WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93083 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Please check my friend's HJT log

Started by Jeff H , Mar 08 2009 12:23 AM

This topic is locked

6 replies to this topic

#1 Jeff H

Authentic Member

Authentic Member
55 posts

Posted 08 March 2009 - 12:23 AM

My friend left her date alone with her computer for a few minutes, and next thing she knew PCCillin was telling her she had viruses (and he'd cleaned out her browsing history too). This is one of the reasons he only got one date (smart girl), but her AV program was out of date and wouldn't update without her paying for a license, so she gave it to me to try fixing. I ran MBAM and it cleaned out 18 problems; here is a current HJT log. Could someone look it over and tell me if there is any further cause for concern?

I plan on installing some other AV program, most likely freeware, while I await replies.

Thanks in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:15:51 AM, on 3/8/2009
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\wermgr.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.gametop...tm_medium=start
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] c:\dell\dsca.exe 3
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Universal Installer] "C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe" /fromrun /starthidden
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\Windows\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Jumpstart Wifi Protected Setup (jswpsapi) - Atheros Communications, Inc. - C:\Program Files\Belkin\F5D7010v8\jswpsapi.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10326 bytes

======================EDIT=======================

I installed Avira and did a full scan; here is the log. (Short version: it found stuff.)

Avira AntiVir Personal
Report file date: Sunday, March 08, 2009 00:33

Scanning for 1288155 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows Vista
Windows version: (plain) [6.0.6000]
Boot mode: Normally booted
Username: SYSTEM
Computer name: PC

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 11/18/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 11/18/2008 15:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 14:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 19:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 14:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 06:32:09
ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 06:32:13
ANTIVIR3.VDF : 7.1.2.135 157696 Bytes 3/7/2009 06:32:16
Engineversion : 8.2.0.105
AEVDF.DLL : 8.1.1.0 106868 Bytes 3/8/2009 06:32:34
AESCRIPT.DLL : 8.1.1.57 356729 Bytes 3/8/2009 06:32:33
AESCN.DLL : 8.1.1.8 127346 Bytes 3/8/2009 06:32:31
AERDL.DLL : 8.1.1.3 438645 Bytes 11/4/2008 20:58:38
AEPACK.DLL : 8.1.3.10 397686 Bytes 3/8/2009 06:32:30
AEOFFICE.DLL : 8.1.0.36 196987 Bytes 3/8/2009 06:32:28
AEHEUR.DLL : 8.1.0.104 1634679 Bytes 3/8/2009 06:32:26
AEHELP.DLL : 8.1.2.2 119158 Bytes 3/8/2009 06:32:20
AEGEN.DLL : 8.1.1.25 336243 Bytes 3/8/2009 06:32:19
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/14/2008 17:05:56
AECORE.DLL : 8.1.6.6 176501 Bytes 3/8/2009 06:32:18
AEBB.DLL : 8.1.0.3 53618 Bytes 10/14/2008 17:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 15:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 16:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 7/31/2008 19:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 18:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 19:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 19:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 20:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 20:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, March 08, 2009 00:33

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'VSSVC.exe' - '1' Module(s) have been scanned
Scan process 'notepad.exe' - '1' Module(s) have been scanned
Scan process 'HijackThis.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'wlanext.exe' - '1' Module(s) have been scanned
Scan process 'dwm.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'ApntEx.exe' - '1' Module(s) have been scanned
Scan process 'hidfind.exe' - '1' Module(s) have been scanned
Scan process 'ehmsas.exe' - '1' Module(s) have been scanned
Scan process 'DLG.exe' - '1' Module(s) have been scanned
Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
Scan process 'uinstaller.exe' - '1' Module(s) have been scanned
Scan process 'wmpnscfg.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'ehtray.exe' - '1' Module(s) have been scanned
Scan process 'DSAgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'ApMsgFwd.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd2.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'PCMService.exe' - '1' Module(s) have been scanned
Scan process 'issch.exe' - '1' Module(s) have been scanned
Scan process 'DellWMgr.exe' - '1' Module(s) have been scanned
Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
Scan process 'VolPanlu.exe' - '1' Module(s) have been scanned
Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'sttray.exe' - '1' Module(s) have been scanned
Scan process 'OEM02Mon.exe' - '1' Module(s) have been scanned
Scan process 'Apoint.exe' - '1' Module(s) have been scanned
Scan process 'MSASCui.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'taskeng.exe' - '1' Module(s) have been scanned
Scan process 'XAudio.exe' - '1' Module(s) have been scanned
Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'stacsv.exe' - '1' Module(s) have been scanned
Scan process 'RoxWatch9.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'CTSVCCDA.EXE' - '1' Module(s) have been scanned
Scan process 'CreativeLicensing.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'AEstSrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SLsvc.exe' - '1' Module(s) have been scanned
Scan process 'audiodg.exe' - '0' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'lsm.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'wininit.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
81 processes with 81 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '56' files ).

