I clicked on an MSN Messenger message from some I know for a file" Linksys-gaming.EE.P/ Sexyblonde.JPG "( Not sure if the characters are all correct. Then I had a difficult time accessing the internet. When starting up, a filewould display to install: avgsrv.exe C:Windows\System 32. AVG found C;\MyDocuments\Steve\7666. AVG also found Trojan Horse Pakes.U I also ran a partial Kaspersky online scan and it displayed " VIRUS.Win9x.CIH & HOAX.Win32.BadJoke.Stupen.C. This computer is hardwired into a wireless router. I have since installed Spybot.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:31 PM, on 22/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Windows\Debug\csrss.exe
C:\Windows\system32\nvscv32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tnt21.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ÿÿÿ�4|ðþ] C:\Windows\system32\avgsrv.exe
O4 - HKLM\..\Run: [Microsoft Windows Driver Manager] C:\Windows\Debug\csrss.exe
O4 - HKLM\..\Run: [Enabled:%s] C:\Windows\system32\nvscv32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6932 bytes

I just checked AVG and Trojan Horse PSW.Agent.XRM is also in the virus vault.

hi,


I clicked on an MSN Messenger message from some I know for a file"
email addresses/spoofing is trivial. distributing malware via click on files/links is also very popular, after all who can resist a "sexyblonde" photo, right? Its a almost guaranteed click every time.

to help show all files you can do this:

FOr XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

I would like to get one of the files. You can navigate to:
C:\Windows\system32 and see if you can locate:

avgsrv.exe

If you find it you can go to the link below, browse for the file again and upload it to the site. If you cant find it in on your machine dont worry about it,

link:
http://www.bleepingcomputer.com/submit-malware.php?channel=67

-----------------------------------------
first we will use hjt:

start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"

O4 - HKLM\..\Run: [ÿÿÿ�4|ðþ] C:\Windows\system32\avgsrv.exe

O4 - HKLM\..\Run: [Microsoft Windows Driver Manager] C:\Windows\Debug\csrss.exe

O4 - HKLM\..\Run: [Enabled:%s] C:\Windows\system32\nvscv32.exe

--------------------------------
Next we will get a download to use. Link and directions below:

Please download Malwarebytes' Anti-Malware (MBAM) to your desktop:

http://www.malwarebytes.org/mbam.php

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click **Remove Selected.**
*A restart may be required to finish the clean up process*
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

please post the MBAM log in reply'

Last: you can do a online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

I "selected show hidden files" and overlooked the next two unchecks- however after I did the HJT, Malware, esetonline, I started over again, found the file and posted it to the link at bleeping computer. It had the modified date at approx the time I had clicked on that file.
The first run was plastered with the Trojan.VLOG and seemed to be deleted. After finding avgsrv.exe, I repeated the whole process and found no further viruses.
Restart was not requested after MBAM.
***
Malwarebytes' Anti-Malware 1.34
Database version: 1799
Windows 5.1.2600 Service Pack 3

24/02/2009 3:41:19 PM
mbam-log-2009-02-24 (15-41-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116168
Time elapsed: 29 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{3b8fb116-d358-48a3-a5c7-db84f15cbb04} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\webmedia.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Toolbar (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Steve\Desktop\4AAFF1940CB24380\4AAFF1940CB24380.x86 (Rootkit.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\Debug\6694.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Debug\7253.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Debug\csrss.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\My Documents\My Music\My Music.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\My Documents\My Pictures\My Pictures.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\My Documents\My Videos\My Video.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\My Documents\My Documents.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\Steve\Favorites\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\Run Virus Scan.url (Trojan.Zlob) -> Quarantined and deleted successfully.

***
ESET
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3886 (20090224)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=97c156f80bb39d4d9c620603447304b4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-24 10:48:53
# local_time=2009-02-24 05:48:53 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 3
# scanned=333100
# found=0
# scan_time=2123

Questions:
What do I do about:
C:\Documents and Settings\Steve\Desktop\4AAFF1940CB24380
It showed up on the desktop.

The Spybot teatimer was on. Was that OK?

There are still 2 viruses in the AVG virus vault- Trojan horse Pakes.U & Trojan horse PSW.Agent.XRM. Should I clean them out now?

Is the avgsrv.exe in System 32 OK?

Its great to be able to get help like this .

hi,

ok thanks for the info.


What do I do about:
C:\Documents and Settings\Steve\Desktop\4AAFF1940CB24380
It showed up on the desktop.

