UKPunk Posted April 27, 2011

Hi Tarun, can you check out my log for me please? Many thanks.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:26:33, on 27/04/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Firetrust\Benign\B9.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpCtr.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Z-opti Browser Enhancer - {C348BB9A-995C-404A-8185-76325B4BED9F} - C:\WINDOWS\$XNTUninstall643$\mbdwt.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: Context-Ads Browser Enhancer - {F96A7C1E-38CA-4F0A-9D2D-A42C226BCDC8} - C:\WINDOWS\$XNTUninstall643$\xgoir.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mbdwt.dll",,Run
O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize (User '?')
O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1ca3831c6c24e7a) (gupdate1ca3831c6c24e7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe
O24 - Desktop Component 0: (no name) -

--
End of file - 7958 bytes
Tarun (Administrator) Posted April 27, 2011

Your log looks clean, though I see a few things that are out of date such as Avast, Adobe Reader, and Internet Explorer. I would definitely recommend uninstalling any/all toolbars, as I see Ask, Limewire and Wanadoo toolbars. This line can also be removed safely:

O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)

Are you experiencing any symptoms of infection or is this simply a routine checkup? :)
UKPunk (Author) Posted April 30, 2011

Hi Tarun, I'm pretty sure I've got something because when I click on links in Google I sometimes get taken to a different website, usually another search engine. Also, I keep getting a message about my system being under attack and occasionally my firewall gets turned off. Any ideas? Dave
Tarun (Administrator) Posted May 1, 2011

I do believe I've spotted the infection. I apologize for overlooking it.

O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mbdwt.dll",,Run

I'd run Malwarebytes Anti-Malware and see if it picks the file up. Also, not sure if you still need this or want to keep it, but it hasn't been updated since 2006:

O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
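Tarun's diagnosis rests on a single O4 line: a Run value that launches rundll32 against a DLL in C:\WINDOWS\$XNTUninstall643$, a folder named to look like a Windows hotfix uninstall backup, and two O2 BHOs in the first log load DLLs from the same place. The Python below is an added example, not code from this thread or from HijackThis: it parses the HijackThis entry format and applies a handful of triage rules to lines copied from UKPunk's first log. The rule set and the severity labels are this example's own; HijackThis assigns none, and a clean entry here still deserves a look by a human.

```python
import re
from dataclasses import dataclass

# Entries copied from the first HijackThis log posted in this thread (header and
# process list left out; the parser skips such lines anyway).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Z-opti Browser Enhancer - {C348BB9A-995C-404A-8185-76325B4BED9F} - C:\WINDOWS\$XNTUninstall643$\mbdwt.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Context-Ads Browser Enhancer - {F96A7C1E-38CA-4F0A-9D2D-A42C226BCDC8} - C:\WINDOWS\$XNTUninstall643$\xgoir.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: LimeWire Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [bipro] rundll32 "C:\WINDOWS\$XNTUninstall643$\mbdwt.dll",,Run
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""


@dataclass
class Entry:
    code: str   # HijackThis section, e.g. "O4"
    body: str   # everything after "O4 - "


@dataclass
class Finding:
    severity: str   # high / medium / low / info
    entry: Entry
    reason: str


SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# A path component wrapped in dollar signs, e.g. C:\WINDOWS\$XNTUninstall643$\ : the
# naming scheme of hotfix uninstall folders, used in this thread to hide a BHO and an autorun DLL.
DOLLAR_DIR_RE = re.compile(r"\\\$[^\\]+\$\\")
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


def parse_hjt(text):
    """Return the R/O entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


# Each rule returns (severity, reason) when it applies, else None.
def rule_orphan_bho(e):
    if e.code == "O2" and e.body.endswith("(no file)"):
        return "low", "BHO registration whose DLL is gone; harmless but removable"


def rule_dollar_dir(e):
    if DOLLAR_DIR_RE.search(e.body):
        return "high", "component loaded from a $...$ folder under the Windows directory"


def rule_rundll_autorun(e):
    m = RUNDLL_RE.search(e.body) if e.code == "O4" else None
    if m:
        return "medium", f"autorun via rundll32; the code that runs at logon is {m.group(1)}"


def rule_toolbar(e):
    if e.code == "O3" or (e.code == "O2" and "toolbar" in e.body.lower()):
        return "info", "browser toolbar component; review in Add/Remove Programs"


def rule_hosts(e):
    if e.code == "O1":
        return "info", "hosts-file override; confirm the mapping is intended"


RULES = [rule_orphan_bho, rule_dollar_dir, rule_rundll_autorun, rule_toolbar, rule_hosts]


def triage(entries):
    """One Finding per entry that trips a rule, carrying the highest severity and every reason."""
    findings = []
    for e in entries:
        hits = [h for h in (rule(e) for rule in RULES) if h]
        if hits:
            hits.sort(key=lambda h: SEVERITY_ORDER[h[0]])
            findings.append(Finding(hits[0][0], e, "; ".join(why for _, why in hits)))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])
    return findings


def summarize(findings):
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.entry.code} - {f.entry.body}\n         {f.reason}")
```

On the sample the three high findings are exactly the lines Tarun ends up pointing at: the two $XNTUninstall643$ BHOs and the [bipro] rundll32 autorun, which trips both the folder rule and the rundll32 rule. The toolbars and the orphaned BHO sort below them as the clean-up items he recommends separately.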
UKPunk (Author) Posted May 1, 2011

Hi Tarun, thanks for the reply. I'll get onto that today. Incidentally, I had awful problems with the PC this morning. Something called "XP Total Security 2011 - Unregistered Version" was insisting I had all these infections and kept throwing up warnings in the taskbar like "Stealth intrusion!, Tracking software found!, Threat detected!" among others. It also appeared to turn off Windows Firewall and Avast. I ignored this and ran Avast in safe mode. It found 1 infection. Here are the details.

File Name: C:\Documents and Settings\All Users\Application Data\84DBKnD6.exe
Severity: High
Status: Threat: Win32:Trojan-gen

When I tried to navigate to the file there was nothing there. I'm hoping Avast has removed it. After that I ran Malwarebytes and it found 15 problems, which it removed. Despite this, however, I've still got something redirecting my search queries, as when I tried to come to Luarsoft it took me to an e-bay page! After I've removed the entry you've pointed out should I run everything again and send you another HijackThis log? Also, although it doesn't say so on the Wiki, should I be running all my checks in safe mode? Finally, you mention getting rid of the Limewire and Yahoo toolbars. How do I do this and where do I go in the registry to delete the appropriate entries? Thanks very much for your advice and patience. Dave
Tarun (Administrator) Posted May 1, 2011

Malwarebytes Anti-Malware should be able to remove XP Total Security 2011 just fine. If you don't mind, please post your Malwarebytes log. You may wish to run all the scanners again in Full Scan instead of Quick/Fast. And safe mode is not necessary. One key reason for this is that Malwarebytes Anti-Malware is more powerful in normal mode than safe mode. As for getting rid of the toolbars, I'd recommend checking Add/Remove Programs first and see if you can simply run an uninstall. From there we can remove them from HijackThis during the cleanup phase.
UKPunk (Author) Posted May 3, 2011

Hi Tarun, I've followed your instructions and below is my HijackThis log and also the Malwarebytes log. Just a couple of other things. Spybot keeps finding "Click.GiftLoad" despite repeated deletions and I'm wondering whether it's loading on startup? Also, after I scanned with Malwarebytes I clicked for my PC to restart and it hung so I had to restart it manually. After scanning with Avast it advised that I let it check the system on boot-scan which I did and it found this:

File C:\Documents and Settings\Network Service\Application Data\Sun\Java\Deployment\cache\6.0\44\2e038c6c-6979ccd1>google\bingo.class is infected by Java:agent-GI[Exp¬]

I deleted that and further items that all had the reference "agent-G" followed by the letters I, J, M and N (I think). Finally, the light on the tower that shows hard drive activity flashes at regular intervals roughly 1 second apart, even when there appears to be no HDD activity taking place. I've not noticed this before and wondered whether it's something nasty on the system. Anyway, here are those logs and thanks again for your help.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:07:59, on 03/05/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Firetrust\Benign\B9.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [spybotDeletingA2670] command.com /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKLM\..\RunOnce: [spybotDeletingC768] cmd.exe /c del "C:\WINDOWS\SchedLgU.Txt"
O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize (User '?')
O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1ca3831c6c24e7a) (gupdate1ca3831c6c24e7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe
O24 - Desktop Component 0: (no name) -

--
End of file - 7489 bytes

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6500

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

03/05/2011 19:10:17
mbam-log-2011-05-03 (19-10-17).txt

Scan type: Full scan (C:\|)
Objects scanned: 220936
Time elapsed: 1 hour(s), 19 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\system volume information\_restore{75493eb3-c852-41b6-b8a8-f3c98fbd0121}\rp1218\a0279006.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\system volume information\_restore{75493eb3-c852-41b6-b8a8-f3c98fbd0121}\rp1220\a0285030.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\windows\system32\memzpack.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\8pabk5u7\nbc[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\8pabk5u7\nbg[1].exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Tarun (Administrator) Posted May 3, 2011

I see some that are found are in your System Restore. You can easily remove them by making a new System Restore point and naming it (Something like Cleaning up) and then using the Disk Cleanup to remove all but the latest one. You may also want to run CCleaner once more and do quick scans. Are there still symptoms present?
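Tarun's question about remaining symptoms has a registry-level answer. The detections in this thread are all from the rogue-antivirus family (Malwarebytes names them Trojan.FakeAlert; Spybot, in UKPunk's next post, names them Fraud.InternetSecurity2011), and the Spybot listing there shows exactly what the program changed: the .exe file association under HKEY_USERS was pointed at its own ptb.exe with `-a "%1" %*`, so every program launch went through it, and the Windows Firewall policy and Security Center override values were set so that the system stopped warning, which matches the "firewall gets turned off" symptom reported earlier. The script below is an added example, not code from this thread or from any of the tools in it. It reads a constructed regedit export (the key paths and the ptb.exe command are modelled on the Spybot listing; the .reg text itself and its dword values are constructed) and reports every value that differs from the stock Windows XP defaults, which it assumes to be: exefile\shell\open\command is `"%1" %*`, there is no open verb under the .exe key itself, EnableFirewall is 1, DisableNotifications and DoNotAllowExceptions are 0, and both Security Center override values are 0.

```python
import re
from dataclasses import dataclass

# Constructed regedit export. Key paths and the ptb.exe command mirror the Spybot
# findings in this thread; the dword values are chosen to show one tampered profile.
SAMPLE_REG = r"""
Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-18\Software\Classes\exefile\shell\open\command]
@="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\ptb.exe\" -a \"%1\" %*"

[HKEY_USERS\S-1-5-18\Software\Classes\.exe\shell\open\command]
@="\"C:\\Documents and Settings\\NetworkService\\Local Settings\\Application Data\\ptb.exe\" -a \"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
"DisableNotifications"=dword:00000001
"DoNotAllowExceptions"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001
"DisableNotifications"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"""


@dataclass
class Finding:
    key: str
    name: str        # value name; "" is the (Default) value
    actual: object
    expected: object


VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def unescape(s):
    """Undo the .reg string escaping: \\ -> \ and \" -> " ."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_value(raw):
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape(raw[1:-1])
    return raw   # hex:, expandable strings etc. are kept as raw text


def parse_reg(text):
    """Minimal .reg reader: {key path: {value name: value}}."""
    reg, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "" if m.group(1) == "@" else unescape(m.group(2))
            reg[key][name] = parse_value(m.group(3))
    return reg


EXEFILE_CMD_RE = re.compile(r"\\Classes\\exefile\\shell\\open\\command$", re.IGNORECASE)
DOT_EXE_CMD_RE = re.compile(r"\\Classes\\\.exe\\shell\\open\\command$", re.IGNORECASE)
FIREWALL_PROFILE_RE = re.compile(r"\\FirewallPolicy\\(?:Domain|Standard)Profile$", re.IGNORECASE)
SECURITY_CENTER_RE = re.compile(r"\\Microsoft\\Security Center$", re.IGNORECASE)

# Assumed stock Windows XP defaults (see lead-in).
DEFAULT_EXE_COMMAND = '"%1" %*'
FIREWALL_DEFAULTS = {"EnableFirewall": 1, "DisableNotifications": 0, "DoNotAllowExceptions": 0}
SECURITY_CENTER_DEFAULTS = {"AntiVirusOverride": 0, "FirewallOverride": 0}


def compare(key, values, defaults):
    """Findings for every default-listed value that is present and differs."""
    return [Finding(key, n, values[n], want) for n, want in defaults.items()
            if n in values and values[n] != want]


def audit(reg):
    findings = []
    for key, values in reg.items():
        if EXEFILE_CMD_RE.search(key):
            if values.get("") != DEFAULT_EXE_COMMAND:
                findings.append(Finding(key, "", values.get(""), DEFAULT_EXE_COMMAND))
        elif DOT_EXE_CMD_RE.search(key):
            # A stock system has no open verb under .exe itself; its (Default) only names the exefile ProgID.
            findings.append(Finding(key, "", values.get(""), "<key absent>"))
        elif FIREWALL_PROFILE_RE.search(key):
            findings += compare(key, values, FIREWALL_DEFAULTS)
        elif SECURITY_CENTER_RE.search(key):
            findings += compare(key, values, SECURITY_CENTER_DEFAULTS)
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"{f.key}\n    {f.name or '(Default)'}: {f.actual!r}  expected {f.expected!r}")
```

To run it against a real machine, export the keys with regedit (File, Export) or `reg export "HKLM\SOFTWARE\Microsoft\Security Center" sc.reg` and pass the file contents to `parse_reg`; regedit writes its "Version 5.00" exports as UTF-16, so open them with `encoding="utf-16"`. The script only reads and compares, so it can be run before and after clean-up to confirm that a scanner really put the values back.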
UKPunk (Author) Posted May 10, 2011

Hi Tarun, Sorry it’s taken so long to get back to you (work etc.). We’re still experiencing a browser hijack along with problems on start up/shut down so I did another lot of scans today and took some notes along the way.

First off I started the PC but it only got as far as our screensaver then stalled. At this point there were no icons on the screen. I pressed the restart button and start up got as far as the screensaver with icons before seeming to stall again. After 5:05 minutes the start up continued and seemed to load normally. Then a balloon appeared with this message:

Your computer might be at risk. Automatic Updates is turned off. Click this balloon to fix this problem.

I clicked the balloon and the Security Centre screen appeared showing Automatic Updates as off. But when I clicked “Turn on Automatic Updates” a box appeared with this message:

“We’re sorry. The Security Centre could not change your Automatic Updates settings. To try changing these settings yourself, go to System in Control Panel. On the Automatic Updates tab select Automatic (recommended), and then click ok.”

So I followed these instructions but when I got to System Properties it said that Automatic Updates are switched on.

After this I began the scans as per your Wiki instructions. After running Spywareblaster I did a full scan with Avast and it found a virus. These are the details.

MBR:\\.\PHYSICALDRIVE0
Threat: Rootkit: hidden boot-sector

I deleted this. On reboot I experienced the same 5 minute delay on start up. A full scan with Malwarebytes revealed nothing but a full scan with SuperAntiSpyware revealed some problems. Here are the details:

System.BrokenFileAssociation (2)
HKCR\.exe
HKCR\exefile\shell\open\command

Trojan.Agent/Gen-Nullo(short) (1)
C:\SYSTEM_VOLUME_INFORMATION\_RESTORE {75493EB3-C852-41B6-B8A8-F3C98FBD0121}\RP1222\A0313358.EXE

I deleted these and when prompted I rebooted. This time everything loaded in 1:44 minutes.
Next I clicked to start Spybot but while it was loading this message came up:

To help protect your computer, Windows has closed this program. Name: Generic Host Process for Win32 Services.

I closed the message and Spybot continued to load and immediately detected Click.GiftLoad again! Other problems surfaced as well. (I have the whole Spybot log but it's very long and when I tried to post it I was told to shorten the post so I've just posted the bit that seems to highlight the problems.)

--- Search result list ---
Click.GiftLoad: [SBI $89783858] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [SBI $E57DC831] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Classes\.exe\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [SBI $E57DC831] User settings (Registry value, nothing done)
  HKEY_USERS\S-1-5-18\Software\Classes\.exe\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [SBI $8D38ECE3] User settings (Registry value, nothing done)
  HKEY_USERS\.DEFAULT\Software\Classes\exefile\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [SBI $8D38ECE3] User settings (Registry value, nothing done)
  HKEY_USERS\S-1-5-18\Software\Classes\exefile\shell\open\command\=..."C:\Documents and Settings\NetworkService\Local Settings\Application Data\ptb.exe" -a "%1" %*...

Fraud.InternetSecurity2011: [SBI $9CCE589D] User settings (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Classes\.exe\shell\open\command\

Fraud.InternetSecurity2011: [SBI $9CCE589D] User settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Classes\.exe\shell\open\command\

Fraud.InternetSecurity2011: [SBI $F153D38E] User settings (Registry change, nothing done)
  HKEY_USERS\.DEFAULT\Software\Classes\exefile\shell\open\command\

Fraud.InternetSecurity2011: [SBI $F153D38E] User settings (Registry change, nothing done)
  HKEY_USERS\S-1-5-18\Software\Classes\exefile\shell\open\command\

Fraud.InternetSecurity2011: [SBI $8D9E5DA2] User settings (Registry value, nothing done)
  HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Fraud.InternetSecurity2011: [SBI $5AEDDF0A] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $758FB1E3] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [SBI $CDC1B6A2] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $76913945] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $F16F6CE5] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $DE0D020C] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions

Fraud.InternetSecurity2011: [SBI $6D4031BB] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall

Fraud.InternetSecurity2011: [SBI $FD1F9FD2] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications

Fraud.InternetSecurity2011: [SBI $9EDDC71B] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride

Fraud.InternetSecurity2011: [SBI $EE344D69] Settings (Registry change, nothing done)
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride

Common Dialogs: History (2 files) (Registry key, nothing done)
  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: Activity: SchedLgU.Txt (Backup file, nothing done)
  C:\WINDOWS\SchedLgU.Txt

Log: Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
  C:\WINDOWS\System32\wbem\logs\wbemess.log

When I clicked to fix the problems an X appeared next to the Fraud.InternetSecurity2011 problem and this message was displayed:

Some problems could not be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May Spybot-S&&D run on your next system startup?

(n.b. The two &&’s are not a typo, that’s how it appeared in the message.)

I clicked yes for the PC to restart but the “Ending program…Please wait” box appeared followed by the “This program is not responding…” box. I tried again with the same result so I pressed the restart button. On restart Spybot automatically scanned the system again.
No threats were found but there were no icons on the screen for a couple of minutes and when they appeared the bar at the bottom of the screen was grey instead of blue. So I restarted the computer and it loaded to the point where our screensaver was up but there were no icons on the screen. I left it for ten minutes then restarted the PC manually and it loaded in 1:33 minutes. I then created a restore point before scanning with HijackThis. Here is the log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:10:06, on 10/05/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Firetrust\Benign\B9.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\HDD Health\hddhealth.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [b9] "C:\Program Files\Firetrust\Benign\B9.exe" /minimize (User '?')
O4 - HKUS\S-1-5-21-1292428093-1085031214-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9
- Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE O23 - Service: Google Update Service (gupdate1ca3831c6c24e7a) (gupdate1ca3831c6c24e7a) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Unknown owner - C:\Program Files\Inventel\Gateway\wlancfg.exe O24 - Desktop Component 0: (no name) - -- End of file - 7314 bytes I should also point out that I sometimes have to double click 4 or 5 times before my browser loads. Two more things: How do I get rid of all my restore points except the most recent one? 
And how do I remove items from the Startup list in System Configuration Utility? Thanks again for your help Tarun.
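The log above is the sort of thing a helper reads by eye, entry type by entry type. As an added example (my own script, not a tool from this thread and not HijackThis's own logic), here is a small Python triage pass that parses lines in the HijackThis 2.0.4 format and flags the entries a reviewer would look at first: O1 hosts lines that point a name at a non-loopback address, O2/O3/O9 registrations whose DLL is missing ("(no file)"), O4 Run entries that are unqualified or live outside Windows/Program Files, and O23 services with no publisher string. The sample lines are constructed in the same shape as the log in this post; the 203.0.113.7 hosts line and the O4 entry under Local Settings\Temp are invented here purely to exercise the checks. Note that the 127.98.9.1 hosts entry is deliberately not flagged: it maps the POP3 server to a loopback address, which is consistent with a local mail-filtering proxy such as the Firetrust Benign (B9.exe) process in the list, rather than a redirect to a remote host.

```python
import ipaddress
import re

# Constructed sample in the shape of a HijackThis 2.0.4 log. Entry types are the
# ones seen in the thread; the 203.0.113.7 hosts line and the "updater" O4 line
# under Local Settings\Temp are invented to exercise the checks.
SAMPLE_LOG = r"""
O1 - Hosts: 127.98.9.1 pop.orangehome.co.uk.b9
O1 - Hosts: 203.0.113.7 update.example.com
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Start BT in service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\StartSkysolSvc.exe
"""

# "<type> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^([RO]\d+)\s+-\s+(.*)$")
# O4 body: <hive>\..\Run: [<value name>] <command line>, optional "(User '...')" tail
O4_RE = re.compile(
    r"^(?P<hive>.+?)\\\.\.\\Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)(?:\s*\(User '[^']*'\))?$"
)
# Locations an XP autostart normally lives under (lower-cased for comparison).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")


def parse_entries(log_text):
    """Return (type, body) tuples for every R/O entry line in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def executable_of(cmd):
    """Pull the program path out of a Run command line, quoted or not."""
    quoted = re.match(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    # Unquoted paths may contain spaces, so cut at the first executable extension.
    ext = re.match(r"(.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?:\s|$)", cmd, re.IGNORECASE)
    if ext:
        return ext.group(1)
    parts = cmd.split()
    return parts[0] if parts else cmd


def triage(entries):
    """Flag entries worth a second look. Findings are prompts to verify, not verdicts."""
    findings = []
    for kind, body in entries:
        reason = None
        if kind == "O1":
            ip_text = body.split(":", 1)[1].split()[0]
            try:
                addr = ipaddress.ip_address(ip_text)
            except ValueError:
                reason = "hosts entry with an unparseable address"
            else:
                # Loopback (local proxy) and 0.0.0.0 (blocklist) mappings are routine.
                if not addr.is_loopback and not addr.is_unspecified:
                    reason = "hosts entry points a name at a non-loopback address"
        elif kind in ("O2", "O3", "O9") and body.endswith("(no file)"):
            reason = "orphaned CLSID registration, DLL missing"
        elif kind == "O4":
            m = O4_RE.match(body)
            if m:
                exe = executable_of(m.group("cmd")).lower()
                if not re.match(r"^[a-z]:\\", exe):
                    reason = "unqualified filename, resolved through the search path"
                elif not exe.startswith(TRUSTED_PREFIXES):
                    reason = "autostart from outside Windows/Program Files"
        elif kind == "O23" and " - Unknown owner - " in body:
            reason = "service with no publisher string"
        if reason:
            findings.append({"type": kind, "reason": reason, "body": body})
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE_LOG)):
        print(f"{f['type']:>4}  {f['reason']}\n      {f['body']}")
```

Run as-is it prints five findings from the sample: the invented hosts redirect, the orphaned BHO, the bare VTTimer.exe entry, the invented Temp autostart, and the BlueSoleil service with no publisher. The VTTimer hit shows why these are prompts rather than verdicts: a vendor utility registered by bare filename trips the same check as a dropped file would, and the follow-up is to locate and verify the binary, not to delete the entry on sight.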
Administrator Tarun Posted May 10, 2011 Administrator Posted May 10, 2011 Running Kaspersky's TDSSKiller may be helpful, as well as G-Data's FakeAV remover. Go to Start - All Programs - Accessories - System Tools - System Restore. Click Create a restore point, and then click Next. Name it whatever you like and create. To remove Startup items, you can use CCleaner, Autoruns, HiJackThis, and of course the MSConfig utility. MSConfig is very easy: you simply uncheck items you do not want to run at startup.
UKPunk Posted May 16, 2011 Author Posted May 16, 2011 Hi Tarun, It looks like that last load of scans I did has done the trick so thanks very much for your help. One last thing, I'd already unchecked Limewire in msconfig. What I was asking was whether it is possible to completely remove the entry as I thought I'd removed all traces of the program so was surprised to still see it sitting there. Thanks again, Dave
Administrator Tarun Posted May 16, 2011 Administrator Posted May 16, 2011 If you recheck it through MSconfig you can remove it using HijackThis or (the one I prefer to use: ) Autoruns.
Administrator Tarun Posted May 20, 2011 Administrator Posted May 20, 2011 The issue this thread has been opened for has been resolved. If you need continued support, please start a new thread and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: PC Cleanup. It is recommended that you review our PC Security wiki page to help secure your computer and protect it.