Starting the file scan:

Begin scan in 'C:\' <OS>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Users\Lauren\AppData\Local\Temp\tmp9701.tmp
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '4a2369f8.qua'!
C:\Users\Lauren\Downloads\demoextra.exe
[0] Archive type: NSIS
--> ProgramFilesDir/matrix33400.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was deleted!
C:\Windows\Temp\301268539.tmp
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49e46c73.qua'!
C:\Windows\Temp\301270489.tmp
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49e46c76.qua'!
Begin scan in 'D:\' <RECOVERY>
D:\RECYCLER\S-3-6-23-100022746-100025067-100008143-4653.com
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to '49e66e3f.qua'!

End of the scan: Sunday, March 08, 2009 01:06
Used time: 32:50 Minute(s)

The scan has been done completely.

19134 Scanning directories
309666 Files were scanned
6 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
1 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
309659 Files not concerned
1616 Archives were scanned
1 Warnings
5 Notes

Edited by Jeff H, 08 March 2009 - 01:19 AM.

Advertisements

Register to Remove

#2 jpshortstuff

Teacher Emeritus

Authentic Member
5,710 posts

Posted 09 March 2009 - 08:01 AM

Hi,

Its not looking too bad, but let's have a deeper look:

Please download DDS and save it to your desktop.

Disable any script blocking protection
Double click dds.scr to run the tool.
When done two logs should open:
DDS.txt
Attach.txt

Save both reports to your desktop.

---------------------------------------------------

Post the contents of the DDS.txt report in your next reply
Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, and click Open and then click UPLOAD.

Thanks.

Proud Graduate of the TC/WTT Classroom

At weekends (GMT) I may not be able to reply promptly due to various commitments. Please be patient and I will respond as soon as I can.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here

Need help remembering those important computer maintenance tasks? Let SCars do it for you.

