Malware-gen, Trojan-gen and Advare-gen... plase, help!

Viruses and worms
21

First your HJT is out of date get version 2.02

“C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsv3.tmp\euladlg.dll” file. is a temp file
I’ll check it out but not to worry

what’s
ttD4.tmp.exe

nothing in the hjt jumps out at me

can you run MBAM rember to check all baddies then click REMOVE CHECKED
an antivirus scan
did we run an avast boot scan
if yes then run one of the on line scans like kaspersky
and run the later HJT? get it at major geeks

22

To open the avast Chest, right click the avast ‘a’ icon, select Start avast! Antivirus, Menu, Virus Chest. Click the Infected Files section, right click on the file you want to Export (copy) and select, you guessed it export. Now from the pop-up explorer style window navigate to the c:\suspect folder and select it, click OK that should send (export) a copy to that folder.

23

Thanks DavidR
That gets them to C:\suspicious- any way to batch upload to Virus total- I do not know of one
Jotti?

When those flashes hit it means something has gotten into your memory
you are not likely to find it easily
lots of routes these infections use flash-myspace-facebook- scripts etc

yesterday was MS Patch day
Today is a good day to run secunia software inspector and get everything up to date
I think you java was up to date but do not have time to check

anyway you are going to run update and run MBAM again and FIX CHECKED no more of this “no action taken” stuff

New Spybot update today- many of which target your problem
also
big new SAS update today - at last 25 target your area

post back with the latest HJT done after the above

Incidentally we RAN SDFIX on a system that I thought we had pretty much cleaned up and if found something so well do that too maybe tomorrow after I see the logs

24

No you can only upload one file at a time.

I guess it would be possible to send an email with a zip of multiple samples, but I don’t know how they would process this if they would be able to deal with the samples individually or if you would just get a report on the one file, the zip.

25

OK, here we go!
I ran the Avast boot time scan yesterday, before the other 2 scans.
Anyway, today when I switched on the computer, the fake “Antivirus XP 2000 licence agreement” popped up again (but no strange desktop at least). I didn’t touch it.

Then I scanned with MBAM (meanwhile Avast alerted me about detecting “C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsv3.tmp\euladlg.dll” - moved it to chest) and I removed the “baddies”. Here’s the log:

Malwarebytes’ Anti-Malware 1.28
Database version: 1136
Windows 5.1.2600 Service Pack 2

10/09/2008 15:58:43
mbam-log-2008-09-10 (15-58-43).txt

Scan type: Full Scan (C:|)
Objects scanned: 113836
Time elapsed: 1 hour(s), 34 minute(s), 4 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 26

Memory Processes Infected:
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp.exe (Rogue.Installer) → Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) → Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) → Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\inrhc7v1j0el5v (Trojan.FakeAlert) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\scrnsave.exe (Hijack.Wallpaper) → Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp.exe (Rogue.Installer) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp (Rogue.Installer) → Quarantined and deleted successfully.
C:\WINDOWS\system32\casino1.ico (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\casino2.ico (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\casino3.ico (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsspopup.dll (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsspopup1.url (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsspopup2.url (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdsspopup3.url (Malware.Trace) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) → Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Desktop\Jowita Kaminska - Peruzzi.doc (Trojan.Extension.Exploit) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt15.tmp (Trojan.Agent) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt4.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt5.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt6.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt7.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt8.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.tt9.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttA.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttB.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttC.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttD.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttE.tmp (Trojan.Downloader) → Quarantined and deleted successfully.
C:\Documents and Settings\Jowita\Local Settings\Temp.ttF.tmp (Trojan.Downloader) → Quarantined and deleted successfully.

It took off the “Antivirus XP…” window too.

26

Then the online scan with Kaspersky (it prompted me to turn off Avast for the time of the scan) - it found only 1 infected object:

KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, September 10, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, September 10, 2008 13:23:35
Records in database: 1207106

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 79923
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:25:15

File name / Threat name / Threats count
C:\WINDOWS\Temp\TDSS57e0.tmp Infected: Trojan-Downloader.Win32.Small.aczp 1

The selected area was scanned.

So… I guess no “bulk uploading” is necessary now anymore. Looks like the evil files were taken care of except for one.

27

And Hijackthis log (in 4 parts, it was too long again):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:42:03, on 10/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\WinShrink\AutoJob.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcrobatInfo.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

28

Hijackthis log continued:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f324.mail.yahoo.com/ym/ShowFolder?rb=Inbox&reset=1&YY=75361&y5beta=yes&y5beta=yes&inc=25&order=down&sort=date&pos=-1&view=a&head=b&box=%40B%40Bulk&YN=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM..\Run: [OpwareSE2] “C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe”
O4 - HKLM..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM..\Run: [ATIPTA] “C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Acrobat Assistant 7.0] “C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe”
O4 - HKLM..\Run: [WinShrink] C:\Program Files\WinShrink\AutoJob.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Avvio veloce di Adobe Acrobat.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: SATARaid.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: bw+0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

29

Hijackthis log part 3:

O18 - Protocol: bw10 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

30

Hijackthis log part 4:

O18 - Protocol: bwk0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {1550CCBB-AF29-4F39-8B6F-557FDB86A01C} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe


End of file - 21608 bytes

31

What should I do next?

