Virus... please help

Here I am once again! :slight_smile: My brother came to me and said “I think I downloaded a virus or something”. GRRR >:( So I get on and sure enough it seems to be the same kind of problems I was having before (popups, running slow, & Avast warnings). I tried fixing it myself off of the post before, but I don’t think it’s working :stuck_out_tongue:
NOTE I am keeping Java up to date so that’s not the problem! :wink:

Logfile of HijackThis v1.99.1
Scan saved at 3:30:16 PM, on 10/16/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\HijackThis\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Hi

Last time you were asked to change the name of hijackthis.exe to hijacktryan.exe; I believe they suspected vundo. Could you do this again, as vundo is capable of hiding from hijackthis.exe?

Here I am once again!
You’ve been missing us! :)

Can you post a sample of the warnings from the avast! log? What sort of popups are you getting - what do they look like or what are they advertising? Do they occur at all times or only when you’re online?

This line is a little “iffy”:

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab

I decided to leave it alone last time, and if you’ve been trouble free until recently we can still leave it. But if you’ve had popups for a while now, it’s time to get rid of it.


I’m getting multiple Avast! warnings saying a Trojan was found. It all started when my brother was downloading something. He got the Avast! warning saying to abort the connection because a virus was detected, or something of the sort. He didn’t, because he thought it wasn’t really a virus… not really sure why he thought that. Then I get online and I’m getting WinAntiVirus ads and then some dating and porn type pop-ups. I saw an unfamiliar program called WinAble, so I tried to get rid of it. I got rid of it, but the pop-ups and strange activity were still there.

Below is the renamed hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:49:58 PM, on 10/16/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HijackThis\hijacktryan.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM..\Run: [EPSON Stylus CX5800F Series] C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.EXE /P27 “EPSON Stylus CX5800F Series” /O6 “USB001” /M “Stylus CX5800F”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKCU..\Run: [P2kAutostart] C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] “C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe”
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://mirs.peoplepc.com/?offername=PeoplePC Security Plus&userName=wettgremlin_91&firstName=Paul&qs=FHJBFDPGOIDNEHCKGLPAMFEOHAHECKGJLJLGBLNIBMDACKJIIDMFELKDOIDHHMMFCIBGIPPPFFKGBGKMOHJIIFIGHFPJEGAGPNMHLFBKINPKMLBBAEEEJJKDJALCPBCP|MMCNNMBFDGNMCNOPADEEAAGOBAFDF
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186780356336
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1187926666522
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab?
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Mauserme is looking for detailed examples (at least that is what I think), e.g. (malware name, C:\windows\system32\infected-file-name.xxx). Check the avast! Log Viewer (right-click the avast ‘a’ icon), Warning section; this contains information on all avast detections.

Then I get online and I'm getting WinAntiVirus ads and then some dating and porn type pop-ups.

The winantivirus is scum/scam/rogue-ware.
Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php.

Your HJT is an old version; 2.0.0.2 is the latest: FileHippo Download - HiJackThis.

You still don’t appear to have an active firewall; you really are fighting an uphill battle trying to keep your system clean if you have no outbound protection. Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

Two unknowns; do you recognise them, e.g. did you install them?
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab
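The reviewers' triage of the O16 entries above comes down to two questions: where did each ActiveX control come from, and does the reviewer recognise that source? The following Python script is an added example, not a tool from the thread or from HijackThis itself. It parses O16 (Downloaded Program Files) lines, extracts the CLSID, friendly name and source, and sorts each entry into "known vendor", "local file" or "review" against an allow-list of hosts. The `KNOWN_HOSTS` set is a constructed assumption built from the vendors visible in this log; a real list is whatever the reviewer has actually verified.

```python
import re
from urllib.parse import urlsplit

# One HijackThis O16 line has the shape:
#   O16 - DPF: {CLSID} (friendly name) - source URL or local path
O16_RE = re.compile(
    r'^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\} \((?P<name>.*?)\) - (?P<source>.+?)\s*$'
)

# Hosts this reviewer already recognises. Constructed for the example from the
# vendors that appear in the log above; extend or replace it for your own review.
KNOWN_HOSTS = {
    "go.microsoft.com", "update.microsoft.com", "www.update.microsoft.com",
    "security.symantec.com", "download.bitdefender.com", "downloads.ewido.net",
    "photos.walmart.com",
}


def parse_o16(line):
    """Return the fields of one O16 line, or None if the line is not an O16 entry."""
    m = O16_RE.match(line.strip())
    if m is None:
        return None
    source = m.group("source")
    # A control installed from disk has a local path rather than a URL.
    host = urlsplit(source).hostname if "://" in source else None
    return {
        "clsid": m.group("clsid"),
        "name": m.group("name"),
        "source": source,
        "host": host,
    }


def triage_o16(lines, known_hosts=KNOWN_HOSTS):
    """Pair every O16 entry with a verdict: 'known vendor', 'local file' or 'review'.

    'review' means only that the reviewer has not recognised the host yet,
    which is exactly the question asked in the thread ("did you install them?").
    """
    results = []
    for line in lines:
        entry = parse_o16(line)
        if entry is None:
            continue
        if entry["host"] is None:
            verdict = "local file"
        elif entry["host"].lower() in known_hosts:
            verdict = "known vendor"
        else:
            verdict = "review"
        results.append((entry, verdict))
    return results


# Sample input: five O16 lines taken from the HijackThis log posted above.
SAMPLE_HJT = [
    r'O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204',
    r'O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab',
    r'O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll',
    r'O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab',
    r'O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab',
]

if __name__ == "__main__":
    for entry, verdict in triage_o16(SAMPLE_HJT):
        print(f"{verdict:13} {entry['name']:45} {entry['host'] or entry['source']}")
```

Run it against a full HijackThis log (one line per list element) and only the "review" rows need a human answer; the "local file" rows are worth a second look too, since a control loaded from disk tells you nothing about where it was downloaded from.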

I have Windows firewall, is that not good enough? I had a third party firewall, but it wouldn’t let me do anything without popping up warnings and I didn’t have the slightest clue as to what was ok and what wasn’t.

Two unknowns, do you recognise them, e.g. did you install them ?
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab

The second one (http://cvs.pnimedia.com/upload/activex/v2_0_0_10/PCAXSetupv2.0.0.10.cab) I installed, but I don’t know about the first one, it’s not familiar to me.

HERE IS EVERYTHING THAT WAS UNDER THE WARNING SECTION:

10/8/2007 10:33:03 AM Tara & Paul 1488 AAVM - scanning warning: x_AavmCheckFileDirectEx [UNI]: F:\DCIM\100SSCAM\S2010001.JPG (F:\DCIM\100SSCAM\S2010001.JPG) returning error, 0000001E.
10/12/2007 5:26:02 PM SYSTEM 1508 Function setifaceUpdatePackages() has failed. Return code is 0xC0000142, dwRes is C0000142.
10/12/2007 5:26:04 PM SYSTEM 1508 An error has occured while attempting to update. Please check the logs.
10/13/2007 8:57:27 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.exe” file.
10/13/2007 8:57:55 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\WebfettiInitialSetup1.0.0.15-3[1].exe” file.
10/13/2007 8:58:22 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\WebfettiInitialSetup1.0.0.15-3[1].exe” file.
10/13/2007 8:59:34 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15-3.exe” file.
10/13/2007 8:59:37 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\CursorManiaFWBInitialSetup1.0.0.15-3[1].exe” file.
10/13/2007 8:59:45 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\BERLDXVF\CursorManiaFWBInitialSetup1.0.0.15-3[1].exe” file.
10/13/2007 9:01:59 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.exe” file.
10/13/2007 9:02:07 PM SYSTEM 1384 Sign of “Win32:Dialer-gen. [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\HBZ53D30\WebfettiInitialSetup1.0.0.15-3[1].exe” file.
10/13/2007 9:04:00 PM SYSTEM 1384 Sign of “Win32:Spyware-gen. [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE” file.
10/13/2007 9:04:23 PM SYSTEM 1384 Sign of “Win32:Spyware-gen. [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE” file.
10/13/2007 9:04:50 PM SYSTEM 1384 Sign of “Win32:Spyware-gen. [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE” file.
10/13/2007 9:06:01 PM SYSTEM 1384 Sign of “Win32:Spyware-gen. [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\MWSSRCSP.EXE” file.
10/13/2007 9:20:21 PM SYSTEM 1384 Sign of “Win32:Trojano-2873 [trj]” has been found in “C:\WINDOWS\system32\comms2\dnwldr132.exe” file.
10/13/2007 9:20:51 PM SYSTEM 1384 Sign of “Win32:Adloader-KH [trj]” has been found in “C:\Program Files\TTC.dll” file.
10/13/2007 9:22:56 PM SYSTEM 1384 Sign of “Win32:Winfixer-F [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\EJWRNK9W\wintavsnet[1].exe” file.
10/13/2007 9:23:02 PM SYSTEM 1384 Sign of “Win32:Winfixer-F [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\wintavsnet.exe” file.
10/14/2007 9:31:30 AM Tara & Paul 1576 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\0PGLYZQ7\lkjh[1]” file.
10/14/2007 6:49:40 PM SYSTEM 1532 Sign of “Win32:Downloader-KK [trj]” has been found in “http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab\UWA7P_0001_N99M2908NetInstaller.exe” file.
10/14/2007 6:51:11 PM SYSTEM 1532 Sign of “Win32:Downloader-KK [trj]” has been found in “http://download.cdn.winsoftware.com/files/installers/WinAntiVirusPro2007FreeInstall.exe” file.
10/14/2007 6:51:25 PM SYSTEM 1532 Sign of “Win32:Spyware-gen. [trj]” has been found in “http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab\USDR6_0001_D19M2108NetInstaller.exe” file.
10/15/2007 9:34:45 AM Tara & Paul 1092 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0E05C9DA.” file.
10/15/2007 9:40:13 AM Tara & Paul 1092 Sign of “Win32:Tiny-JC [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0FC1586B.” file.
10/15/2007 9:40:20 AM Tara & Paul 1092 Sign of “Win32:Vundo-gen47 [Adw]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP4DED9C87.dll” file.
10/15/2007 9:40:22 AM Tara & Paul 1092 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP596FE1DD.” file.
10/15/2007 9:40:26 AM Tara & Paul 1092 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APF074E6F8.” file.
10/15/2007 10:02:55 AM Tara & Paul 1588 Sign of “Win32:Agent-LAP [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\0PGLYZQ7\valera[1]” file.
10/15/2007 10:04:30 AM Tara & Paul 1588 Sign of “Win32:Agent-LAP [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\txnkxnfj.exe” file.
10/15/2007 10:04:40 AM Tara & Paul 1588 Sign of “Win32:Agent-LAP [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\txnkxnfj.exe” file.
10/15/2007 10:35:57 AM Tara & Paul 1524 Sign of “Win32:Agent-LAP [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\skfblqlk.exe” file.
10/15/2007 10:38:39 AM Tara & Paul 1524 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\T5QO8S0R\lkjh[1]” file.
10/15/2007 11:10:13 AM Tara & Paul 1532 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\FYZ9STLM\lkjh[1]” file.
10/15/2007 6:33:07 PM SYSTEM 1592 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\SM5K8W5J\lkjh[1]” file.
10/15/2007 7:52:04 PM SYSTEM 1592 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\ynchftjq.exe” file.
10/15/2007 9:20:52 PM SYSTEM 1592 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\ynchftjq.exe” file.
10/15/2007 9:20:54 PM SYSTEM 1592 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\WINDOWS\system32\ynchftjq.exe” file.
10/15/2007 9:28:13 PM SYSTEM 1592 Sign of “Win32:Agent-LAP [trj]” has been found in “C:\Documents and Settings\Tara & Paul\Local Settings\Temporary Internet Files\Content.IE5\FYZ9STLM\valera[1]” file.
10/15/2007 9:29:56 PM SYSTEM 1592 Sign of “Win32:Agent-LAP [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\lxilikat.exe” file.
10/16/2007 3:38:50 PM Tara & Paul 320 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0E05C9DA.” file.
10/16/2007 3:39:04 PM Tara & Paul 320 Sign of “Win32:Tiny-JC [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP0FC1586B.” file.
10/16/2007 3:39:24 PM Tara & Paul 320 Sign of “Win32:Vundo-gen47 [Adw]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP4DED9C87.dll” file.
10/16/2007 3:39:24 PM Tara & Paul 320 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP596FE1DD.” file.
10/16/2007 3:39:24 PM Tara & Paul 320 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\APF074E6F8.” file.
10/16/2007 4:39:16 PM Tara & Paul 320 Sign of “Win32:Vundo-gen47 [Adw]” has been found in “C:\System Volume Information_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025826.dll” file.
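The Warning section above is what the helpers asked for, but read raw it mixes four different situations: downloads avast! blocked in transit, files Symantec had already quarantined, copies in the IE cache or a restore point, and files actually resident in `system32` or the user's Temp folder. The Python script below is an added example, not a tool from the thread or from avast!, that parses avast! 4 Log Viewer warning lines, buckets each detection by where the file sat, and lists the (signature, path) pairs that are still resident on disk. The sample lines are taken from the log posted above; the location categories are this example's own naming.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of an avast! 4 Log Viewer "Warning" line as pasted in the thread.
# The forum rendered the quotes as curly characters, so both kinds are accepted.
WARNING_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>.+?) (?P<pid>\d+) '
    r'Sign of [“"](?P<sig>.+?)[”"] has been found in [“"](?P<path>.+?)[”"] file\.$'
)


def classify_location(path):
    """Bucket a detection path so a blocked download or an already-quarantined
    file is not confused with something resident on the disk."""
    p = path.lower()
    if p.startswith(("http://", "https://")):
        return "download (blocked in transit)"
    if "\\quarantine\\" in p:
        return "quarantine (already isolated)"
    if "system volume information" in p:
        return "restore point"
    if "content.ie5" in p:
        return "IE cache"
    if "\\temp\\" in p:
        return "user temp"
    if "\\windows\\" in p:
        return "Windows directory (live)"
    return "other (live)"


def parse_warning(line):
    """Fields of one detection line, or None for non-detection entries
    (update failures, scanner errors) that also appear in the Warning section."""
    m = WARNING_RE.match(line.strip())
    if m is None:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
        "user": m.group("user"),
        "pid": int(m.group("pid")),
        "sig": m.group("sig"),
        "path": m.group("path"),
        "location": classify_location(m.group("path")),
    }


def summarize(lines):
    """Per signature: how often it fired, in which location buckets, on which files."""
    by_sig = defaultdict(lambda: {"count": 0, "locations": set(), "paths": set()})
    for line in lines:
        w = parse_warning(line)
        if w is None:
            continue
        entry = by_sig[w["sig"]]
        entry["count"] += 1
        entry["locations"].add(w["location"])
        entry["paths"].add(w["path"])
    return dict(by_sig)


def needs_attention(lines):
    """(signature, path) pairs resident on disk: not blocked at download, not already
    quarantined, and not just a copy in the browser cache or a restore point."""
    live = {"Windows directory (live)", "user temp", "other (live)"}
    hits = {(w["sig"], w["path"])
            for w in map(parse_warning, lines)
            if w is not None and w["location"] in live}
    return sorted(hits)


# Sample input: lines taken from the Warning section posted above, including one
# non-detection line to show what the parser skips.
SAMPLE_LINES = [
    r'10/12/2007 5:26:04 PM SYSTEM 1508 An error has occured while attempting to update. Please check the logs.',
    r'10/13/2007 9:20:21 PM SYSTEM 1384 Sign of “Win32:Trojano-2873 [trj]” has been found in “C:\WINDOWS\system32\comms2\dnwldr132.exe” file.',
    r'10/14/2007 6:49:40 PM SYSTEM 1532 Sign of “Win32:Downloader-KK [trj]” has been found in “http://download.cdn.winsoftware.com/files/installers/cab/WinAntiVirusPro2007FreeInstall.cab\UWA7P_0001_N99M2908NetInstaller.exe” file.',
    r'10/15/2007 9:40:20 AM Tara & Paul 1092 Sign of “Win32:Vundo-gen47 [Adw]” has been found in “C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\AP4DED9C87.dll” file.',
    r'10/15/2007 7:52:04 PM SYSTEM 1592 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\ynchftjq.exe” file.',
    r'10/15/2007 9:20:54 PM SYSTEM 1592 Sign of “Win32:Tiny-IF [trj]” has been found in “C:\WINDOWS\system32\ynchftjq.exe” file.',
]

if __name__ == "__main__":
    for sig, info in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{sig}: {info['count']} hit(s) in {', '.join(sorted(info['locations']))}")
    print("Resident files still to deal with:")
    for sig, path in needs_attention(SAMPLE_LINES):
        print(f"  {sig}  {path}")
```

Fed the whole Warning section, `needs_attention` collapses the dozens of repeated lines into the short list a helper actually needs (the same `ynchftjq.exe` appearing first in Temp and then in `system32` is the kind of pattern that is easy to miss in the raw log), while `summarize` shows which signatures only ever fired on blocked downloads or quarantined copies.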

Download Smitfraudfix from Here or Here. Double-click smitfraudfix.exe, Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually).

Double-click smitfraudfix.exe, select 2 and hit Enter to delete infected files.
You will be prompted: Do you want to clean the registry? Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file? Answer Y (yes) and hit Enter to restore a clean file. A reboot may be needed to finish the cleaning process.

To restore the Trusted and Restricted site zones, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone? Answer Y (yes) and hit Enter to delete the trusted zone.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a “RiskTool”. It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between “good” and “malicious” use of such programs, therefore they may alert the user.

Next download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and the SmitFraudFix log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

Well, it’s better than nothing. The only problem with the Windows firewall is no outbound protection. Anything on your computer can gain internet access unchallenged. Downloaders can open backdoors and bring their buddies on in for a visit. :o

@ tryan21
Windows XP’s firewall is better than no firewall, but it lulls you into a false sense of protection; it doesn’t provide outbound protection.

Whilst the Windows XP firewall is usually good at keeping your ports stealthed (hidden), it provides no outbound protection, and you should consider a third-party firewall.

Re the O16 DPF entries: as mauserme gives the good technical advice that the first one is a bit iffy ;D and you didn’t install it, I would also say to fix it. The second, if you know its purpose and installed it, is no problem.

Mauserme I’m not sure if you wanted the smitfraudfix report, but here it is:

SmitFraudFix v2.240

Scan done at 9:48:37.28, Wed 10/17/2007
Run from
C:\Documents and Settings\Tara & Paul\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atievxx.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\TARA

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
“Source”=“About:Home”
“SubscribedURL”=“About:Home”
“FriendlyName”=“My Current Home Page”

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler’s .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
“AppInit_DLLs”=“”

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
“System”=“”

»»»»»»»»»»»»»»»»»»»»»»»» Rustock

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Motorola SURFboard SB5100 USB Cable Modem #2 - Packet Scheduler Miniport
DNS Server Search Order: 68.105.28.12
DNS Server Search Order: 68.105.29.12
DNS Server Search Order: 68.105.28.11

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2AD54E64-CF6F-4D17-876E-5B9A5215E2BD}: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=68.105.28.12 68.105.29.12 68.105.28.11

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks - I did want to see the log.

There’s no need to continue with steps 2 and 3 with SmitFraudFix but do run ComboFix.

Although the popups haven't happened lately, when I did an Avast! and BitDefender scan it said I was still infected. So, I'm not sure what's really going on… maybe BitDefender removed all infections?

Below is the ComboFix log:

ComboFix 07-10-17.8 - Tara & Paul 2007-10-17 10:10:25.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.48 [GMT -7:00]
Script execution time was exceeded on script “C:\ComboFix\osid.vbs”.
Script execution was terminated.
Running from: C:\Documents and Settings\Tara & Paul\Desktop\ComboFix.exe

  • Created a new restore point
    .

((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.

2007-10-17 09:48 2,244 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-17 09:38 d-------- C:\Program Files\Trend Micro
2007-10-16 14:32 d-------- C:\VundoFix Backups
2007-10-16 09:51 C:\Documents and Settings\Tara & Paul\Application Data\Help
2007-10-16 09:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 09:23 d-------- C:\WINDOWS\pss
2007-10-13 21:20 d-------- C:\WINDOWS\system32\que1
2007-10-13 21:20 d-------- C:\WINDOWS\system32\comms2
2007-10-07 09:31 C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-07 09:31 4,229,496 --a------ C:\WINDOWS\system32\SpoonUninstall.exe
2007-10-07 09:30 d-------- C:\Program Files\Illustrate
2007-10-04 15:00 d-------- C:\Program Files\Java
2007-10-04 14:57 d-------- C:\Program Files\Common Files\Java
2007-10-03 10:56 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-09-27 08:00 d-------- C:\Program Files\Common Files\Authentium Shared
2007-09-24 13:18 C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-24 13:10 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-09-24 13:03 d-------- C:\Program Files\Yahoo!
2007-09-23 11:15 d-------- C:\Documents and Settings\All Users\Application Data\Eset
2007-09-23 11:06 d-------- C:\Program Files\SpywareBlaster
2007-09-21 09:17 28,680 --a------ C:\WINDOWS\system32\drivers\epfwtdir.sys
2007-09-21 09:15 33,288 --a------ C:\WINDOWS\system32\drivers\eamon.sys
2007-09-21 09:15 25,096 --a------ C:\WINDOWS\system32\drivers\easdrv.sys
2007-09-20 14:33 d-------- C:\Program Files\Common Files\Download Manager
2007-09-20 10:50 d-------- C:\WINDOWS\SxsCaPendDel
2007-09-19 19:15 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-09-19 19:14 d-------- C:\Program Files\SUPERAntiSpyware
2007-09-19 19:14 C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-19 19:12 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 10:15 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-09-19 09:52 d-------- C:\Program Files\RogueRemover FREE

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-13 13:35 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-12 22:00 --------- d-----w C:\Program Files\Norton Security Scan
2007-10-08 18:54 --------- d-----w C:\Program Files\mobile PhoneTools
2007-10-08 18:54 --------- d-----w C:\Program Files\LiveUpdate
2007-10-07 16:31 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\AccurateRip
2007-10-03 17:56 --------- d-----w C:\Program Files\Coupons
2007-09-25 23:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-25 17:16 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Yahoo!
2007-09-23 19:16 --------- d-----w C:\Program Files\Google
2007-09-20 02:14 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\SUPERAntiSpyware.com
2007-09-09 07:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-06 10:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 10:05 94,416 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-09-06 10:05 92,848 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-09-06 10:03 23,152 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-09-06 10:02 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-09-06 10:00 95,608 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-09-06 10:00 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-08-31 04:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-31 04:05 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\CyberLink
2007-08-26 23:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-19 03:11 --------- d-----w C:\Documents and Settings\Tara & Paul\Application Data\Ahead
2007-08-19 03:09 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-18 17:58 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-18 17:34 --------- d-----w C:\Program Files\Nero
2007-08-18 17:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-08-18 17:10 --------- d-----w C:\Program Files\CyberLink
2007-07-31 02:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-16_ 9.36.09.50 )))))))))))))))))))))))))))))))))))))))))
.

  • 2007-08-15 17:13:10 181,248 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-16 17:14:41 181,760 ----a-w C:\WINDOWS\BDOSCAN8\bdcore.dll
  • 2007-10-16 16:18:25 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-17 17:10:18 274,432 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
  • 2007-10-17 17:03:07 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_5cc.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“WatchDog”=“C:\Program Files\mobile PhoneTools\WatchDog.exe” [2007-09-07 18:42]
“EPSON Stylus CX5800F Series”=“C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\E_FATIALA.exe” [2005-05-09 22:00]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-09-06 03:06]
“NeroFilterCheck”=“C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe” [2007-09-07 18:42]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“P2kAutostart”=“C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe”
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-19 16:29]
“BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}”=“C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe” [2006-12-23 18:05]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06]
“Aim6”=“”

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
“MySpaceIM”=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys
R3 cwrwdm;SoundFusion™ WDM Driver;C:\WINDOWS\system32\DRIVERS\cwrwdm.sys
S3 AWINDIS5;AWINDIS5 Protocol Driver;\??\C:\WINDOWS\system32\AWINDIS5.SYS
S3 PRISM_ICB;NETGEAR WG511 Wireless LAN Driver;C:\WINDOWS\system32\DRIVERS\WG511ICB.sys

.
Contents of the ‘Scheduled Tasks’ folder
“2007-10-12 23:44:20 C:\WINDOWS\Tasks\Norton Security Scan.job”
.


catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-17 10:13:32
Windows 5.1.2600 Service Pack 2, v.2096 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe?0???

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2007-10-17 10:14:57
C:\ComboFix2.txt … 2007-10-16 09:37
.
— E O F —

What were the files and what were they detected as?

Here is a warning I just got from Avast!

10/17/2007 2:19:43 PM Tara & Paul 1484 Sign of “Win32:Vibpack [Wrm]” has been found in “C:\DOCUME~1\TARA&P~1\LOCALS~1\Temp\tmp00001662\tmp00005d0d” file.

Here is the bitdefender report…
BitDefender Online Scanner

Scan report generated at: Wed, Oct 17, 2007 - 15:11:41

Scan path: A:;C:;D:;G:;

Statistics

Time
00:55:08

Files
96001

Folders
2972

Boot Sectors
2

Archives
1591

Packed Files
5330

Results

Identified Viruses
1

Infected Files
1

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
1

Engines Info

Virus Definitions
827053

Engine build
AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)

Scan plugins
14

Archive plugins
38

Unpack plugins
7

E-mail plugins
6

System plugins
1

Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
*;

Exclude Extensions

Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes

Scanned File
Status

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)=>zlib_nsis0003
Detected with: Adware.TTC.B

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)=>zlib_nsis0003
Disinfection failed

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)=>zlib_nsis0003
Deleted

C:\System Volume Information\_restore{079945FA-0F86-4538-9B5B-94B9C89AC71A}\RP141\A0025818.exe=>(NSIS o)
Update failed

I suggest:

Disable System Restore on Windows ME or Windows XP. System Restore cannot be disabled on Windows 9x and it’s not available in Windows 2k. After boot you can enable System Restore again.

Clean your temporary files. You can use CleanUp or the Windows Advanced Care features for that.

Run avast and other antispyware scans.

I think you’ve handled the initial problem(s) pretty well on your own Tara. You have a clean HJT log except for the “iffy” line I mentioned earlier. Since you don’t know it we’ll take care of it.

SmitFraudFix found nothing so possibly you ran Rogue Remover, SuperAntiSpyware or something else that got rid of it (I see recently installed ESET drivers in your ComboFix log).

And there are just a couple files in the ComboFix log I’ll ask you to check at Virus Total and post the results (I think you’ve done this before)

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\SpoonUninstall.exe

In regard to the worm, it seems like it might be related to P2P but I don’t see any P2P applications in your log. Does your brother download?
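The reply above does its triage by eye: an "iffy" Run entry, two files to hash-check at VirusTotal, and a look at where each autorun target lives. As an added example (not part of this thread, nor code from ComboFix, HijackThis or any other tool named here), the following Python script applies the same checks to the "Reg Loading Points" lines ComboFix printed. The sample input is a subset of those lines copied from the log above; the heuristics (user-writable target path, empty value, entry under HKEY_USERS\.default) are the editor's own, and reading a missing bracketed timestamp as "ComboFix did not resolve the file" is an assumption, not documented ComboFix behaviour. The hash helper gives the MD5/SHA-1 values to compare with what VirusTotal reports, so a known file can be looked up without uploading it.

```python
"""Triage of autorun entries from a ComboFix 'Reg Loading Points' section.

Added example for this thread; not code from ComboFix, HijackThis or any
other tool named in it. Heuristics are the editor's own, and the sample
lines below are copied from the log posted above (constructed input).
"""
import hashlib
import re

# Constructed sample: a subset of the Run keys from the ComboFix log above.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WatchDog"="C:\Program Files\mobile PhoneTools\WatchDog.exe" [2007-09-07 18:42]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 03:06]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"P2kAutostart"="C:\Documents and Settings\Tara & Paul\My Documents\P2kCommanderV330\P2kAutostart.exe"
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
"Aim6"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
STAMP_RE = re.compile(r'\s+\[(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$')

# Locations an ordinary user (and so any malware running as that user) can
# write to; legitimate autoruns normally point at Program Files or Windows.
USER_WRITABLE = ('documents and settings', '\\temp\\', 'application data',
                 'my documents', 'local settings')


def parse_loading_points(text):
    """Return one dict per value line: key, name, path, file timestamp (or None)."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group('key')
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        data, stamp = m.group('data'), None
        s = STAMP_RE.search(data)
        if s:  # ComboFix appends "[YYYY-MM-DD HH:MM]" when it located the file
            stamp, data = s.group('stamp'), data[:s.start()]
        entries.append({'key': key, 'name': m.group('name'),
                        'path': data.strip().strip('"'), 'stamp': stamp})
    return entries


def triage(entries):
    """Map entry name -> reasons it deserves a second look (empty map = nothing flagged)."""
    findings = {}
    for e in entries:
        reasons, low = [], e['path'].lower()
        if not e['path']:
            reasons.append('empty value: an autorun that points at nothing (orphaned entry)')
        else:
            if any(tok in low for tok in USER_WRITABLE):
                reasons.append('target lives in a user-writable profile path')
            if e['stamp'] is None:
                # Assumption: no stamp means ComboFix could not stat the target file.
                reasons.append('no file timestamp printed: check that the target exists')
        if '\\.default\\' in e['key'].lower():
            reasons.append('loads from HKEY_USERS\\.default (LocalSystem / pre-logon profile), unusual for a user app')
        if reasons:
            findings[e['name']] = reasons
    return findings


def file_hashes(data):
    """MD5, SHA-1 and size of a file's bytes, to compare with a VirusTotal report
    before uploading anything (a hash lookup discloses less than an upload)."""
    return {'md5': hashlib.md5(data).hexdigest(),
            'sha1': hashlib.sha1(data).hexdigest(),
            'size': len(data)}


if __name__ == '__main__':
    for name, reasons in triage(parse_loading_points(SAMPLE_LOG)).items():
        print(name)
        for reason in reasons:
            print('   -', reason)
```

Run against the sample, it flags P2kAutostart (profile path, no timestamp), the empty Aim6 value, and MySpaceIM (no timestamp, .default hive) and leaves the Program Files entries alone; to hash a real file, pass `open(path, 'rb').read()` to `file_hashes` and compare with the MD5/SHA1 lines VirusTotal prints.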

File tmp.reg received on 10.18.2007 21:57:36 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 -
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.17 -
AVG 7.5.0.488 2007.10.18 -
BitDefender 7.2 2007.10.18 -
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.18 -
Fortinet 3.11.0.0 2007.10.18 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.18 -
Ikarus T3.1.1.12 2007.10.18 -
Kaspersky 7.0.0.125 2007.10.18 -
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.18 -
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 -
Prevx1 V2 2007.10.18 -
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.18 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.18 -
Additional information
File size: 2244 bytes
MD5: 64c818e4fa8a71677d3fea717ae51cbf
SHA1: 8a8008a1d2a138eb5897cfaa4b507bc9a34bf686
packers: Unicode

I disabled System Restore like Tech suggested, but the pop ups just started again.

File SpoonUninstall.exe received on 10.18.2007 22:58:52 (CET)

Result: 1/32 (3.13%)

Antivirus Version Last Update Result
AhnLab-V3 2007.10.19.0 2007.10.18 -
AntiVir 7.6.0.27 2007.10.18 -
Authentium 4.93.8 2007.10.18 -
Avast 4.7.1051.0 2007.10.18 -
AVG 7.5.0.488 2007.10.18 -
BitDefender 7.2 2007.10.18 -
CAT-QuickHeal 9.00 2007.10.18 -
ClamAV 0.91.2 2007.10.17 -
DrWeb 4.44.0.09170 2007.10.18 -
eSafe 7.0.15.0 2007.10.15 -
eTrust-Vet 31.2.5220 2007.10.18 -
Ewido 4.0 2007.10.18 -
FileAdvisor 1 2007.10.18 -
Fortinet 3.11.0.0 2007.10.18 -
F-Prot 4.3.2.48 2007.10.18 -
F-Secure 6.70.13030.0 2007.10.18 -
Ikarus T3.1.1.12 2007.10.18 -
Kaspersky 7.0.0.125 2007.10.18 -
McAfee 5144 2007.10.18 -
Microsoft 1.2908 2007.10.18 -
NOD32v2 2601 2007.10.18 -
Norman 5.80.02 2007.10.18 -
Panda 9.0.0.4 2007.10.18 -
Prevx1 V2 2007.10.18 Heuristic: Suspicious Hijacker
Rising 19.45.32.00 2007.10.18 -
Sophos 4.22.0 2007.10.18 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.18 -
TheHacker 6.2.9.097 2007.10.18 -
VBA32 3.12.2.4 2007.10.17 -
VirusBuster 4.3.26:9 2007.10.18 -
Webwasher-Gateway 6.6.1 2007.10.18 -
Additional information
File size: 4229496 bytes
MD5: 229968985617a21fdf492ad31f9013b8
SHA1: 57e6abbc0784af4d4f147a721af8e40572552702
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=BB2191B578ADB5DD8920401F9B924F0070EB4A30

Quote from tryan21: ... the pop ups just started again
Is it still WinAntiVirus, dating and such or something new now? If you go to sites you don't normally visit do the ads seem to go along with the subject of the new sites? Try some gardening or vehicle repair sites (or anything) to see if the ads change topic.

If you don't mind I would like to try a new program (new for me; it's been in use in France for almost a year) that targets a rootkit adware with symptoms similar to yours.

Please download Navilog1 by IL-MAFIOSO:

http://perso.orange.fr/il.mafioso/Navifix/Navilog1.zip

Extract its contents to the desktop.
Double click on navilog1.exe to install it on your computer.
When the installation is complete, the tool will start automatically.
If it doesn’t start automatically, please double click on Navilog1 shortcut on your desktop to run it.
Press E for English from the language Menu.
Type 1 in the next Menu to select Search and press Enter.
Wait for the Scan to finish (It may take a reasonable amount of time)
Press any key as requested.
A new document will be produced: fixnavi.txt.
Please copy/paste the contents of this report in your next reply.
The report is also saved in the root of the system drive, "%SystemDrive%\fixnavi.txt" (usually C:\fixnavi.txt).

Please don’t use any options other than #1 or Q(uit) for now.

Follow this with a WinPFind3U log:

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

- Close ALL OTHER PROGRAMS.
- Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
- Under Additional Scans click the checkboxes in front of the following items to select them:

- Now click the Run Scan button on the toolbar.
- Let it run unhindered until it finishes.
- When the scan is complete Notepad will open with the report file loaded in it.
- Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the log back here, all the way to the < End of Report > marker (it will take several posts).