Posted Image

#3 Jeff H

Authentic Member

Authentic Member
55 posts

Posted 09 March 2009 - 11:05 AM

DDS itself said to zip the attach.txt file, but since you specified just the .txt file I have sent precisely that; I hope that's okay. WIndows Update also popped up saying she didn't have SP1 installed (this may be due to something else I forgot to mention, some seriously overzealous firewall settings that I changed to something saner). So, this machine will be occupied installing that for probably an hour or two. DDS (Ver_09-02-01.01) - NTFSx86 Run by Lauren at 11:56:18.35 on Mon 03/09/2009 Internet Explorer: 7.0.6000.16809 Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2037.904 [GMT -5:00] AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) ============== Running Processes =============== C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Windows\system32\svchost.exe -k NetworkService C:\Windows\System32\spoolsv.exe C:\Windows\system32\WLANExt.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\aestsrv.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe C:\Windows\system32\CTsvcCDA.exe C:\Windows\system32\svchost.exe -k hpdevmgmt C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\System32\svchost.exe -k HPZ12 C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe C:\Windows\system32\STacSV.exe C:\Windows\system32\svchost.exe -k imgsvc C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\DRIVERS\xaudio.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\DellTPad\Apoint.exe C:\Windows\OEM02Mon.exe C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe C:\Windows\system32\igfxsrvc.exe C:\Windows\System32\igfxpers.exe C:\Program Files\DellTPad\ApMsgFwd.exe C:\Program Files\DellTPad\Apntex.exe C:\Program Files\Creative\SBAudigy\Volume Panel\VolPanlu.exe C:\Program Files\DellTPad\HidFind.exe C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Dell\MediaDirect\PCMService.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe C:\Program Files\DellSupport\DSAgnt.exe C:\Windows\ehome\ehtray.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\ComcastUI\Universal Installer\uinstaller.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Windows\ehome\ehmsas.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Program Files\iPod\bin\iPodService.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\wuauclt.exe C:\Windows\servicing\TrustedInstaller.exe C:\Windows\system32\vssvc.exe C:\Windows\System32\svchost.exe -k swprv C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Windows\explorer.exe C:\Windows\system32\wuauclt.exe C:\Windows\SoftwareDistribution\Download\Install\SpcLiteGFX.exe C:\c5784a4f9bbf6bc3c7788a7507e7\spclite.exe \\?\C:\Windows\system32\wbem\WMIADAP.EXE C:\Windows\system32\wbem\wmiprvse.exe C:\Users\Lauren\Desktop\dds.scr ============== Pseudo HJT Report =============== uWindow Title = Internet Explorer provided by Dell uStart Page = hxxp://start.gametop.com/?utm_source=MarioForever&utm_medium=start mStart Page = hxxp://www.yahoo.com/ mDefault_Page_URL = hxxp://www.yahoo.com/ mDefault_Search_URL = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com mSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html uInternet Settings,ProxyOverride = *.local BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll BHO: NoExplorer - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0\bin\ssv.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe uRun: [Universal Installer] "c:\program files\comcastui\universal installer\uinstaller.exe" /fromrun /starthidden uRun: [Yahoo! Pager] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide mRun: [ECenter] c:\dell\e-center\EULALauncher.exe mRun: [Apoint] c:\program files\delltpad\Apoint.exe mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe mRun: [IgfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [VolPanel] "c:\program files\creative\sbaudigy\volume panel\VolPanlu.exe" /r mRun: [UpdReg] c:\windows\UpdReg.EXE mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start mRun: [<NO NAME>] mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe" mRun: [dscactivate] c:\dell\dsca.exe 3 mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe" mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe mPolicies-system: EnableLUA = 0 (0x0) IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0\bin\npjpi160.dll IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll Notify: igfxcui - igfxdev.dll AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll ================= FIREFOX =================== FF - ProfilePath - c:\users\lauren\appdata\roaming\mozilla\firefox\profiles\aw4unihv.default\ FF - component: c:\program files\mozilla firefox\components\iamfamous.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npjava11.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npjava12.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npjava13.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npjava14.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npjava32.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npjpi160.dll FF - plugin: c:\program files\java\jre1.6.0\bin\npoji610.dll ============= SERVICES / DRIVERS =============== R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2007-11-26 73728] R3 JSWSCIMD;jswscimd Service;c:\windows\system32\drivers\jswscimd.sys [2008-9-17 57344] R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2007-11-26 235520] R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2007-11-26 7424] S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-11-26 29744] S3 jswpsapi;Jumpstart Wifi Protected Setup;c:\program files\belkin\f5d7010v8\jswpsapi.exe [2007-10-29 352338] =============== Created Last 30 ================ 2009-03-09 11:54 <DIR> --d----- C:\c5784a4f9bbf6bc3c7788a7507e7 2009-03-08 01:30 <DIR> --d----- c:\programdata\Avira 2009-03-08 01:30 <DIR> --d----- c:\program files\Avira 2009-03-08 01:30 <DIR> --d----- c:\progra~2\Avira 2009-03-08 00:52 <DIR> --d----- c:\users\lauren\appdata\roaming\Malwarebytes 2009-03-08 00:52 15,504 a------- c:\windows\system32\drivers\mbam.sys 2009-03-08 00:52 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-03-08 00:52 <DIR> --d----- c:\programdata\Malwarebytes 2009-03-08 00:52 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-03-08 00:52 <DIR> --d----- c:\progra~2\Malwarebytes 2009-03-07 20:44 334,155,807 a------- c:\windows\MEMORY.DMP 2009-02-10 18:00 4 a------- c:\windows\system32\gaopdxcounter ==================== Find3M ==================== 2009-03-08 01:11 86,016 a------- c:\windows\inf\infstrng.dat 2009-03-08 01:11 86,016 a------- c:\windows\inf\infstor.dat 2009-03-08 01:11 51,200 a------- c:\windows\inf\infpub.dat 2009-01-14 23:16 826,368 a------- c:\windows\system32\wininet.dll 2009-01-14 23:16 56,320 a------- c:\windows\system32\iesetup.dll 2009-01-14 23:16 52,736 a------- c:\windows\apppatch\iebrshim.dll 2009-01-14 23:15 26,624 a------- c:\windows\system32\ieUnatt.exe 2008-12-13 04:18 174 a--sh--- c:\program files\desktop.ini 2008-06-15 03:11 665,600 a------- c:\windows\inf\drvindex.dat 2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat 2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat 2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat 2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat 2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat 2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat 2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat 2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat 2007-11-26 09:39 76 ---shr-- c:\windows\CT4CET.bin 2008-04-13 09:56 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat 2008-04-13 09:56 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat 2008-04-13 09:56 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat 2007-11-26 17:15 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT ============= FINISH: 11:57:58.98 ===============

Attached Files

Attach.txt 5.53KB 350 downloads

Edited by Jeff H, 09 March 2009 - 11:06 AM.

#4 jpshortstuff

Teacher Emeritus

Authentic Member
5,710 posts

Posted 09 March 2009 - 01:37 PM

Hi,

Delete this file:
c:\windows\system32\gaopdxcounter

Other than that, the log looks good. Are you having any more problems with this machine or is it running smoothly now?

Thanks.

Proud Graduate of the TC/WTT Classroom

#5 Jeff H

Authentic Member

Authentic Member
55 posts

Posted 09 March 2009 - 02:56 PM

No problems that aren't just expected consequences of the fact that it runs so much unnecessary junk on startup. But I don't need help dealing with that :-). Thanks a lot for your trouble. It's good to know I had the situation pretty much in hand but it is always worthwhile to get a second opinion from someone formally trained in this stuff, as opposed to my random what-I've-picked-up-here-and-there knowledge of malware.

Edited by Jeff H, 09 March 2009 - 02:58 PM.

#6 jpshortstuff

Teacher Emeritus

Authentic Member
5,710 posts

Posted 09 March 2009 - 03:18 PM

Looks like you did a pretty good job :thumbup:

Proud Graduate of the TC/WTT Classroom

#7 jpshortstuff

Teacher Emeritus

Authentic Member
5,710 posts

Posted 14 March 2009 - 01:12 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.

Proud Graduate of the TC/WTT Classroom

Body Background

skin color theme