
Unknown Virus/Trojan removal help


  • This topic is locked
3 replies to this topic

#1 tmhoward

  • Members
  • 9 posts

Posted 29 March 2009 - 12:06 AM

Hello, I was sent here from my previous thread, where I was working with quietman, which can be found here.

I am running Windows XP SP2. I cannot get to any sites that have to do with removing viruses, malware or anything. I cannot install my Spyware Doctor. I am even having to post here from a different computer. I am using a jump drive to get the logs back and forth between the 2 computers. Spybot did find redirect hosts and removed them, but that still didn't help. Malwarebytes and CureIt have been run (see above link).


I have followed the preparation guide and have a log file. If anyone would be willing to help, it would be greatly appreciated. I am going on 2 days almost nonstop of fighting with it.

**sorry, just realized my DDS log isn't here, here it is now:
DDS (Ver_09-03-16.01) - NTFSx86
Run by Vaio at 23:48:17.57 on Sat 03/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.517 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\Vaio\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
StartupFolder: c:\documents and settings\vaio\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vaio\applic~1\mozilla\firefox\profiles\swoh1pmy.default\

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-3-28 130424]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-9-3 226304]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20090210.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20090210.003\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20090210.003\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20090210.003\NAVEX15.SYS [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-3-28 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-3-28 1095560]
S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-03-28 14:17 <DIR> --d----- c:\documents and settings\vaio\DoctorWeb
2009-03-28 07:04 388,608 a------- c:\windows\system32\CF5661.exe
2009-03-28 06:13 <DIR> --d----- c:\program files\CCleaner
2009-03-28 05:59 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-03-28 05:59 130,424 a------- c:\windows\system32\drivers\PCTCore.sys
2009-03-28 05:59 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-28 05:58 <DIR> --d----- c:\program files\common files\PC Tools
2009-03-28 05:58 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-03-28 05:58 <DIR> --d----- c:\program files\Spyware Doctor
2009-03-28 05:58 <DIR> --d----- c:\docume~1\vaio\applic~1\PC Tools
2009-03-28 05:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-03-28 05:37 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-28 05:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-28 05:04 <DIR> --d----- c:\docume~1\vaio\applic~1\QuickScan
2009-03-28 04:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 04:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-28 04:41 <DIR> --d----- c:\docume~1\vaio\applic~1\GetRightToGo
2009-03-28 02:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-28 02:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-28 02:58 <DIR> --d----- c:\docume~1\vaio\applic~1\SUPERAntiSpyware.com
2009-03-28 02:53 <DIR> --d----- c:\program files\directx
2009-03-28 02:53 <DIR> --d----- c:\documents and settings\vaio\WINDOWS
2009-03-28 02:26 <DIR> --d----- c:\windows\pss
2009-03-28 00:56 664 a------- c:\windows\system32\d3d9caps.dat
2009-03-27 23:55 <DIR> --d----- c:\docume~1\vaio\applic~1\Malwarebytes
2009-03-27 23:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-27 23:28 <DIR> --d----- c:\program files\Trend Micro
2009-03-27 23:25 <DIR> --d----- c:\program files\Mozilla Firefox(2)
2009-03-27 21:36 132,152 a------- c:\windows\system\cmd
2009-03-27 21:35 442,368 a------- c:\windows\system32\InternetExplorer.dll
2009-03-27 19:15 547 a------- c:\windows\PowerReg.dat
2009-03-27 19:14 <DIR> --d----- c:\program files\Hasbro Interactive
2009-03-27 19:13 314,880 a------- c:\windows\IsUninst.exe
2009-03-27 18:04 481 a------- c:\windows\eReg.dat
2009-03-27 18:03 <DIR> --d----- c:\program files\EACOM
2009-03-27 18:01 <DIR> --d----- c:\program files\EA SPORTS

==================== Find3M ====================

2009-03-27 18:04 28,624 a------- c:\windows\system32\drivers\secdrv.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k(2)(2).sys

============= FINISH: 23:48:34.18 ===============




Thank you so much!

Programs run that are coming up with clean results now, but I still can't open antivirus-type sites:
malwarebytes
superantispyware
spybot sd

Edited by tmhoward, 29 March 2009 - 06:16 AM.


#2 tmhoward

  • Topic Starter
  • Members
  • 9 posts

Posted 29 March 2009 - 10:53 AM

I don't mean to bump this, but I have some new information that may help in resolving this.

