Lately my virus checker, AVAST, has been blocking several attempts by trojans and adware to further infect my system, but I believe they are a result of the first trojan that got on here... whatever it is.
When I started this mess, AVAST was blocking things every few minutes,
with names like VBSTAT-C (trojan)
and BHO-BG (trojan),
and lots of random .dll's, infected, that my system tries to access.
I've done a boot scan with AVAST and it finds nothing else.
Ad-Aware returns nothing.
Spybot - Search & Destroy found some things the first time I ran it 4 days ago, such as smitfraud888 (I removed that with SmitfraudFix); it doesn't appear to be on my system.
Then 2 days later I ran Spybot again and removed the following.
They are:
DoubleClick
FastClick
MediaPlex
ReliableStats
SystemDoctor2006
Winsoftware.WinAntiVirusPro2006
I stopped two things from starting up that I believed may have been a problem too. I deleted the entries for
vsnp2std.exe and tsnp2std.exe from the startup (using msconfig),
but that didn't seem to help much.
I ran AVG Anti-Spyware:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 7:12:13 PM 1/03/2007
+ Scan result:
:mozilla.12:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Tom Beckingham\Cookies\tom@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
:mozilla.66:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.67:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.6:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.7:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.11:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.88:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
:mozilla.13:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Com : No action taken.
:mozilla.44:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.45:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.46:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.47:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.55:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.75:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.64:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.65:C:\Documents and Settings\Tom Beckingham\Application Data\Mozilla\Firefox\Profiles\dxwlngdk.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
::Report end
Then I ran HijackThis (2 days ago). This is its log:
Logfile of HijackThis v1.99.1
Scan saved at 6:47:10 PM, on 1/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Diskeeper\DkService.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Aspire Arcade\PCMService.exe
C:\Program Files\CRW\shwicon.exe
C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
C:\WINDOWS\System32\ZCfgSvc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NewSoft\Presto! PVR\URemote.exe
C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\WINDOWS\FixCamera.exe
C:\WINDOWS\system32\ctfmon.exe
C:\shell\RocketDock\RocketDock.exe
C:\shell\rainlender2\Rainlendar2.exe
C:\shell\UberIcon\UberIcon Manager.exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\shell\Rainmeter\Rainmeter.exe
C:\shell\Styler\Styler.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Program Files\hijackthis\HijackThis.exe
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\shell\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Aspire Arcade\PCMService.exe"
O4 - HKLM\..\Run: [ShowIcon_Chander_CRW Series Driver v1.17r019] "C:\Program Files\CRW\shwicon.exe" -t"Chander\CRW Series Driver v1.17r019"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLCL32.EXE
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\System32\ZCfgSvc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [URemote] C:\Program Files\NewSoft\Presto! PVR\URemote.exe
O4 - HKLM\..\Run: [ChangeFilterMerit] C:\Program Files\NewSoft\Presto! PVR\ChangeFilterMerit.exe
O4 - HKLM\..\Run: [Presto! PVR Monitor] C:\Program Files\NewSoft\Presto! PVR\Monitor.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [FixCamera] C:\WINDOWS\FixCamera.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\shell\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\shell\rainlender2\Rainlendar2.exe
O4 - HKCU\..\Run: [UberIcon] "C:\shell\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Rainmeter.lnk = C:\shell\Rainmeter\Rainmeter.exe
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} (Photosynth Class) - http://media.labs.li.../Photosynth.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
---------------------------------------------------------------------------------------------------
A day after, I ran a BitDefender online scan and got some baddies:
C:\VundoFix Backups\wvust.dll.bad
Infected with: MemScan:Trojan.Vundo.AF
C:\VundoFix Backups\wvust.dll.bad
Disinfection failed
C:\VundoFix Backups\wvust.dll.bad
Deleted
C:\WINDOWS\system32\vtspq.dll
Infected with: MemScan:Trojan.Vundo.AF
C:\WINDOWS\system32\vtspq.dll
Disinfection failed
C:\WINDOWS\system32\vtspq.dll
Deleted
C:\WINDOWS\system32\mljij.dll
Infected with: MemScan:Trojan.Vundo.AF
C:\WINDOWS\system32\mljij.dll
Disinfection failed
C:\WINDOWS\system32\mljij.dll
Deleted
C:\shell\apps\altab\VerCheck.exe
Infected with: Generic.Malware.dld!!.9BB4FCB4
C:\shell\apps\altab\VerCheck.exe
Disinfection failed
C:\shell\apps\altab\VerCheck.exe
Deleted
I noticed a weird folder that wasn't there before: C:\bintheredunthat
Even after getting rid of all the viruses and trojans that were found, my computer is unusually sluggish, especially when connected to the internet. I guess there's something still there.
I used PC Tools Spyware Doctor and removed:
VX2.Look2Me
EliteBar
Virtumonde
Then after restarting the computer, Spyware Doctor detected both EliteBar and VX2.Look2Me trying to load back in again... what's going on?
Thanks for your help
Edited by nearlyasian, 02 March 2007 - 09:37 AM.
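Added example, not part of the original post: a small Python triage script for the HijackThis log format shown above. It groups the `Onn - ...` entries by section and flags three things a reviewer would confirm by hand before deciding what to fix: O4 Run values whose program is an unqualified name (such as `Alaunch` or `AGRSMMSG.exe`, which Windows locates by searching the application, system and PATH directories rather than from an absolute path, so the file actually being launched should be checked), O4 Startup shortcuts whose target HijackThis could not resolve (`= ?`), and O23 services whose binary is reported `(file missing)`. The sample input is a handful of O4 and O23 lines copied from the log above; the flagging rules are this example's own heuristics, not HijackThis's, and the stray closing quote handled in `executable_of` is the one visible in the two avast! O23 lines.

```python
"""Triage a HijackThis v1.99.1 log: group entries by section and flag
the ones worth confirming by hand. Added example, not from the post."""
import re
from collections import defaultdict

# Constructed sample: O4 and O23 lines copied from the log in the post.
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
O4 - HKLM\\..\\Run: [LaunchApp] Alaunch
O4 - HKLM\\..\\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [KernelFaultCheck] %systemroot%\\system32\\dumprep 0 -k
O4 - HKCU\\..\\Run: [RocketDock] "C:\\shell\\RocketDock\\RocketDock.exe"
O4 - Startup: Styler.lnk = ?
O23 - Service: avast! Mail Scanner - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashMaiSv.exe" /service (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\\Program Files\\Diskeeper\\DkService.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<name>.*?) = (?P<target>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def parse_entries(text):
    """Return {section code: [entry body, ...]} for every 'Onn - ...' line."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)


def executable_of(cmd):
    """Pull the program out of a Run value or service path.
    Handles quoted paths, unquoted paths containing spaces (cut after
    the first .exe) and a stray closing quote after the .exe, as HJT
    printed for the two avast! service lines."""
    cmd = cmd.replace("(file missing)", "").strip()
    if cmd.startswith('"'):
        cmd = cmd[1:]
    if '"' in cmd:
        return cmd[: cmd.index('"')]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def is_qualified(path):
    """True if the program is named by a drive/directory path (or an
    environment-variable root), so it is not located by a search at launch."""
    return "\\" in path or ":" in path


def triage(text):
    """Heuristic flags for manual review. Returns [(section, name, reason)]."""
    findings = []
    sections = parse_entries(text)
    for body in sections.get("O4", []):
        run = RUN_RE.match(body)
        if run:
            exe = executable_of(run.group("cmd"))
            if not is_qualified(exe):
                findings.append(("O4", run.group("name"),
                                 f"unqualified program name {exe!r}: located by search, confirm the real file"))
            continue
        st = STARTUP_RE.match(body)
        if st and st.group("target").strip() == "?":
            findings.append(("O4", st.group("name"), "shortcut target could not be resolved"))
    for body in sections.get("O23", []):
        svc = SERVICE_RE.match(body)
        if svc and "(file missing)" in svc.group("path"):
            findings.append(("O23", svc.group("name"),
                             "service binary reported missing: " + executable_of(svc.group("path"))))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section} [{name}] {reason}")
```

Run against the sample it reports four entries: the two unqualified HKLM Run programs, the unresolved Styler.lnk shortcut, and the avast! Mail Scanner service whose binary is missing. A flag is a prompt to look, not a verdict; the two unqualified names here are OEM laptop utilities, and the point of listing them is that the file they resolve to should be checked rather than assumed.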