Help with spyware or virus!

  1. 24-04-2008  #11
    priscilla125
    priscilla125 is offline Newbie

    Re: Help with spyware or virus!

    When I tried to install the trial version of AVG-anti spyware it said it couldn't install it-something about Windows! But I did get the SDFix log okay. I downloaded the free version of AVG anti virus-didn't know if you wanted me to do any thing with that or not.

    Here is logs of SDFix & a new Hijack this log: Thanks!


    SDFix: Version 1.173
    Run by Owner on Wed 04/23/2008 at 08:25 PM

    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\DOCUME~1\Owner\Desktop\SDFix

    Checking Services :


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting


    Checking Files :

    Trojan Files Found:

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
    C:\A.TMP - Deleted
    C:\JA.EXE - Deleted
    C:\SVCIPA.EXE - Deleted
    C:\DOCUME~1\Owner\LOCALS~1\Temp\wavvsnet.exe - Deleted
    C:\A.tmp - Deleted





    Removing Temp Files

    ADS Check :



    Final Check :

    catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-04-23 20:35:42
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    C:\Program Files\Common Files\s hidden from API

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 1


    Remaining Services :




    Authorized Application Key Export:

    Remaining Files :


    File Backups: - C:\DOCUME~1\Owner\Desktop\SDFix\backups\backups.zi p

    Files with Hidden Attributes :

    Fri 13 Oct 2006 196 A.SHR --- "C:\BOOT.BAK"
    Tue 30 Jan 2007 15,495,424 A..H. --- "C:\Downloads\InstallFishTycoon.exe"
    Mon 18 Jun 2007 3,559,832 A..H. --- "C:\Downloads\vtp6.zip"
    Wed 30 Jan 2008 13,905,056 A..H. --- "C:\Downloads\software\Install_AIM.exe"
    Sun 15 Jul 2007 49,943,864 A..H. --- "C:\Downloads\software\iTunesSetup(3).exe"
    Wed 16 Apr 2008 23,344,432 A..H. --- "C:\Downloads\software\QuickTimeInstaller.exe"
    Wed 4 Aug 2004 0 A.SH. --- "C:\WINDOWS\SMINST\HPCD.SYS"
    Sat 5 Apr 2008 270,694 A..H. --- "C:\WINDOWS\system32\BIT3D.tmp"
    Thu 19 Apr 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Sun 20 Apr 2008 89,088 ..SHR --- "C:\Program Files\Common Files\s?curity\rundll32.exe"
    Fri 11 Apr 2008 230,400 ..SHR --- "C:\WINDOWS\system32\ąppPatch\m?config.exe"
    Sat 19 Apr 2008 169 A..H. --- "C:\Documents and Settings\Owner\Local Settings\Temp\Free Download Manager\tic13.tmp"
    Sat 19 Apr 2008 200 A..H. --- "C:\Documents and Settings\Owner\Local Settings\Temp\Free Download Manager\tic3.tmp"

    Finished!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:54:09 PM, on 4/23/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\System32\CSHelper.exe
    C:\Program Files\Spyware Terminator\sp_rsser.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\System32\VTTimer.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\PROGRA~1\Crawler\Smileys\CSmileysIM.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Free Download Manager\fdm.exe
    C:\Program Files\Free Download Manager\fum\fum.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Free Download Manager\FUM\fumoei.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\?ppPatch\m?config.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
    C:\PROGRA~1\Crawler\Smileys\CSMILE~1.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7AD00A39-935F-4583-98C1-E8BF8DAC25B0} - C:\WINDOWS\System32\nnnmmllj.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\s wg.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [CSmileys] "C:\PROGRA~1\Crawler\Smileys\CSmileysIM.exe"
    O4 - HKLM\..\Run: [c4ec4abb] rundll32.exe "C:\WINDOWS\System32\ijxiqlof.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Free Download Manager] "C:\Program Files\Free Download Manager\fdm.exe" -autorun
    O4 - HKCU\..\Run: [Free Upload Manager] "C:\Program Files\Free Download Manager\fum\fum.exe" -autorun
    O4 - HKCU\..\Run: [Free Uploader Oe Integration] C:\Program Files\Free Download Manager\FUM\fumoei.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [CSmileys] "C:\PROGRA~1\Crawler\Smileys\CSmileysIM.exe"
    O4 - HKCU\..\Run: [Notn] "C:\PROGRA~1\COMMON~1\SCURIT~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Hqsmbmyu] C:\WINDOWS\system32\?ppPatch\m?config.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin\core.hp.main\Sen dTo.html
    O8 - Extra context menu item: Crawler Search - tbr:iemenu
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Crawler Smileys - {16FE352D-F643-4A81-BC61-2C051F3A757D} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
    O9 - Extra button: Crawler eCards - {82E2B317-7C9C-4F12-B920-AC37D928CD43} - C:\PROGRA~1\Crawler\Smileys\CSMILE~1.DLL
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\Program Files\Free Download Manager\FUM\fumiebtn.dll
    O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} - http://install.wildtangent.com/Activ...veLauncher.cab
    O16 - DPF: {97770E5B-2028-48AC-B4DA-1F991376D2B6} - http://download.copysafe.net/plugins...s/Copysafe.cab
    O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: CopySafe Helper Service (CSHelper) - Unknown owner - C:\WINDOWS\System32\CSHelper.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe (file missing)
    O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    --
    End of file - 10438 bytes
  2. 25-04-2008  #12
    Neal
    Neal is offline Dedicated Member
    Save 20% on AVG Internet Security 2012 Suite!
    Still malware on your pc, Vundo trojan and purityscan/clickspring remains, let's break out the big guns now. Please follow directions very carefully as the next tool is very powerful and if used wrong can cause some problems.


    Familiarize yourself with this combofix tool.
    http://www.bleepingcomputer.com/comb...o-use-combofix

    ------------------------------------------------------------------------------------------------


    If you have previously downloaded ComboFix,please delete that version now.

    Now download ComboFix and save to your desktop:

    Note:

    It is IMPORTANT that it is saved directly to your desktop

    Close any open browsers.

    Disconnect from the Internet.

    Please do not re-connect your machine back to the Internet until Combofix has completely finished.

    Disable your antivirus program and any realtime malware scanners and script blockers now


    How To Disable



    Double click on combofix.exe and follow the prompts.

    When it's finished it will produce a log.
    Post the entire contents of C:\ComboFix.txt into your next reply.

    Note:
    Do not mouseclick combofix's window while it's running.

    That may cause the program to freeze/hang.

    Do NOT post the ComboFix-quarantined-files.txt unless I ask.

    Re-enable your anti-virus and re-connect back to the internet and post the combofix log.



    *Note*
    In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
    Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

    ComboFix SHOULD NOT be used unless requested by a forum helper.



    New hijackthis log please.
+ Reply to Thread
Page 2 of 2 FirstFirst 1 2
« [RESOLVED] Buffer Overrun... | trojans and poppups(RESOLVED) »