All of a sudden I was able to access the forum here, and I could get to Norton, Avira, and Kaspersky. I still can't get into several others, but these I can.
Since I could get in to Kaspersky, I did an online scan. Also, since I had no AV protection (I was in the process of trying to replace Norton with something else), I grabbed Avira AntiVir. It found the same thing as Kaspersky plus several others. They mostly seemed to be linked to my restore. I will copy that log too.

Also, still being redirected to weird "search places" most of the time.

Since I did these things I assume you need a new DDS log, and another Attach.txt, I will include these too.

Also, another scan was done with Malwarebytes; it came up clean.

Again, so sorry to bump this, but thought this might all be helpful.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, March 29, 2009 12:09:44
Records in database: 1983835
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Vaio\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 24118
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:27:11


File name / Threat name / Threats count
C:\WINDOWS\system32\InternetExplorer.dll Infected: Trojan.Win32.FraudPack.ify 1

The selected area was scanned.

******************************************************************************************
Avira AntiVir Personal
Report file date: Sunday, March 29, 2009 08:48

Scanning for 1328914 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : VAIO-2A4BFC7284

Version information:
BUILD.DAT : 9.0.0.387 17962 Bytes 3/24/2009 11:04:00
AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 17:13:26
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 15:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 16:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 15:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 17:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 01:33:26
ANTIVIR2.VDF : 7.1.2.199 1008640 Bytes 3/22/2009 13:46:21
ANTIVIR3.VDF : 7.1.2.228 257024 Bytes 3/27/2009 13:46:23
Engineversion : 8.2.0.129
AEVDF.DLL : 8.1.1.0 106868 Bytes 1/27/2009 22:36:42
AESCRIPT.DLL : 8.1.1.70 369019 Bytes 3/29/2009 13:46:36
AESCN.DLL : 8.1.1.8 127346 Bytes 3/29/2009 13:46:35
AERDL.DLL : 8.1.1.3 438645 Bytes 10/29/2008 23:24:41
AEPACK.DLL : 8.1.3.11 397687 Bytes 3/29/2009 13:46:34
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 01:01:56
AEHEUR.DLL : 8.1.0.111 1679736 Bytes 3/29/2009 13:46:32
AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 01:01:56
AEGEN.DLL : 8.1.1.31 340341 Bytes 3/29/2009 13:46:25
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 19:32:40
AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 19:22:44
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 19:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 13:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 15:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 19:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 15:32:09
AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 12:52:24
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 15:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 20:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 13:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 15:32:10
RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 16:45:45
RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 20:55:12

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Sunday, March 29, 2009 08:48

Starting search for hidden objects.
'30110' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'msiexec.exe' - '1' Module(s) have been scanned
Scan process 'setup.exe' - '1' Module(s) have been scanned
Scan process '_start.exe' - '1' Module(s) have been scanned
Scan process 'launch.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'PIFSvc.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'dllhost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'RegSrvc.exe' - '1' Module(s) have been scanned
Scan process 'CommandService.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'ehSched.exe' - '1' Module(s) have been scanned
Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AluSchedulerSvc.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'PIFSvc.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'S24EvMon.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'EvtEng.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
45 processes with 45 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).
The registry was scanned ( '50' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP37\A0021244.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP37\A0021246.dll
[DETECTION] Is the TR/FraudPack.ify.9 Trojan
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP37\A0021247.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP41\A0022772.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP41\A0022775.exe
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\system32\InternetExplorer.dll
[DETECTION] Is the TR/FraudPack.ify.9 Trojan

Beginning disinfection:
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP37\A0021244.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49ff802a.qua'!
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP37\A0021246.dll
[DETECTION] Is the TR/FraudPack.ify.9 Trojan
[NOTE] The file was moved to '487fb0b3.qua'!
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP37\A0021247.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '4880a8fb.qua'!
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP41\A0022772.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '49ff802b.qua'!
C:\System Volume Information\_restore{3F94E9D4-94B4-43E1-A231-0CBCCCD71640}\RP41\A0022775.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4af5d92c.qua'!
C:\WINDOWS\system32\InternetExplorer.dll
[DETECTION] Is the TR/FraudPack.ify.9 Trojan
[NOTE] The file was moved to '4a438069.qua'!


End of the scan: Sunday, March 29, 2009 09:04
Used time: 16:00 Minute(s)

The scan has been done completely.

