Topic: Trojan Downloader on XP...Mega Problems

tberg224

  • Guest
Trojan Downloader on XP...Mega Problems
« on: June 30, 2007, 01:18:12 AM »
Hi.
I wanted to know if anybody could help with a major computer problem...so I can avoid having to take my computer into a shop and likely reformat.

Here's the deal.
I have a THREE year old Dell Inspiron 5150 laptop.  I have Windows XP and connect to the internet at my house wirelessly via Verizon DSL.

I occasionally download music but only from ISOHUNT and BITLOAD torrents, and not frequently.
A couple of days ago, I was just browsing the internet.
Suddenly the computer became very slow.
This was followed by my computer downloading two programs onto the desktop
-Windows anti-spyware
-Outer limits

I never approved nor asked for these to be downloaded, yet it did so anyway, after which they claimed I had countless viruses, trojan downloaders, and tracking cookie spyware.

I went on to my various safeguards
-Ad-Aware
-Spybot search and destroy
-Ewido
 and ran scans, which detected trojan downloaders, tracking cookies, and spyware.  I quarantined or deleted all of them two days ago.

Today when I went back on my computer I was prompted with a message from Symantec AntiVirus that my computer had again been infected with a trojan downloader.
On my programs I noticed outer limits had again been installed...without my permission.
I uninstalled, ran new spyware.
It found infections, 98, and deleted.

I ran Symantec AntiVirus, came back fine.

Then just a few minutes ago trouble struck.
I was greeted by Symantec AntiVirus with a warning that trojan downloaders again were on the computer...and at once my computer began downloading windows anti-spyware and outer limits without my permission.

I went to Symantec and checked the history, all but two of the viruses were deleted, those two being

is67678[1].exe
Trojan.Dropper
Infected
Clean virus from file
Quarantine infected file


wr-1-2000219[1].exe
Downloader
Infected
Clean virus from file
Quarantine infected file


When I tried to delete them I was prompted being told

Symantec AntiVirus cannot perform action due to

Possible cause
The files are moved or deleted
The computer they are located on is turned off
You are trying to clean files located in an email message
You are trying to clean a compressed file


I'd like to know if any of you know
1)  What the problem is.  What I can do to resolve.

2)  The prevention measures I could take.


In the event this needs to be taken into a shop and reformatted, I'd like to know if there is any way I can save all my documents/pictures/programs/desktop and browser settings/favorites so I am not left with a week's worth of resetting.

Thanks again.

Crono



    Beginner
  • I love YaBB 1G - SP1!
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #1 on: June 30, 2007, 02:52:41 AM »
    I'm no expert but this is how the experts would start you off

    Go on to Google and search for HijackThis.

    Then go on the first website and download HijackThis.

    Run the program, then show us the log. Don't delete anything with this program; it is very powerful and could mess up your laptop.

    Here's a start ;D

    CBMatt

    • Mod & Malware Specialist


    • Prodigy

    • Sad and lonely...and loving every minute of it.
    • Thanked: 167
      • Yes
    • Experience: Experienced
    • OS: Windows 7
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #2 on: June 30, 2007, 03:18:53 AM »
    To save you some time, here is the link to HijackThis: http://merijn.org/files/HijackThis.exe


    Before running it, update all of your protection programs and then scan with them in Safe Mode.  Afterwards, restart your computer.  Then you can go ahead and scan with HijackThis and post the log here.  Many of the things in the log are safe and even necessary, so don't make any changes until instructed to do so.


    I'm moving this thread to the Viruses And Spyware forum.
    Quote
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #3 on: June 30, 2007, 11:44:01 PM »
    1)  Thanks.
    2)  Ran various scans which came up with more stuff
    3)  Did the hijack, results below
    4)  How do you get into safe mode
    5)  What do I do now, and if I must reformat (UGH) how can I save everything?



    Here are the results......


    Logfile of HijackThis v1.99.1
    Scan saved at 1:41:38 AM, on 7/1/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\AOL\1154149194\ee\AOLSoftware.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Trent Berger\Desktop\HijackThis.exe
    C:\WINDOWS\system32\NOTEPAD.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dell.com/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154149194\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320 161C4661227A755E9C2933154389A
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    CBMatt

    Re: Trojan Downloader on XP...Mega Problems
    « Reply #4 on: June 30, 2007, 11:50:25 PM »
    Don't worry...you've got a few nasties, but you should be able to avoid reformatting.  Just give me a couple of minutes and I'll have some instructions for you.

    For info on booting into Safe Mode...
    http://www.computerhope.com/issues/chsafe.htm

    CBMatt

    Re: Trojan Downloader on XP...Mega Problems
    « Reply #5 on: July 01, 2007, 12:07:20 AM »
    Download CCleaner (install without Yahoo! toolbar) and configure it according to this guide.

    Then download AVG Anti-Spyware and update it.  Don't scan with it yet.

    Let's first take a look at your log...  Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)

    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320 161C4661227A755E9C2933154389A
    O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe

    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com


    Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

    Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following (if present)...

    Outerinfo
    WinPop


    Please note any other programs that you don't recognize in that list in your next response.

    Navigate to and delete the following folder(s) if present...

    C:\Program Files\Outerinfo
    C:\Program Files\WinPop


    Navigate to and delete the following file(s) if present...

    C:\WINDOWS\retadpu77.exe

    Now, scan with AVG and let it clean whatever it wants.  Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.
    « Last Edit: July 01, 2007, 04:11:38 PM by CBMatt »

    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #6 on: July 01, 2007, 03:59:21 PM »
    First I want to say thanks so much for your time, helpfulness, I really appreciate it sincerely.

    Second, last week I already downloaded AVG-anti spyware, have scanned it already on my computer many times.
    Before I follow your steps, does this change anything?

    CBMatt

    Re: Trojan Downloader on XP...Mega Problems
    « Reply #7 on: July 01, 2007, 04:14:50 PM »
    Ah, yes...silly me, I see AVG AS in your log.  Don't install it again.  But you should, however, still update it and try scanning again.  You may also want to give AVG Anti-Virus a try.  It's a bit tedious, I know, but it's best to be thorough.  Follow the rest of my instructions as they are laid out in my previous post.

    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #8 on: July 02, 2007, 11:50:56 AM »
    Alright, here is the status

    1)  Downloaded and ran CC, then configured according to guide
    2)  Already had anti-spyware
    3)  Ran Hijack this, I selected "fix checked problems" to all the ones you stated EXCEPT

    -O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320 161C4661227A755E9C2933154389A
    -O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe

    Both of these problems did not show up in the scan.

    4)  Rebooted into safe mode, enabled hidden files
    5)  Went to start, settings
    -Outerinfo NOT present
    -Winpop present and removed

    6)  I did not know how to navigate and delete
    C:\Program Files\Outerinfo
    C:\Program Files\WinPop
    C:\WINDOWS\retadpu77.exe

    Instead I went to search
    -All of C drive
    -Typed in Outerinfo, it appeared and was deleted
    -Typed in Winpop, it appeared and was deleted
    -Typed in retadpu77, it did not appear

    7)  Scanned with AVG anti-spyware, clean
    8)  Restarted in normal, did hijack this, results posted



    Questions
    1)  Did I do this correct?
    -I did some browsing once in safe mode and before the last hijack this, could that have changed things again?

    2)  Is this CPU safe and if not resolutions?
    -The CPU is running much better but could still be somewhat improved

    3)  In the future what can I do to detect and prevent this from occurring, if we are out of the woods?
    -In terms of deleting cookies, files, folders
    -Spyware
         detecting, deleting, and avoiding
    -Viruses
         detecting, deleting, and avoiding







    Logfile of HijackThis v1.99.1
    Scan saved at 1:33:50 PM, on 7/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\AOL\1154149194\ee\AOLSoftware.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Trent Berger\Desktop\HijackThis(2).exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dell.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1154149194\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Unknown owner - C:\WINDOWS\system32\drivers\KodakCCS.exe (file missing)
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
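
The triage in Reply #5 and the before/after check against the second log can be scripted; the Python below is an added example, not part of the original thread and not HijackThis's own logic. The log excerpts are copied from the two logs posted above, while the function names and flagging heuristics are assumptions made for illustration.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section detail")

# A numbered HijackThis entry looks like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")
# Names taken from the removal list in Reply #5 of this thread.
NAMES_FROM_THREAD = ("outerinfo", "winpop", "retadpu77")
# Illustrative heuristics (assumptions of this example, not HijackThis rules).
EXE_IN_WINDIR = re.compile(r'\]\s+"?[A-Z]:\\WINDOWS\\[^\\"\s]+\.exe\b', re.I)
LONG_HEX_ARG = re.compile(r"\s[0-9A-F]{20,}\b")

# Excerpt of the first log (Reply #3).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu77.exe 61A847B5BBF72815358B2B27128065E9C084320 161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winfixer.com
"""

# Excerpt of the second log (Reply #8), taken after the cleanup steps.
AFTER = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def parse_log(text):
    """Return the numbered entries (R0, O4, O23, ...) of a HijackThis log.

    Header lines and the 'Running processes' list do not match and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            detail = re.sub(r"\s+", " ", m.group(2))  # normalise spacing
            entries.append(Entry(m.group(1), detail))
    return entries


def review_reasons(entry):
    """List the reasons an entry deserves a human look (empty list = none)."""
    reasons = []
    if any(name in entry.detail.lower() for name in NAMES_FROM_THREAD):
        reasons.append("name on the thread's removal list")
    if entry.section == "O15":
        reasons.append("domain added to the IE Trusted Zone")
    if entry.section == "O4":
        if EXE_IN_WINDIR.search(entry.detail):
            reasons.append("autorun .exe directly in the Windows folder")
        if LONG_HEX_ARG.search(entry.detail):
            reasons.append("long hex string passed as an argument")
    if (entry.section == "O2" and "(no name)" in entry.detail
            and not entry.detail.endswith("(no file)")):
        reasons.append("unnamed BHO registered to a DLL path")
    return reasons


def compare_logs(before_text, after_text):
    """Flag entries in the first log and check whether they survive cleanup."""
    before, after = parse_log(before_text), parse_log(after_text)
    before_set, after_set = set(before), set(after)
    flagged = [(e, review_reasons(e)) for e in before if review_reasons(e)]
    return {
        "flagged_before": flagged,
        "still_present": [e for e, _ in flagged if e in after_set],
        "flagged_after": [e for e in after if review_reasons(e)],
        "new_in_after": [e for e in after if e not in before_set],
    }


if __name__ == "__main__":
    report = compare_logs(BEFORE, AFTER)
    for entry, reasons in report["flagged_before"]:
        print(f"{entry.section}: {entry.detail}\n    -> " + "; ".join(reasons))
    print("still present after cleanup:", len(report["still_present"]))
    print("entries that are new or changed:", report["new_in_after"])
```

An entry listed under `new_in_after` is not necessarily new software: here it is the Yahoo! Toolbar Helper BHO, whose line changed from a missing DLL path to `(no file)` between the two scans.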


    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #9 on: July 02, 2007, 12:48:49 PM »
    Alright, in addition I just ran my spyware programs

    1)  Ad aware 2007

    Infections Found
    Family Id Name Category TAI
    9999 MRU Object MRU Object 0
    [1] MRU Path: C:\Documents and Settings\Trent Berger\Recent Count: 1
    [2] MRU Registry Key: S-1-5-21-484763869-630328440-725345543-1003\Software\Microsoft\Search Assistant\ACMru\5603 Count: 3

    Deleted, non critical

    2)  Spybot search and destroy
    -No threats

    3)  eWido
    -No threats


    I also
    4)  Asked NOT to enable, show hidden files

    Next questions
    1)  Am I safe, what else can I do to check?
    2)  Was step (4) right?
    3)  Why did I get the infection and what can I do to safeguard?
    4)  I have ONE anti virus (Symantec) and FOUR spyware programs
    -Ad aware 2007
    -Spybot search and destroy
    -Ewido
    -AVG

    -Should I set up a routine schedule?
    -What about deleting, is it bad to have all of these and which ones should go?

    Thanks.

    CBMatt

    Re: Trojan Downloader on XP...Mega Problems
    « Reply #10 on: July 03, 2007, 02:22:43 AM »
    Nice to see someone actually asking some productive questions!  And thanks for all of the details of the steps you took.  Your log now looks clean to me.  Are you still experiencing any problems?

    1)  Did I do this correct?
    -I did some browsing once in safe mode and before the last hijack this, could that have changed things again?
    Yes, you did a good job.  Don't worry about anything that didn't turn up; it most likely means your anti-virus/spyware scans got rid of some of the infected files.

    2)  Is this CPU safe and if not resolutions?
    -The CPU is running much better but could still be somewhat improved
    I assume you mean PC (personal computer).  A CPU is a central processing unit.  In any case...it's definitely a lot safer than before.  What sorts of improvements do you need?

    3)  In the future what can I do to detect and prevent this from occurring, if we are out of the woods?
    The most important thing is to keep all of your protection updated and scan with it on a regular basis, preferably in Safe Mode.  You also need to be careful with what you download and what sites you visit.  Discretion and common sense play a big role.  Also, make sure you have Java.

    1)  Am I safe, what else can I do to check?
    As long as you have the internet, you are never completely safe from infections.  However, you can build up a good defense against them with anti-virus, anti-spyware, and a firewall.  You should also clean out your System Restore files...

    1.  Go to Start > Programs > Accessories > System Tools > System Restore
    2.  Click on System Restore Settings.
    3.  Check Turn off System Restore and click OK.
    4.  Restart your computer.
    5.  Follow steps 1 and 2 to return to the settings, uncheck Turn off System Restore, and click OK.
    6.  Create a new restore point and close the program.

    System Restore will now be active again.  If you would like to learn more about System Restore, go here.

    2)  Was step (4) right?
    Yes, that's fine.  Once the files are gone, you no longer need to see hidden files and folders.

    3)  Why did I get the infection and what can I do to safeguard?
    Very good question.  You would definitely benefit from reading Tony Klein's article: So how did I get infected in the first place?

    4)  I have ONE anti virus (Symantec) and FOUR spyware programs
    -Ad aware 2007
    -Spybot search and destroy
    -Ewido
    -AVG

    -Should I set up a routine schedule?
    -What about deleting, is it bad to have all of these and which ones should go?
    You absolutely should have a routine schedule.  I suggest running scans at least once a week.  Pick a day when the computer won't have much activity, and just leave it alone for awhile during the scans.  It's actually a good idea to have a few anti-virus programs.  And it's a good idea to have only one active anti-virus program.  Personally, I'm not a big fan of Symantec, so I would suggest replacing it with AVG Anti-Virus (not the same as Anti-Spyware).  Or at least keep it around as a backup.  And a firewall is also very important.


    Do you have any more questions?
    How's everything running?
    « Last Edit: July 03, 2007, 04:32:20 AM by CBMatt »
    Quote
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #11 on: July 03, 2007, 10:23:24 AM »
    1)  Of course I got more questions, but I'll ask later

    2)  Last night Symantec came up with four more threats, I didn't copy them, BUT one of them was a trojan horse, basically the same problems as before.
    I took care of them but nonetheless I am concerned because I thought they were all gone AND the browser is running slower.

    What can I do to see if everything is cleared or what do you think?

    3)  Did you mean you only need ONE active virus protector, with ONE backup, and only ONE active spyware in addition?
    Basically what should I do with all the spyware's I have, in terms of how many to keep.
    Any reason why the more NOT the merrier?

    Thanks.

    CBMatt

    • Mod & Malware Specialist


    Re: Trojan Downloader on XP...Mega Problems
    « Reply #12 on: July 03, 2007, 12:35:38 PM »
    3)  Did you mean you only need ONE active virus protector, with ONE backup, and only ONE active spyware in addition?
    Basically what should I do with all the spyware's I have, in terms of how many to keep.
    Any reason why the more NOT the merrier?
    Multiple anti-spyware programs are good.  Multiple anti-virus programs are not.  When you have more than one active anti-virus, they tend to *censored* heads and fight for power.  This results in them often not properly detecting and removing infections.  Anti-spyware often isn't active, so this normally isn't a problem.  So, when it comes specifically to anti-virus, you should have one active program and one inactive program (not set to autolaunch or auto-scanning).  Like I suggested, you should have AVG's Anti-Virus.  I feel that it is superior to Norton/Symantec, which might not be detecting the infections properly.  AVG Anti-Virus (not the Anti-Spyware) needs to be updated and allowed to scan in Safe Mode.  Then go ahead and post a new HijackThis log.



    Also...Download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.
    Quote
    An undefined problem has an infinite number of solutions.
    - Robert A. Humphrey

    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #13 on: July 04, 2007, 12:50:11 PM »
    Alright, well I'm very frustrated and concerned, we got a couple of problems.

    1)  When I went on the computer last night, it was horrible.  The computer was crashing, running so slow from the beginning it was unusable.

    2)  Symantec popped up and showed that five viruses had been detected, the same five which have been popping up for almost a week.

    3)  Today after giving up on the computer last night, it was much the same.  I was able to do a spyware scan on all four (ad aware, spybot, ewido, and spybot).
    -Only ad aware came back with one, it was minor and the same thing as a few days ago

    4)  I also went onto CClean
    -Ran, cleaned, and then analyzed
    Afterwards it ran MUCH faster, although it still crashed at one moment

    5)  I ran the combofix and hijack this, and have posted the logs below
    -Combofix could NOT fit onto one post due to character lengths, it is split.

    6)  I really would like to know what is going on with my computer?
    Specifically why it runs fine, clean, only to have the same viruses reappear, run slow, until the Cclean runs.
    Speaking on that do I need to keep Cclean, Hijack this, the logs, and all FOUR spywares?
    The AVG is the only active.

    Let me know what the deal is and what I need to do to stop it from crashing, being infected by any and the same viruses.
    Do you think we should correspond here, AIM, or PM?
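
An added example, not part of the thread and not ComboFix's own code: a small Python triage script for the "Files Created" section of a ComboFix report like the one posted below. The sample rows are constructed, and the review heuristics (new `.sys` files under `system32\drivers`, new binaries directly in the Windows directories) are assumptions about what a helper would look up first, not verdicts.

```python
import re
from datetime import datetime
from ntpath import dirname, normpath, splitext  # Windows path rules on any OS

# One "Files Created" row: date, time, size or <DIR>, attribute flags, path.
ROW = re.compile(
    r"^\s*(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+?)\s*$"
)
# Assumed review heuristics (not ComboFix's logic): new kernel drivers and new
# binaries sitting directly in the Windows directories get looked up by hand.
DRIVER_DIR = r"c:\windows\system32\drivers"
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
EXEC_EXT = {".exe", ".dll", ".scr", ".com"}

def parse_rows(log_text):
    """Yield a dict per well-formed row; banners, blanks and other sections are skipped."""
    for m in filter(None, map(ROW.match, log_text.splitlines())):
        date, time, size, attrs, path = m.groups()
        yield {
            "created": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "is_dir": size == "<DIR>",
            "attrs": attrs,
            "path": normpath(path),
        }

def review_list(log_text):
    """Return (reason, row) pairs, newest first, for manual lookup."""
    flagged = []
    for row in parse_rows(log_text):
        if row["is_dir"]:
            continue
        folder = dirname(row["path"]).lower()
        ext = splitext(row["path"])[1].lower()
        if folder == DRIVER_DIR and ext == ".sys":
            flagged.append(("new kernel driver", row))
        elif folder in SYSTEM_DIRS and ext in EXEC_EXT:
            flagged.append(("new binary in system dir", row))
    return sorted(flagged, key=lambda item: item[1]["created"], reverse=True)

# Constructed sample in the layout of the report's "Files Created" section.
SAMPLE = r"""
(((((   Files Created from 2007-06-04 to 2007-07-04  )))))
2007-07-03 21:10   14,336   --a------   C:\WINDOWS\system32\drivers\exampledrv.sys
2007-07-02 02:54   <DIR>   d--------   C:\Program Files\ExampleTool
2007-06-28 04:22   1,060,864   --a------   C:\WINDOWS\system32\example.dll
2007-06-20 09:00   2,048   --a------   C:\Program Files\ExampleTool\readme.exe
"""
```

Security tools install drivers and DLLs in these locations too, so each flagged entry is a prompt to identify the file's vendor, not a reason to delete it.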




    tberg224

    • Guest
    Re: Trojan Downloader on XP...Mega Problems
    « Reply #14 on: July 04, 2007, 12:52:26 PM »
    Combofix
    "Trent Berger" - 2007-07-04  2:27:57 - ComboFix 07-07-03.9 - Service Pack 2 


    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
    C:\DOCUME~1\TRENTB~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\TRENTB~1\APPLIC~1.\winantispyware 2007 free
    C:\DOCUME~1\TRENTB~1\APPLIC~1.\winantispyware 2007 free\DownloadUWAS7.url
    C:\DOCUME~1\TRENTB~1\APPLIC~1.\winantispyware 2007\Logs\update.log
    C:\Documents and Settings\TRENTB~1.\err.log
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\poolsv
    C:\Program Files\winantispyware 2007
    C:\Program Files\winantispyware 2007\AutoProcess.dat
    C:\Program Files\winantispyware 2007\monstate.dat
    C:\Program Files\winantispyware 2007\scanlog.xml
    C:\Program Files\winantispyware 2007\Summary.dat
    C:\Program Files\winantispyware 2007\tasks.dat
    C:\Program Files\winantispyware 2007\threatnet.dat
    C:\Program Files\wnsxs~1
    C:\temp\iee
    C:\WINDOWS\system32\drivers\fopn.sys
    C:\WINDOWS\system32\o02PrEz
    C:\WINDOWS\wr.txt


    (((((((((((((((((((((((((   Files Created from 2007-06-04 to 2007-07-04  )))))))))))))))))))))))))))))))


    2007-07-04 02:23   51,200   --a------   C:\WINDOWS\nircmd.exe
    2007-07-02 02:54   <DIR>   d--------   C:\Program Files\CCleaner
    2007-06-30 15:01   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-06-28 04:22   1,060,864   --a------   C:\WINDOWS\system32\mfc71.dll
    2007-06-15 02:44   <DIR>   d--------   C:\Program Files\iTunes
    2007-06-15 02:44   <DIR>   d--------   C:\Program Files\iPod
    2007-06-08 16:04   <DIR>   d--------   C:\Program Files\Lavasoft
    2007-06-08 16:04   <DIR>   d--------   C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-08 16:03   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-04 15:18   9,344   --a------   C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 15:17   8,320   --a------   C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 15:14   6,272   --a------   C:\WINDOWS\system32\drivers\AWRTPD.sys


    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-04 16:25:52   17,634   ----a-w   C:\WINDOWS\system32\nvModes.dat
    2007-07-04 06:02:54   --------   d-----w   C:\Program Files\Symantec AntiVirus
    2007-07-02 03:31:59   4,755   ----a-w   C:\WINDOWS\mozver.dat
    2007-06-30 05:42:23   --------   d-----w   C:\DOCUME~1\TRENTB~1\APPLIC~1\Wal-Mart Digital Photo Manager
    2007-06-30 04:50:34   --------   d-----w   C:\Program Files\Google
    2007-06-21 23:35:29   --------   d-----w   C:\Program Files\America Online 9.0
    2007-06-15 06:42:27   --------   d-----w   C:\Program Files\QuickTime
    2007-06-15 06:39:49   --------   d-----w   C:\Program Files\Apple Software Update
    2007-06-11 20:21:02   --------   d-----w   C:\Program Files\Common Files\AOL
    2007-05-25 19:47:21   --------   d-----w   C:\Program Files\Kap.GRETests
    2007-05-16 15:12:02   683,520   ------w   C:\WINDOWS\system32\inetcomm.dll
    2007-04-25 14:21:15   144,896   ------w   C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23   2,854,400   ----a-w   C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36   33,624   ----a-w   C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54   1,710,936   ----a-w   C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48   549,720   ----a-w   C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42   325,976   ----a-w   C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36   203,096   ----a-w   C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28   92,504   ----a-w   C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20   53,080   ----a-w   C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20   43,352   ----a-w   C:\WINDOWS\system32\wups2.dll
    2007-04-13 19:19:52   7,680   ----a-w   C:\WINDOWS\system32\lsdelete.exe
    2007-04-13 17:31:03   103,984   ----a-w   C:\WINDOWS\system32\AOLDial.dll


    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))