Still necessary to create a “Suspect” folder and send to it the file that Kaspersky detected to upload it to Virus Total? That is: C:\WINDOWS\Temp\TDSS57e0.tmp

And I noticed that Hijackthis has an option “Analyze This” - upload to TrendSecure…

Is there anything I need to remove (fix?) from Hijackthis log?

From what I see from the Avast Warning log, this Win32:Adware-gen [Adw] keeps coming back with a little bit changed .tmp name every time:
C:\DOCUME~1\Jowita\LOCALS~1\Temp\nsd3.tmp\euladlg.dll

And what kind of harm could all this stuff have done to my system, files and security in general? Is it maybe necessary to change some passwords?

32

Darn
I typed up a reply and did not click send

HJT is out of date should be ver 2.02
however I did not see anything major in it

SAS seems to have done it’s job however many new definitions today which target your problem
ditto with Spybot Search and Destroy

this infection runs out of temp in memory unless you click on it and as you said clicking the x could be bad
reboot removes from memory - but eventually we want to prevent it

yesterday was ms patch day so today is a good day to run secunia software inspector and get up to date
updated flash and java are a must

Run the MAlware Bytes Anti Malware free update and run the quick scan
check any baddies
then click REMOVE CHECKED
post log

more detailed instructions from DavidR
MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later. Also Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

when you get time update SAS and run it again
also a tip from DavidR – unhide files and folders
The file should still be there in safe mode it it if present in normal mode, but may be hidden.

  • Ensure that you have SHOW hidden files and folders enabled
    and
    disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders
    post log

If you have time download install SPybot SEarch and destroy- get the real one from safernetworking
update, immunize and run a scan send any hits to quarantine

post up any logs you get by later today with a fresh HJT and I’ll take a deeper look at it
there was one item tt4 something if you can scan down and find it -do you know what it is?

This threat is fast evolving as are the fixes
another poster just found something with the latest SAS that MBAM had missed *or it could have been new) and another one found something with HDFIX that all of the above had missed

After we have the current infection under control here is the long range plan
run any of the scans currently planned but not yet done SBS&D, SAS, MBAM
run an on line AV scan if we are still finding things if not then Kaspersky again to see if whatever it found is gone
RUN SDFIX _which also checks for rootkits another way
then get the prevention in order

Install spywareblaster if you do not have it
Hosts file
clean up
defrag
new restore points

I’ll look at the kaspersky when I get back but going to virus total and uploading the file could not hurt

DO NOT FIX ANYTHING YET
you could click the ANalyze this button but do not DO ANYTHING- just ask questions
YOu can NUKE your whole system easily with HJT

THis this thing is polymorphic so the id’s change
if you update avast and run an AVast scan right before or after the next HJT -well let’s see if everythings gone
ps that’s why we are going to run SDFIX once we id any other problems lurking - gotta get the fire knocked down first

Changing passwords is always a good idea but your files in general should be fine

33

The last log IS from Hijackthis ver 2.02 (it’s also written before the log). I had uninstalled the previous version and downloaded the newest from download.com before running it the last time.

34

Yep I just saw that big HJT and did not realize my post was ABOVE it
Nice work

need to do that Secunia software inspector thing
A newer version of service pack is available. Service packs increase the safety of your system.
Visit Microsoft’s windowsupdate site to download the newest version of the service pack.

what’s this ??? google it if unsure
O4 - HKLM..\Run: [WinShrink] C:\Program Files\WinShrink\AutoJob.exe

This - from your first HJT- appears to be gone LOOKS AS IF MBAM GOT IT YEAH
O4 - HKLM..\Run: [inrhc7v1j0el5v] C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp.exe /CR=E378D6B80573F693830D714814CC3DF879014EACA4D2E8B35AF5A165F918A5C046925CE4A0B1C6C440E04BEAE8

In general your HJT looks good- perhaps Polonus will look at it

I’d run CCLeaner and get rid of the temp files which should get that file in temp

no reason to run MBAM again today but SAS would be nice if you have the time with the updated definitions
Spybot also
we might try
still lots to do
I have to run out
HJT is NOT a magic bullit find everything tool

on the Kaspersky hit Downloader.Win32.Small.aczp
Avast detects as Win32:Trojan-gen. {Other} which is not specific enough to tell if we really got it
that’s also for Trojan-Downloader.Win32.Small.ACP without the z

so do upload it to virus total – the z may be uniuque so we gota watch this one

lets see if it is gone after today’s go around but I think you are correct in your assessment

here is the link for SDFIX instructions
run it after youve done a couple of other scans
http://www.bleepingcomputer.com/forums/topic131299.html
follow the instructions exactly

35

It is also worth running another avast scan after the removal of other malware, which might have been hiding other files.

