Trojan.Virtumonde and more!


This topic is locked
11 replies to this topic

#1 robert wildey

robert wildey

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 14 June 2009 - 01:07 PM

Howdy. It appears that my computer was infected when my university version of McAfee VirusScan expired or was infected. Updates to VirusScan failed (and I'm no longer at the university), so I've been going through the boards and trying the various fixes in the order that other posters had received. I'm not making any headway, so starting a fresh thread.

I have PC Tools Spyware Doctor and have run it in Safe mode - it usually finds 4 or 5 low-level threats and quarantines them. Malwarebytes Anti-Malware was originally finding things, but lately has been giving the computer a clean bill of health. SUPERAntiSpyware finds a few things and marks them for deletion, but they keep coming back. Kaspersky's online scanner was originally working and finding things (but not deleting them); however, the last few times I've attempted to run it, the computer freezes up. The computer has also been freezing up at various points when working online.

Examples of found objects:
Adware.Tracking Cookie
C:\Documents and Settings\Robert\Cookies\robert@kaspersky.122.2o7[1].txt
C:\Documents and Settings\Robert\Cookies\robert@apmebf[1].txt
C:\Documents and Settings\Robert\Cookies\robert@atdmt[2].txt
C:\Documents and Settings\Robert\Cookies\robert@mediaplex[1].txt

5/30/2009 1:31:56 PM:148 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1619\A0243087.dll

5/30/2009 1:31:56 PM:242 Infection was detected on this computer
Threat Name - Trojan-PWS.Bancos.PWN
Type - File
Risk Level - Medium
Infection - C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1619\A0243089.sys

5/30/2009 1:32:22 PM:585 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1626\A0246162.dll

5/30/2009 2:00:31 PM:200 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\doguzeri.dll.tmp

5/30/2009 2:03:13 PM:745 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\vebimayo.dll.tmp

5/30/2009 2:03:14 PM:824 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\votojoye.dll.tmp

Here is the DDS log:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Robert at 13:43:34.75 on Sun 06/14/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.657 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\PROGRA~1\Intuit\QUICKB~1\COMPON~1\qbagent\QBDAGE~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoffi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpomau08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {AF93103D-2999-4C07-B190-F18D516E05DE} - hxxp://www2.vhb.com/timetrak/TimeTrak2.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://extranet.vhb.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\4p9k8y7a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\robert\application data\mozilla\firefox\profiles\4p9k8y7a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-21 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-5-25 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-5-25 39200]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-5-21 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\esri\license\arcgis9x\lmgrd.exe [2005-4-3 467968]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2004-2-6 102463]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-5-25 33056]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2005-1-26 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2005-1-26 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2005-1-26 60816]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-21 64392]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-21 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-21 1095560]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-06-13 12:32 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-13 11:53 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-13 11:53 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-13 11:53 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-13 11:53 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-09 23:45 <DIR> --d----- c:\program files\Trend Micro
2009-06-09 22:40 812,344 a------- c:\program files\HJTInstall.exe
2009-05-30 11:11 <DIR> --d----- c:\documents and settings\robert\.housecall6.6
2009-05-30 10:53 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-30 10:53 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-30 10:53 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-05-30 10:53 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-30 10:53 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-05-30 10:53 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-05-30 10:53 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-05-30 10:53 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-05-30 10:53 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-05-30 10:51 32,384 a------- c:\windows\system32\dllcache\usb101et.sys
2009-05-30 10:50 106,584 a------- c:\windows\system32\dllcache\spdports.dll
2009-05-30 10:49 182,272 a------- c:\windows\system32\dllcache\s3mt3d.dll
2009-05-30 10:48 169,984 a------- c:\windows\system32\dllcache\pcx500.sys
2009-05-30 10:47 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-05-30 10:46 7,424 a------- c:\windows\system32\dllcache\mammoth.sys
2009-05-30 10:45 88,192 a------- c:\windows\system32\dllcache\irda.sys
2009-05-30 10:44 8,576 a------- c:\windows\system32\dllcache\hidgame.sys
2009-05-30 10:43 55,999 a------- c:\windows\system32\dllcache\el556nd5.sys
2009-05-30 10:42 24,649 a------- c:\windows\system32\dllcache\dfe650d.sys
2009-05-30 10:41 74,240 a------- c:\windows\system32\dllcache\camexo20.dll
2009-05-30 10:40 46,464 a------- c:\windows\system32\dllcache\atibt829.sys
2009-05-30 10:39 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-05-30 10:34 <DIR> --dsh--- c:\documents and settings\robert\IECompatCache
2009-05-25 18:26 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-05-25 18:26 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-05-25 18:26 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-05-25 18:26 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-05-22 22:40 50,688 a------- c:\program files\ATF-Cleaner.exe
2009-05-21 19:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-21 19:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-21 19:42 <DIR> --d----- c:\docume~1\robert\applic~1\SUPERAntiSpyware.com
2009-05-21 19:41 6,367,264 a------- c:\program files\SUPERAntiSpyware.exe
2009-05-21 18:59 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-21 18:59 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-21 18:59 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-21 18:58 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-21 18:58 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-21 18:58 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-21 18:58 <DIR> --d----- c:\docume~1\robert\applic~1\PC Tools
2009-05-21 18:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-19 13:15 23,975,176 a------- c:\program files\sdsetup.exe
2009-05-17 23:01 <DIR> --dsh--- c:\documents and settings\robert\PrivacIE
2009-05-17 22:17 <DIR> --dsh--- c:\documents and settings\robert\IETldCache
2009-05-17 10:56 <DIR> --d----- c:\windows\ie8updates
2009-05-17 10:55 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-05-17 10:52 <DIR> -cd-h--- c:\windows\ie8

==================== Find3M ====================

2009-05-30 15:46 5,058 a------- c:\windows\help\hhcolreg.dat
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-11 21:09 1,878,888 a------- c:\program files\install_flash_player.exe
2009-03-29 22:25 19,558 a------- c:\windows\hpoins01.dat
2009-03-21 10:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-02-01 17:36 359,656 a------- c:\program files\msicuu2.exe
2008-12-10 17:14 2,538,872 a------- c:\program files\mbam-setup.exe
2008-12-09 09:11 23,804,784 -------- c:\program files\aaw2008.exe
2008-11-29 21:02 68,756,776 -------- c:\program files\iTunesSetup8.0.exe
2008-07-20 18:33 6,104,632 -------- c:\program files\picasaweb-current-setup.exe
2007-12-06 08:41 122,224 -------- c:\docume~1\robert\applic~1\JuniperSetup.exe
2007-06-24 15:28 732,795 -------- c:\program files\uploadr_2.5.0.15_en.exe
2007-03-17 22:24 37,860,928 -------- c:\program files\iTunesSetup.exe
2007-02-06 22:09 14,705,768 -------- c:\program files\DivXInstaller.exe
2007-01-26 12:30 760,708 -------- c:\program files\ac3filter_1_11.exe
2007-01-26 11:19 643,144 -------- c:\program files\XviD-1.1.2-01112006.exe
2007-01-08 19:09 9,826,960 -------- c:\program files\bitpim-0.9.10-setup.exe
2006-12-11 21:49 12,844,360 -------- c:\program files\SkypeSetup.exe
2006-12-03 14:28 9,798,617 -------- c:\program files\bitpim-0.9.08-setup.exe
2006-11-28 21:44 5,900,416 -------- c:\program files\Firefox Setup 2.0.exe
2006-11-25 22:58 14,879,120 -------- c:\program files\GoogleEarthWin.exe
2006-10-15 21:14 2,587,728 -------- c:\program files\ica32t.exe
2006-10-15 20:50 6,767,945 -------- c:\program files\cisco_files.exe
2006-07-08 13:56 59,310,760 -------- c:\program files\ipodsetup.exe
2006-07-04 13:56 3,080,915 -------- c:\program files\unh-pub-nec-previous.exe
2006-07-04 11:10 4,262,376 -------- c:\program files\rminstall.exe
2006-07-04 11:07 212,849 -------- c:\program files\hijackthis.zip
2006-07-04 00:58 3,080,915 -------- c:\program files\unh-sn-nec.exe
2006-06-30 17:38 54 -------- c:\program files\HydroCAD.txt
2006-04-24 18:08 17,823,932 -------- c:\program files\wintr20_inst.exe
2006-04-24 17:59 260,408 -------- c:\program files\tr20_ver204.zip
2006-03-01 19:52 1,337,895 -------- c:\program files\system47.zip
2005-12-28 17:40 9,495,816 -------- c:\program files\bitpim-0.8.04-setup.exe
2005-11-28 08:53 10,537,576 -------- c:\program files\zlsSetup_61_737_000_en.exe
2005-10-20 21:44 56,298,664 -------- c:\program files\iPodSetup_old.exe
2005-10-09 15:43 320,699 -------- c:\program files\tr55v21.exe
2005-10-05 21:33 9,346,664 -------- c:\program files\zlsSetup_60_667_000.exe
2005-09-26 17:53 9,237,789 -------- c:\program files\bitpim-0.7.36-setup.exe
2005-07-13 23:03 4,214 -------- c:\program files\readme.txt
2005-07-13 21:12 1,409,409 -------- c:\program files\system47 v2.2_setup.exe
2005-06-07 22:38 1,013,914 -------- c:\program files\album_themes.zip
2005-06-07 22:36 118,221 -------- c:\program files\album.zip
2005-03-16 19:50 6,670,952 -------- c:\program files\zlsSetup_55_062_011.exe
2004-10-03 20:52 19,625,449 -------- c:\program files\ysitebuilder.exe
2004-08-16 20:54 10,135,688 -------- c:\program files\MPSetupXP.exe
2004-03-03 21:49 3,785,884 -------- c:\program files\ephpod275.exe
2004-02-06 20:19 946 -------- c:\program files\SuperDAT.log
2004-02-06 20:18 5,764,138 -------- c:\program files\sdat4322.exe
2004-02-06 19:31 12,511,744 -------- c:\program files\VScan700.exe
2004-01-05 02:02 164 a---h--- c:\documents and settings\all users\hpothb07.dat
2003-12-31 18:41 1,125,803 -------- c:\program files\dvd2mpg116.zip
1992-04-14 00:00 60,815 -------- c:\documents and settings\robert\CONFIG.EXE
1991-12-16 00:00 44,515 -------- c:\documents and settings\robert\README.EXE
1986-04-15 00:00 7,040 -------- c:\documents and settings\robert\COVER.DAT
2003-12-09 01:35 4,343 ---sh--- c:\windows\rreg32.dll
2003-12-09 01:35 5,266 ---sh--- c:\windows\utapi32.dll

============= FINISH: 13:44:23.79 ===============

I've attached the "Attach.txt" file as a zip - I apologize in advance if I'm supposed to wait to do this - the posting directions say one thing and the DDS.SCR directions seem to say another.

Thanks for the help!

Attached Files
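The scanner entries quoted in this post follow a fixed five-line format, and the three paths under System Volume Information are the usual reason such detections keep reappearing: those are System Restore snapshot copies, which scanners flag but which are not files the running system loads, unlike the `.dll.tmp` files sitting in system32. The Python below is an added example, not code from the original post or from any of the tools named in it; it parses the entries above and groups them by threat name and by location so a helper can see how many hits are restore-point copies versus live files. The three-way location classification (`restore_point`, `system32_tmp`, `other`) is an assumption derived from the paths in this post.

```python
import re
from collections import Counter

# Entries copied verbatim from the Spyware Doctor output in the first post.
SAMPLE_LOG = r"""
5/30/2009 1:31:56 PM:148 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1619\A0243087.dll

5/30/2009 1:31:56 PM:242 Infection was detected on this computer
Threat Name - Trojan-PWS.Bancos.PWN
Type - File
Risk Level - Medium
Infection - C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1619\A0243089.sys

5/30/2009 1:32:22 PM:585 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1626\A0246162.dll

5/30/2009 2:00:31 PM:200 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\doguzeri.dll.tmp

5/30/2009 2:03:13 PM:745 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\vebimayo.dll.tmp

5/30/2009 2:03:14 PM:824 Infection was detected on this computer
Threat Name - Trojan.Virtumonde
Type - File
Risk Level - Elevated
Infection - C:\WINDOWS\SYSTEM32\votojoye.dll.tmp
"""

# Each block starts with "<date> <time> AM/PM:<millis> Infection was detected ..."
HEADER_RE = re.compile(
    r"^(?P<when>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M):(?P<ms>\d+) Infection was detected")


def parse_detections(text):
    """Split scanner output into one dict per detection block.

    Keys are the lower-cased field names: threat_name, type, risk_level, infection.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"when": m.group("when")}
            entries.append(current)
            continue
        if current is None or " - " not in line:
            continue  # stray line outside any block
        key, value = line.split(" - ", 1)  # paths may contain '-', so split once
        current[key.strip().lower().replace(" ", "_")] = value.strip()
    return entries


def classify_path(path):
    """Location heuristic (assumed, based on the paths in this thread)."""
    p = path.lower()
    if p.startswith(r"c:\system volume information\_restore"):
        return "restore_point"      # System Restore snapshot copy, not a live file
    if "\\windows\\system32\\" in p and p.endswith(".dll.tmp"):
        return "system32_tmp"       # live temp DLL dropped into system32
    return "other"


def summarize(entries):
    """Count detections by threat name and by location class."""
    return {
        "threats": dict(Counter(e["threat_name"] for e in entries)),
        "locations": dict(Counter(classify_path(e["infection"]) for e in entries)),
    }


if __name__ == "__main__":
    found = parse_detections(SAMPLE_LOG)
    for e in found:
        print(f'{e["when"]:22} {e["risk_level"]:9} {classify_path(e["infection"]):14} {e["threat_name"]}')
    print(summarize(found))
```

Running it on the post's entries shows five Virtumonde hits and one Bancos hit, split evenly between restore-point copies and `.dll.tmp` files in system32; the helper then knows which half represents the still-active infection.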




#2 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Location:Around the world
  • Local time:12:57 AM

Posted 15 June 2009 - 10:32 AM

Hi robert wildey,

I will be handling your log to help you get cleaned up. Please give me some time to look it over and I will get back to you as soon as possible.

#3 robert wildey

robert wildey
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 15 June 2009 - 07:20 PM

Thanks, Judicandus. Let me know what you'd like me to try.

Cheers,
Robert

#4 Judicandus

Judicandus

    Bleepin' Pasta


  • Malware Response Team
  • 730 posts
  • OFFLINE
  • Gender:Male
  • Location:Around the world
  • Local time:12:57 AM

Posted 16 June 2009 - 01:21 AM

Hi robert wildey,

First of all you need to install an antivirus program as soon as you can and run a complete scan of the computer.

I recommend you download the free

Avast or
AntiVir or
AVG antivirus

Products from all three vendors received the Virus Bulletin's VB100% award and certification for virus detection from ICSA Labs.

Never install more than one antivirus scanner or firewall on your system! Several together can give you problems and decrease the reliability of it seriously!

AVAST Home Edition User Guide
http://www.avast.com/eng/download-avast-home.html

Avira AntiVir User Manual
http://www.free-av.com/en/documentation/index.html

AVG antivirus User Manual
http://free.avg.com/ww.download?prd=afe#tba3

*******************************************

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
  • Click the "Download" button to the right.
  • At the "Select Platform and Language for your download" drop-down box, select Windows and Multi-Language.
  • Check the box that says "Accept License Agreement", then press Continue. (Selecting Windows will give you the 32-bit version.)
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 2 Runtime Environment, SE v1.4.2
    J2SE Runtime Environment 5.0
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
*******************************************

Please post a fresh DDS log.
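Why the helper flagged Java: the first DDS log reports `BrowserJavaVersion: 1.6.0_11`, and its DPF lines still reference installer CABs for 6u02, 6u03 and 6u11, so several older runtimes remain registered alongside the current one, which is exactly what the "remove all older versions" step addresses. The Python below is an added example, not code from the thread or from DDS; it pulls every JRE version a DDS log mentions and lists those older than the JRE 6 Update 14 recommended above. The sample lines are copied from the two DDS logs in this thread; `RECOMMENDED` is an assumption matching the helper's advice, not something DDS reports.

```python
import re

# Lines copied from the first DDS log in this thread (before the Java update).
BEFORE_LOG = """\
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
"""

# Header line from the second DDS log (after the update).
AFTER_LOG = "Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14\n"

# JRE 6 Update 14, the version the helper asked for (assumed minimum).
RECOMMENDED = (1, 6, 0, 14)

# DDS prints the browser's JRE as "1.6.0_11"; DPF entries carry the installer
# name "jinstall-1_6_0_11-windows-...".  Both become a (1, 6, 0, 11) tuple.
BROWSER_RE = re.compile(r"BrowserJavaVersion:\s*(\d+)\.(\d+)\.(\d+)_(\d+)")
JINSTALL_RE = re.compile(r"jinstall-(\d+)_(\d+)_(\d+)_(\d+)-windows", re.IGNORECASE)


def java_versions_in_dds(text):
    """Return {version_tuple: where_first_seen} for every JRE version in the log."""
    found = {}
    for m in BROWSER_RE.finditer(text):
        found.setdefault(tuple(int(x) for x in m.groups()), "BrowserJavaVersion")
    for m in JINSTALL_RE.finditer(text):
        found.setdefault(tuple(int(x) for x in m.groups()), "DPF jinstall entry")
    return found


def outdated_java(text, minimum=RECOMMENDED):
    """Versions mentioned in the log that are older than `minimum`, oldest first."""
    return [v for v in sorted(java_versions_in_dds(text)) if v < minimum]


def fmt(version):
    """Render (1, 6, 0, 11) the way DDS prints it: 1.6.0_11."""
    return "{}.{}.{}_{}".format(*version)


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        old = outdated_java(log)
        print(f"{label}: outdated = {[fmt(v) for v in old] or 'none'}")
```

On the first log this reports 1.6.0_2, 1.6.0_3 and 1.6.0_11 as outdated; on the header from the second log it reports none, which is the check a helper performs when the fresh DDS log comes back.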

#5 robert wildey

robert wildey
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:57 PM

Posted 16 June 2009 - 09:57 PM

DDS (Ver_09-05-14.01) - NTFSx86
Run by Robert at 22:55:07.39 on Tue 06/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.450 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://www.dell.com
uWindow Title = Microsoft Internet Explorer provided by Verizon Online
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\UpdaterUI.exe" /StartedFromRunKey
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoffi~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpomau08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: YExplorer1_8US.CAB - hxxp://photos.groups.yahoo.com/ocx/us/yexplorer1_8us.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} - hxxp://portal.partners.org/vpn/PHSVPNPortal.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {AF93103D-2999-4C07-B190-F18D516E05DE} - hxxp://www2.vhb.com/timetrak/TimeTrak2.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://extranet.vhb.com/dana-cached/setup/JuniperSetupSP1.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\robert\applic~1\mozilla\firefox\profiles\4p9k8y7a.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\documents and settings\robert\application data\mozilla\firefox\profiles\4p9k8y7a.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-5-21 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-5-25 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-5-25 39200]
R1 NEOFLTR_600_13073;Juniper Networks TDI Filter Driver (NEOFLTR_600_13073);c:\windows\system32\drivers\NEOFLTR_600_13073.sys [2008-4-30 64160]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-5-21 159600]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-14 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-14 72944]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-6-16 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-6-16 185089]
R2 ArcGIS License Manager;ArcGIS License Manager;c:\progra~1\esri\license\arcgis9x\lmgrd.exe [2005-4-3 467968]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-16 55640]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2004-2-6 102463]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-6-16 11608]
S3 lgatbus;LG USB Composite Device driver (WDM);c:\windows\system32\drivers\lgatbus.sys [2005-1-26 43024]
S3 lgatmdm;LG CDMA USB Modem Drivers;c:\windows\system32\drivers\lgatmdm.sys [2005-1-26 77104]
S3 lgatserd;LG CDMA USB Modem Diagnostic Serial Port Drivers (WDM);c:\windows\system32\drivers\lgatserd.sys [2005-1-26 60816]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-5-21 64392]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-14 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-5-21 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-5-21 1095560]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-5-25 33056]
S3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]

=============== Created Last 30 ================

2009-06-16 22:06 73,728 a------- c:\windows\system32\javacpl.cpl
2009-06-16 22:05 16,254,360 a------- c:\program files\jre-6u14-windows-i586.exe
2009-06-16 19:33 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-06-16 19:33 <DIR> --d----- c:\program files\Avira
2009-06-16 19:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-06-16 19:28 30,075,904 a------- c:\program files\avira_antivir_personal_en.exe
2009-06-13 12:32 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-13 11:53 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-06-13 11:53 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-06-13 11:53 1,985,024 -------- c:\windows\system32\dllcache\iertutil.dll
2009-06-13 11:53 11,064,832 -------- c:\windows\system32\dllcache\ieframe.dll
2009-06-09 23:45 <DIR> --d----- c:\program files\Trend Micro
2009-06-09 22:40 812,344 a------- c:\program files\HJTInstall.exe
2009-05-30 11:11 <DIR> --d----- c:\documents and settings\robert\.housecall6.6
2009-05-30 10:53 116,224 a------- c:\windows\system32\dllcache\xrxwiadr.dll
2009-05-30 10:53 23,040 a------- c:\windows\system32\dllcache\xrxwbtmp.dll
2009-05-30 10:53 27,648 a------- c:\windows\system32\dllcache\xrxftplt.exe
2009-05-30 10:53 18,944 a------- c:\windows\system32\dllcache\xrxscnui.dll
2009-05-30 10:53 4,608 a------- c:\windows\system32\dllcache\xrxflnch.exe
2009-05-30 10:53 99,865 a------- c:\windows\system32\dllcache\xlog.exe
2009-05-30 10:53 28,288 a------- c:\windows\system32\dllcache\xjis.nls
2009-05-30 10:53 16,970 a------- c:\windows\system32\dllcache\xem336n5.sys
2009-05-30 10:53 8,192 a------- c:\windows\system32\dllcache\wshirda.dll
2009-05-30 10:51 32,384 a------- c:\windows\system32\dllcache\usb101et.sys
2009-05-30 10:50 106,584 a------- c:\windows\system32\dllcache\spdports.dll
2009-05-30 10:49 182,272 a------- c:\windows\system32\dllcache\s3mt3d.dll
2009-05-30 10:48 169,984 a------- c:\windows\system32\dllcache\pcx500.sys
2009-05-30 10:47 49,024 a------- c:\windows\system32\dllcache\mstape.sys
2009-05-30 10:46 7,424 a------- c:\windows\system32\dllcache\mammoth.sys
2009-05-30 10:45 88,192 a------- c:\windows\system32\dllcache\irda.sys
2009-05-30 10:44 8,576 a------- c:\windows\system32\dllcache\hidgame.sys
2009-05-30 10:43 55,999 a------- c:\windows\system32\dllcache\el556nd5.sys
2009-05-30 10:42 24,649 a------- c:\windows\system32\dllcache\dfe650d.sys
2009-05-30 10:41 74,240 a------- c:\windows\system32\dllcache\camexo20.dll
2009-05-30 10:40 46,464 a------- c:\windows\system32\dllcache\atibt829.sys
2009-05-30 10:39 66,048 a------- c:\windows\system32\dllcache\s3legacy.dll
2009-05-30 10:34 <DIR> --dsh--- c:\documents and settings\robert\IECompatCache
2009-05-25 18:26 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-05-25 18:26 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-05-25 18:26 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-05-25 18:26 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-05-22 22:40 50,688 a------- c:\program files\ATF-Cleaner.exe
2009-05-21 19:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-05-21 19:42 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-05-21 19:42 <DIR> --d----- c:\docume~1\robert\applic~1\SUPERAntiSpyware.com
2009-05-21 19:41 6,367,264 a------- c:\program files\SUPERAntiSpyware.exe
2009-05-21 18:59 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-21 18:59 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-21 18:59 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-21 18:58 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-21 18:58 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-21 18:58 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-21 18:58 <DIR> --d----- c:\docume~1\robert\applic~1\PC Tools
2009-05-21 18:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-19 13:15 23,975,176 a------- c:\program files\sdsetup.exe
2009-05-17 23:01 <DIR> --dsh--- c:\documents and settings\robert\PrivacIE

==================== Find3M ====================

2009-06-16 22:06 410,984 a------- c:\windows\system32\deploytk.dll
2009-05-30 15:46 5,058 a------- c:\windows\help\hhcolreg.dat
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-13 01:15 5,936,128 a------- c:\windows\system32\dllcache\mshtml.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-13 01:15 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-05-07 11:32 345,600 a------- c:\windows\system32\dllcache\localspl.dll
2009-05-07 11:32 345,600 -------- c:\windows\system32\localspl.dll
2009-04-30 17:22 1,207,808 a------- c:\windows\system32\dllcache\urlmon.dll
2009-04-30 17:22 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-04-30 17:22 385,536 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-04-30 07:21 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-04-25 01:30 102,400 -------- c:\windows\system32\dllcache\iecompat.dll
2009-04-17 08:26 1,847,168 a------- c:\windows\system32\dllcache\win32k.sys
2009-04-17 08:26 1,847,168 -------- c:\windows\system32\win32k.sys
2009-04-15 10:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-04-15 10:51 585,216 a------- c:\windows\system32\dllcache\rpcrt4.dll
2009-04-11 21:09 1,878,888 a------- c:\program files\install_flash_player.exe
2009-03-29 22:25 19,558 a------- c:\windows\hpoins01.dat
2009-03-21 10:06 989,696 a------- c:\windows\system32\dllcache\kernel32.dll
2009-02-01 17:36 359,656 a------- c:\program files\msicuu2.exe
2008-12-10 17:14 2,538,872 a------- c:\program files\mbam-setup.exe
2008-12-09 09:11 23,804,784 -------- c:\program files\aaw2008.exe
2008-11-29 21:02 68,756,776 -------- c:\program files\iTunesSetup8.0.exe
2008-07-20 18:33 6,104,632 -------- c:\program files\picasaweb-current-setup.exe
2007-12-06 08:41 122,224 -------- c:\docume~1\robert\applic~1\JuniperSetup.exe
2007-06-24 15:28 732,795 -------- c:\program files\uploadr_2.5.0.15_en.exe
2007-03-17 22:24 37,860,928 -------- c:\program files\iTunesSetup.exe
2007-02-06 22:09 14,705,768 -------- c:\program files\DivXInstaller.exe
2007-01-26 12:30 760,708 -------- c:\program files\ac3filter_1_11.exe
2007-01-26 11:19 643,144 -------- c:\program files\XviD-1.1.2-01112006.exe
2007-01-08 19:09 9,826,960 -------- c:\program files\bitpim-0.9.10-setup.exe
2006-12-11 21:49 12,844,360 -------- c:\program files\SkypeSetup.exe
2006-12-03 14:28 9,798,617 -------- c:\program files\bitpim-0.9.08-setup.exe
2006-11-28 21:44 5,900,416 -------- c:\program files\Firefox Setup 2.0.exe
2006-11-25 22:58 14,879,120 -------- c:\program files\GoogleEarthWin.exe
2006-10-15 21:14 2,587,728 -------- c:\program files\ica32t.exe
2006-10-15 20:50 6,767,945 -------- c:\program files\cisco_files.exe
2006-07-08 13:56 59,310,760 -------- c:\program files\ipodsetup.exe
2006-07-04 13:56 3,080,915 -------- c:\program files\unh-pub-nec-previous.exe
2006-07-04 11:10 4,262,376 -------- c:\program files\rminstall.exe
2006-07-04 11:07 212,849 -------- c:\program files\hijackthis.zip
2006-07-04 00:58 3,080,915 -------- c:\program files\unh-sn-nec.exe
2006-06-30 17:38 54 -------- c:\program files\HydroCAD.txt
2006-04-24 18:08 17,823,932 -------- c:\program files\wintr20_inst.exe
2006-04-24 17:59 260,408 -------- c:\program files\tr20_ver204.zip
2006-03-01 19:52 1,337,895 -------- c:\program files\system47.zip
2005-12-28 17:40 9,495,816 -------- c:\program files\bitpim-0.8.04-setup.exe
2005-11-28 08:53 10,537,576 -------- c:\program files\zlsSetup_61_737_000_en.exe
2005-10-20 21:44 56,298,664 -------- c:\program files\iPodSetup_old.exe
2005-10-09 15:43 320,699 -------- c:\program files\tr55v21.exe
2005-10-05 21:33 9,346,664 -------- c:\program files\zlsSetup_60_667_000.exe
2005-09-26 17:53 9,237,789 -------- c:\program files\bitpim-0.7.36-setup.exe
2005-07-13 23:03 4,214 -------- c:\program files\readme.txt
2005-07-13 21:12 1,409,409 -------- c:\program files\system47 v2.2_setup.exe
2005-06-07 22:38 1,013,914 -------- c:\program files\album_themes.zip
2005-06-07 22:36 118,221 -------- c:\program files\album.zip
2005-03-16 19:50 6,670,952 -------- c:\program files\zlsSetup_55_062_011.exe
2004-10-03 20:52 19,625,449 -------- c:\program files\ysitebuilder.exe
2004-08-16 20:54 10,135,688 -------- c:\program files\MPSetupXP.exe
2004-03-03 21:49 3,785,884 -------- c:\program files\ephpod275.exe
2004-02-06 20:19 946 -------- c:\program files\SuperDAT.log
2004-02-06 20:18 5,764,138 -------- c:\program files\sdat4322.exe
2004-02-06 19:31 12,511,744 -------- c:\program files\VScan700.exe
2004-01-05 02:02 164 a---h--- c:\documents and settings\all users\hpothb07.dat
2003-12-31 18:41 1,125,803 -------- c:\program files\dvd2mpg116.zip
1992-04-14 00:00 60,815 -------- c:\documents and settings\robert\CONFIG.EXE
1991-12-16 00:00 44,515 -------- c:\documents and settings\robert\README.EXE
1986-04-15 00:00 7,040 -------- c:\documents and settings\robert\COVER.DAT
2003-12-09 01:35 4,343 ---sh--- c:\windows\rreg32.dll
2003-12-09 01:35 5,266 ---sh--- c:\windows\utapi32.dll

============= FINISH: 22:56:06.34 ===============

#6 Judicandus
    Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:12:57 AM

Posted 17 June 2009 - 08:10 AM

Hi robert wildey,

Did anything show up in the antivirus scan?

#7 robert wildey
  • Topic Starter
  • Members
  • 6 posts
  • Local time:11:57 PM

Posted 17 June 2009 - 06:57 PM

Here's what it found the first time out:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Adobe\Illustrator CS\Templates\Marketing\Newsletter 3.ait
[DETECTION] Contains HEUR/HTML.Malware suspicious code

Beginning disinfection:
C:\Program Files\Adobe\Illustrator CS\Templates\Marketing\Newsletter 3.ait
[DETECTION] Contains HEUR/HTML.Malware suspicious code
[NOTE] The detection was classified as suspicious.
[NOTE] The file was moved to '4aaf3d59.qua'!


End of the scan: Tuesday, June 16, 2009 20:46
Used time: 1:04:05 Hour(s)

After deleting the quarantine file, it just finds the two Windows files that it can't open. Is this normal?

Thanks,
Robert

#8 Judicandus
    Bleepin' Pasta
  • Malware Response Team
  • 730 posts
  • Gender:Male
  • Location:Around the world
  • Local time:12:57 AM

Posted 18 June 2009 - 09:32 AM

Hi robert wildey,

Those two files are ok. They're in constant use by Windows; therefore they're locked.

Your log looks clean!

Please read and follow Groovicus' Guide to Simple PC Security to help keep yourself from becoming infected again, as well as How did I get infected?, with steps so it does not happen again!


If you want to improve speed/system performance after malware removal, take a look here.

#9 robert wildey
  • Topic Starter
  • Members
  • 6 posts
  • Local time:11:57 PM

Posted 29 June 2009 - 11:13 PM

Sounds good. I've been offline for a bit (switching ISPs) but things seem to be on track now that I'm back online. Thanks again for the help, and I'll read the articles you suggest.

Cheers,
Robert

#10 robert wildey
  • Topic Starter
  • Members
  • 6 posts
  • Local time:11:57 PM

Posted 06 July 2009 - 10:12 PM

Arggh. Back again - the log looks clean, and Avira is still running - but IE has returned to linking to random (pay) sites whenever you try to click on a link (such as from Google results). Is there another virus scan that I should try? Should I post a new log file? Thanks.

#11 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:57 PM

Posted 13 August 2009 - 07:05 AM

Sorry for the delay. Are you still in need of assistance?
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#12 kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:11:57 PM

Posted 04 September 2009 - 06:02 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
