[Closed] Am I Infected Again?

Welcome! Register for a free account (or login) > How does it work?

Quickly register. It will only take 60 seconds.
Start a new topic. Ask your question. Wait for an email reply.
Is your system infected? Begin reading the malware removal guide.

What the Tech > Spyware / Malware / Virus Removal > Infections Removal

[Closed] Am I Infected Again?, Infected Restore Point Warning and slow down

Options

Christopher_35 View Member Profile	Dec 14 2007, 07:59 PM Post #1
Authentic Member Group: Authentic Member Posts: 27 Joined: 16-February 05 Member No.: 25,618	I think I have it all covered then Wham! the blue wall of death appears (several times) and the system seems to be on a real go slow at times.+ warnings from AVG about Trojan Downloader in System Volume Information Restore Point. Here is my HJ/TH log if you could please help. Also AVG Event Log Thank you Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 02:15, on 2007-12-15 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16574) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\HP\HP Software Update\HPWuSchd.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\System32\HPZipm12.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe C:\PROGRA~1\INCRED~1\bin\IMApp.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Documents and Settings\Owner\Desktop\Utilities\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ntlworld.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe" O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (file missing) O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll (file missing) O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (file missing) O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll (file missing) O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll O9 - Extra button: Casino-on-Net - {3015DB92-158E-4b77-9020-85C8E311FBB5} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe O9 - Extra button: Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU) O9 - Extra 'Tools' menuitem: Show Trashcan - {072F3B8A-2DA2-40e2-B841-88899F240200} - C:\WINDOWS\System32\shdocvw.dll (HKCU) O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\WINDOWS\System32\shdocvw.dll (HKCU) O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - C:\WINDOWS\System32\shdocvw.dll (HKCU) O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/common/Member/ClientIn...6/OCI/setup.exe O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1151858104609 O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...398/mcfscan.cab O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe -- End of file - 10367 bytes Have also sent you an event Log from AVG Free Addition as I keep getting pop ups warning me about an INFECTION in one of my restore points - <history> - <!-- 01c841a2775314a0 --> - <rec time="2007/12/18 18:19:02" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/18 18:26:27" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/18 19:26:44" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/18 19:29:56" user="SYSTEM" source="Update"> <value>@HL_UpdateOK</value> <attr name="version">iavi:1198-1197;</attr> </rec> - <rec time="2007/12/18 19:32:53" user="Owner" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_13</attr> </rec> - <rec time="2007/12/18 19:32:58" user="Owner" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_13</attr> <attr name="infectedfiles">0</attr> </rec> - <rec time="2007/12/18 19:33:09" user="Owner" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_13</attr> </rec> - <rec time="2007/12/18 19:33:10" user="Owner" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_13</attr> <attr name="infectedfiles">0</attr> </rec> - <rec time="2007/12/18 19:33:25" user="Owner" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_13</attr> </rec> - <rec time="2007/12/18 19:33:25" user="Owner" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_13</attr> <attr name="infectedfiles">0</attr> </rec> - <rec time="2007/12/18 20:05:20" user="Owner" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\ComboFix.txt.bat</attr> <attr name="finding">@Maskovaci_jmeno</attr> <attr name="virusname">.bat</attr> </rec> - <rec time="2007/12/18 21:29:49" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/18 22:41:07" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/18 22:53:40" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/18 23:20:59" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> - <rec time="2007/12/19 01:10:55" user="Owner" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_12</attr> </rec> - <rec time="2007/12/19 01:10:55" user="Owner" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_12</attr> <attr name="infectedfiles">0</attr> </rec> - <rec time="2007/12/19 01:29:33" user="Owner" source="General"> <value>@HL_TestStarted</value> <attr name="testname">@TestName_12</attr> </rec> - <rec time="2007/12/19 01:29:33" user="Owner" source="General"> <value>@HL_TestEnded</value> <attr name="testname">@TestName_12</attr> <attr name="infectedfiles">0</attr> </rec> - <rec time="2007/12/19 19:09:21" user="SYSTEM" source="Virus"> <value>@HL_ReportFindRS</value> <attr name="filename">C:\System Volume Information\_restore{96190446-8936-4027-8FC4-59B8E38CE747}\RP299\A0181483.exe</attr> <attr name="finding">@EID_Id_trj</attr> <attr name="virusname">Generic5.KJF</attr> </rec> </history> Hi there I do not want to seem pushy but I first posted this about 9 days ago and it seemed to be in danger of getting buried. So I thought I try to bring it back in view so to speak. Thanks for any help that you may be able to give me. This post has been edited by LDTate: Dec 24 2007, 06:06 AM

Posts in this topic

Christopher_35 [Closed] Am I Infected Again? Dec 14 2007, 07:59 PM

Christopher_35 Because this is over a month old I have supplied a... Jan 24 2008, 07:46 PM

LDTate Note: This will remove all previous Restore Points... Jan 25 2008, 05:07 PM

LDTate Due to inactivity this topic will be closed. If yo... Feb 9 2008, 04:09 PM

« Next Oldest · Infections Removal · Next Newest »

Topic Title	Replies	Topic Starter	Views	Last Action
Infections Removal am i infected?	0	heragoddess	0	29 minutes ago Last post by: heragoddess
Infections Removal [Closed] virus wont let me post!	3	clgray75	72	Yesterday, 10:19 AM Last post by: extremeboy
Infections Removal [Closed] Computer infected/browser problems	7	Helpless Oldie	164	19th March 2010 - 03:09 AM Last post by: CatByte
Infections Removal [Resolved] Infected with something	11	pacificjade	137	18th March 2010 - 05:00 PM Last post by: LDTate