36

Hi about your HJT logfile,

What is this?
O4 - HKLM..\Run: [inrhc7v1j0el5v] C:\Documents and Settings\Jowita\Local Settings\Temp.ttD4.tmp.exe /CR=E378D6B80573F693830D714814CC3DF879014EACA4D2E8B35AF5A165F918A5C046925CE4A0B1 C6C440E04BEAE850806298C869E27952D0D2485F83E16760C56FAF5EF1FF71258C82CEECBF506939 1FCA20

I would like a SDFix being run, and look whether any of these system32 files are there:

C:\WINDOWS\system32\cmds.txt -
C:\WINDOWS\system32\dpl.txt -
C:\WINDOWS\system32\drivers\tdssserv.sys -
C:\WINDOWS\system32\tdssadw.dll -
C:\WINDOWS\system32\tdssinit.dll -
C:\WINDOWS\system32\tdssl.dll -
C:\WINDOWS\system32\tdsslog.dll -
C:\WINDOWS\system32\tdssmain.dll -
C:\WINDOWS\system32\tdssservers.dat -
C:\WINDOWS\system32\drivers\bd6b6435.sys -

polonus

37

SAS seems to have done it’s job however many new definitions today which target your problem
ditto with Spybot Search and Destroy

— So do I have to download/install yet another anti-spyware software? Won’t it collide with the 2 that I already have? I guess later I should leave only 1… Which one is supposed to be the best?

yesterday was ms patch day so today is a good day to run secunia software inspector and get up to date

— What is this secunia software inspector? How do I get/run it?

updated flash and java are a must

— I guess Java and Flash are up to date, because if they aren’t, they usually nag for an update.
And so does Firefox - wants to update to version 3, but I don’t want it. I even tried some time ago, but it failed for some reason.
And my husband (who works on Mac) had updated Mozilla to the version 3, but it kept crashing, would not even open (so he had to return to the previous version), so I don’t need that.

Also the MS Windows updates failed 2 weeks ago or so, so now I ignore the suggestions to install them.

38

*** Here’s the new MALWAREBYTES quick scan log:

Malwarebytes’ Anti-Malware 1.28
Database version: 1137
Windows 5.1.2600 Service Pack 2

10/09/2008 20:06:14
mbam-log-2008-09-10 (20-06-14).txt

Scan type: Quick Scan
Objects scanned: 41410
Time elapsed: 3 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Jowita\Desktop\Jowita Kaminska - Peruzzi.doc (Trojan.Extension.Exploit) → Quarantined and deleted successfully.

Actually that was a file I didn’t need anymore - it was sent to me as an attachment (I use Yahoo, strange that it didn’t detect anything). I could have simply deleted it and emptied the trash.
BUT it’s not the same file in which Kaspersky detected a trojan (that was a temp).

39

*** The last SAS quick scan log (from a fast scan… and later I checked: hidden files and folders had already been set to “show”, but “Hide protected operating system files (Recommended)” was on):

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/10/2008 at 09:02 PM

Application Version : 4.21.1004

Core Rules Database Version : 3562
Trace Rules Database Version: 1550

Scan type : Quick Scan
Total Scan Time : 00:08:57

Memory items scanned : 455
Memory threats detected : 0
Registry items scanned : 359
Registry threats detected : 0
File items scanned : 5949
File threats detected : 5

Adware.Tracking Cookie
C:\Documents and Settings\Jowita\Cookies\jowita@ads.pointroll[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@insightexpressai[1].txt
C:\Documents and Settings\Jowita\Cookies\jowita@ad.yieldmanager[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@bluestreak[2].txt
C:\Documents and Settings\Jowita\Cookies\jowita@atdmt[2].txt

Quarantined or removed successfully, at least it read so.

*** ROUGE REMOVER did not detect any items.

*** I see that AVAST online scan is only for single files, not for scanning the system.

*** I downloaded and installed SDFix, (edit: sorry, I haven’t noticed your other post with the link to the instruction - I’ll run it now.)

40

*** HIJACKTHIS log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37:59, on 10/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\sstray.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\WinShrink\AutoJob.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f324.mail.yahoo.com/ym/ShowFolder?rb=Inbox&reset=1&YY=75361&y5beta=yes&y5beta=yes&inc=25&order=down&sort=date&pos=-1&view=a&head=b&box=%40B%40Bulk&YN=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157