3593 Scanned directories
119232 Files were scanned
6 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
6 Files were moved to quarantine
0 Files were renamed
1 Files cannot be scanned
119225 Files not concerned
962 Archives were scanned
1 Warnings
7 Notes
30110 Objects were scanned with rootkit scan
0 Hidden objects were found

****also I rebooted after this scan, and did a rescan, still came back with 1 trojan: TR/FraudPack.ify.9 Trojan

*****************************************************************************************************

DDS (Ver_09-03-16.01) - NTFSx86
Run by Vaio at 10:46:29.93 on Sun 03/29/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.583 [GMT -5:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)
AV: AntiVir Desktop *On-access scanning disabled* (Updated)
FW: Norton AntiVirus *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Vaio\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\documents and settings\vaio\start menu\programs\startup\PowerReg Scheduler.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_10-windows-i586.cab
DPF: {E001C731-5E37-4538-A5CB-8168736A2360} - hxxp://91.199.104.31/cab/ActiveQscan.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\vaio\applic~1\mozilla\firefox\profiles\swoh1pmy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-29 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-29 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-29 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-29 55640]
R2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\leapfrog\leapfrog connect\CommandService.exe [2008-11-25 991232]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2008-9-3 226304]
S2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S2 ccSetMgr;Symantec Settings Manager;"c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon --> c:\program files\common files\symantec shared\ccSvcHst.exe [?]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\eraserutilrebootdrv.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [?]
S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2008-12-25 18560]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20090210.003\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20090210.003\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20090210.003\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20090210.003\NAVEX15.SYS [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 Symantec Core LC;Symantec Core LC;"c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe" --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-03-29 08:42 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-03-29 08:42 <DIR> --d----- c:\program files\Avira
2009-03-29 08:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-03-28 14:17 <DIR> --d----- c:\documents and settings\vaio\DoctorWeb
2009-03-28 07:04 388,608 a------- c:\windows\system32\CF5661.exe
2009-03-28 06:13 <DIR> --d----- c:\program files\CCleaner
2009-03-28 05:37 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-28 05:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-28 05:04 <DIR> --d----- c:\docume~1\vaio\applic~1\QuickScan
2009-03-28 04:49 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-28 04:49 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-28 04:41 <DIR> --d----- c:\docume~1\vaio\applic~1\GetRightToGo
2009-03-28 02:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-03-28 02:58 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-03-28 02:58 <DIR> --d----- c:\docume~1\vaio\applic~1\SUPERAntiSpyware.com
2009-03-28 02:53 <DIR> --d----- c:\program files\directx
2009-03-28 02:53 <DIR> --d----- c:\documents and settings\vaio\WINDOWS
2009-03-28 02:26 <DIR> --d----- c:\windows\pss
2009-03-28 00:56 664 a------- c:\windows\system32\d3d9caps.dat
2009-03-27 23:55 <DIR> --d----- c:\docume~1\vaio\applic~1\Malwarebytes
2009-03-27 23:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-27 23:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-27 23:28 <DIR> --d----- c:\program files\Trend Micro
2009-03-27 23:25 <DIR> --d----- c:\program files\Mozilla Firefox(2)
2009-03-27 21:36 132,152 a------- c:\windows\system\cmd
2009-03-27 19:15 547 a------- c:\windows\PowerReg.dat
2009-03-27 19:14 <DIR> --d----- c:\program files\Hasbro Interactive
2009-03-27 19:13 314,880 a------- c:\windows\IsUninst.exe
2009-03-27 18:04 481 a------- c:\windows\eReg.dat
2009-03-27 18:03 <DIR> --d----- c:\program files\EACOM
2009-03-27 18:01 <DIR> --d----- c:\program files\EA SPORTS

==================== Find3M ====================

2009-03-27 18:04 28,624 a------- c:\windows\system32\drivers\secdrv.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-02-09 05:19 1,846,272 a------- c:\windows\system32\win32k(2)(2).sys

============= FINISH: 10:46:42.10 ===============

Edited by tmhoward, 29 March 2009 - 11:03 AM.


#3 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 06 April 2009 - 05:52 PM

Hello,

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. As it's been a while since you posted your log, I will need an updated one.

Please take a look at the Preparation Guide for a download link to DDS and instructions on how you should ask for help.

Thanks and again sorry for the delay.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

#4 Jat90

  • Members
  • 1,515 posts
  • Gender:Male
  • Location:United Kingdom

Posted 11 April 2009 - 05:48 AM

Due to lack of feedback, this topic is now closed.

If you need this topic reopened, please send me a message. In your message please include the address of this thread in your request.

This applies only to the original topic starter.

Everyone else please start a new topic.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.
