname: Remote Access Connection Manager
Name: RegSrvc
displayname: RegSrvc
Name: RemoteRegistry
displayname: Remote Registry
Name: RpcSs
displayname: Remote Procedure Call (RPC)
Name: S24EventMonitor
displayname: Spectrum24 Event Monitor
Name: SamSs
displayname: Security Accounts Manager
Name: Schedule
displayname: Task Scheduler
Name: seclogon
displayname: Secondary Logon
Name: SENS
displayname: System Event Notification
Name: SharedAccess
displayname: Windows Firewall/Internet Connection Sharing (ICS)
Name: ShellHWDetection
displayname: Shell Hardware Detection
Name: Spooler
displayname: Print Spooler
Name: srservice
displayname: System Restore Service
Name: SSDPSRV
displayname: SSDP Discovery Service
Name: stisvc
displayname: Windows Image Acquisition (WIA)
Name: TabletService
displayname: TabletService
Name: TapiSrv
displayname: Telephony
Name: TermService
displayname: Terminal Services
Name: Themes
displayname: Themes
Name: TrkWks
displayname: Distributed Link Tracking Client
Name: w32time
displayname: Windows Time
Name: WebClient
displayname: WebClient
Name: winmgmt
displayname: Windows Management Instrumentation
Name: wuauserv
displayname: Automatic Updates
Name: WZCSVC
displayname: Wireless Zero Configuration
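An editor's added example, not code from the thread or from DDS or Ad-Aware: a small Python triage over the "Pseudo HJT Report" lines of the DDS log in post #1 (a constructed excerpt is embedded) that flags the persistence both logs in this thread point at: a second executable appended to the Winlogon Userinit value, and Run values named "userinit" that launch the same file from more than one hive, one reason a clean-up that removes only one of them would not survive a reboot. The mapping of the u/m/d prefixes to hives and all function names are my assumptions, not DDS's own.

```python
import ntpath
import re
from typing import Dict, List

# Constructed excerpt: the relevant "Pseudo HJT Report" lines from the DDS log in post #1.
SAMPLE_DDS_LINES: List[str] = [
    r"uStart Page = hxxp://www.google.com/search?q=google",
    r"mWinlogon: Userinit=userinit.exe,c:\windows\system32\ntos.exe,",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe",
    r"uRun: [userinit] c:\windows\system32\ntos.exe",
    r'mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime',
    r"mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe",
    r"dRun: [userinit] c:\windows\system32\ntos.exe",
    r"Notify: AtiExtEvent - Ati2evxx.dll",
]

# The only program Windows itself lists in the Winlogon Userinit value.
EXPECTED_USERINIT = "userinit.exe"

# Assumed reading of the DDS prefixes: u = current user, m = local machine, d = default user
# hive (the Ad-Aware log in post #2 reports the same entry under HKU:.default\...\run:userinit).
HIVE_NAMES = {"u": "HKCU", "m": "HKLM", "d": r"HKU\.DEFAULT"}

USERINIT_RE = re.compile(r"^mWinlogon:\s+Userinit=(?P<value>.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^(?P<hive>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)


def userinit_entries(lines: List[str]) -> List[str]:
    """Every comma-separated program named in the Winlogon Userinit value."""
    for line in lines:
        m = USERINIT_RE.match(line.strip())
        if m:
            return [p.strip() for p in m.group("value").split(",") if p.strip()]
    return []


def unexpected_userinit(lines: List[str]) -> List[str]:
    """Programs in Userinit other than userinit.exe; each one runs at every interactive logon,
    before Explorer and before an on-demand scanner started from the desktop can look."""
    return [p for p in userinit_entries(lines)
            if ntpath.basename(p).lower() != EXPECTED_USERINIT]


def launched_exe(cmd: str) -> str:
    """Lower-cased basename of the executable a Run command launches (quotes and arguments dropped)."""
    m = EXE_RE.match(cmd.strip())
    return ntpath.basename(m.group("path")).lower() if m else cmd.strip().lower()


def run_entries(lines: List[str]) -> List[Dict[str, str]]:
    """All uRun/mRun/dRun lines as dicts with the hive spelled out."""
    entries = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if m:
            entries.append({"hive": HIVE_NAMES[m.group("hive")],
                            "name": m.group("name"), "cmd": m.group("cmd")})
    return entries


def suspicious_run_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Run values that borrow the name of a system component (userinit) or launch a binary
    that is also hooked into Userinit, i.e. the same payload persisted twice."""
    hooked = {ntpath.basename(p).lower() for p in unexpected_userinit(lines)}
    findings = []
    for entry in run_entries(lines):
        exe = launched_exe(entry["cmd"])
        reasons = []
        if entry["name"].lower() == "userinit":
            reasons.append("Run value named after the Winlogon userinit component")
        if exe in hooked:
            reasons.append("same binary is appended to the Winlogon Userinit value")
        if reasons:
            findings.append({**entry, "exe": exe, "reasons": reasons})
    return findings


def triage(lines: List[str]) -> Dict[str, object]:
    """Summarise where the payload is hooked and whether it also lives outside the user's
    own hive, which a clean-up of HKCU alone would leave in place."""
    runs = suspicious_run_entries(lines)
    hives = sorted({r["hive"] for r in runs})
    return {
        "userinit_extras": unexpected_userinit(lines),
        "suspicious_runs": runs,
        "persisted_in_hives": hives,
        "outside_user_hive": any(h != "HKCU" for h in hives),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_DDS_LINES)
    for path in report["userinit_extras"]:
        print(f"Userinit hook: {path}")
    for f in report["suspicious_runs"]:
        print(f'{f["hive"]}\\...\\Run [{f["name"]}] -> {f["exe"]}: ' + "; ".join(f["reasons"]))
    print("also hooked outside the user's hive:", report["outside_user_hive"])
```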

#3 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts

Posted 19 March 2009 - 09:42 AM

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. Please download Trend Micro - HijackThis. Do a new scan with Trend Micro - HijackThis and post it in your next reply. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please:
  • Reply to this thread; do not start another!
  • Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so.
  • Do not run any other tool until instructed to do so!
  • Let me know if any of the links do not work or if any of the tools do not work.
  • Tell me about problems or symptoms that occur during the fix.
  • Do not run any other programs or open any other windows while doing a fix.
  • Ask any questions that you have regarding the fix(es), the infection(s), the performance of your computer, etc.
Thanks.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts

Posted 03 April 2009 - 06:05 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.