You can delete it off your desktop


There are still 2 viruses in the AVG virus vault-
You can empty the vault. They are harmless once in the vault.


Is the avgsrv.exe in System 32 OK?

The .exe requests a outgoing connection to what looks like a IRC game server.Ever play Unreal on line? this info didnt format to well but you can see the word unreal in there:


0000 3a 31 32 37 2e 30 2e 30 2e 31 20 4e 4f 54 49 43 :127.0.0.1 NOTIC
0010 45 20 41 55 54 48 20 3a 2a 2a 2a 20 46 6f 75 6e E AUTH :*** Foun
0020 64 20 79 6f 75 72 20 68 6f 73 74 6e 61 6d 65 0d d your hostname.
0030 0a 3a 31 32 37 2e 30 2e 30 2e 31 20 30 30 31 20 .:127.0.0.1 001
0040 4e 41 53 41 7c 55 53 41 7c 58 50 7c 32 37 34 31 NASA|USA|XP|2741
0050 34 36 20 3a 57 65 6c 63 6f 6d 65 20 74 6f 20 74 46 :Welcome to t
0060 68 65 20 20 20 49 52 43 20 4e 65 74 77 6f 72 6b he IRC Network
0070 20 4e 41 53 41 7c 55 53 41 7c 58 50 7c 32 37 34 NASA|USA|XP|274
146!Nasa@(removed ip)

x.net..:127.0.0.
00b0 31 20 30 30 32 20 4e 41 53 41 7c 55 53 41 7c 58 1 002 NASA|USA|X
00c0 50 7c 32 37 34 31 34 36 20 3a 59 6f 75 72 20 68 P|274146 :Your h
00d0 6f 73 74 20 69 73 20 31 32 37 2e 30 2e 30 2e 31 ost is 127.0.0.1
00e0 2c 20 72 75 6e 6e 69 6e 67 20 76 65 72 73 69 6f , running versio
00f0 6e 20 55 6e 72 65 61 6c 33 2e 32 2e 37 0d 0a 3a n Unreal3.2.7..:
0100 31 32 37 2e 30 2e 30 2e 31 20 30 30 33 20 4e 41 127.0.0.1 003 NA
0110 53 41 7c 55 53 41 7c 58 50 7c 32 37 34 31 34 36 SA|USA|XP|274146
0120 20 3a 54 68 69 73 20 73 65 72 76 65 72 20 77 61 :This server wa
0130 73 20 63 72 65 61 74 65 64 20 57 65 64 20 53 65 s created Wed Se
0140 70 20 33 20 32 30 30 38 20 61 74 20 31 31 3a 31 p 3 2008 at 11:1

Please rescan and post a new hjt log.

first 2 items done and attached fresh logfile.
My hard drive was replaced recently with a new one. I had played several versions of registered Unreal, Half-life etc but not with this hard drive.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:08:55 PM, on 24/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tnt21.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6931 bytes

hi,

If data was transferred from one drive to the other then thats the source. Its possible those files were not removed with a uninstall of Unreal or some other software from the origianl drive.
Dont see them in the hjt log anymore. You can take a look in the system32 dir and delete these if you spot them:

avgsrv.exe
nvscv32.exe

Other than that hows it looking on your end now?

The same MSN message has not been sent to other contacts in my MSN contacts anymore, that I have seen. I had informed the contacts I knew that were affected, including the originator. Some had complained but not clicked on it after my warning. I believe its fixed just by that. I'm not sure to trust Paypal or online banking?
I'll gladly delete those 2 files if they dont affect the system. What are their purpose?
And should I check 'hide protected operating system files' and 'hide extensions for known file type' that were unchecked to find the problem.

There was data transferred from selected files to the new hard drive and, you're right, it must have been in a folder somewhere like My photos, etc?
Really appreciate your time in helping me out.

hi,

ok thanks for the info.

I'll gladly delete those 2 files if they dont affect the system. What are their purpose?

you can delete them if present. They established connections with irc servers.


And should I check 'hide protected operating system files' and 'hide extensions for known file type' that were unchecked to find the problem.

you can leave them unchecked to look for the files, then once done you can check them both or leave them as is, up to you. the fact that they are called "hidden" is really of no security value.


I'm not sure to trust Paypal or online banking?
you can change your passwords and monitor all transactions for a few weeks or longer.

Check MBAM for updates and scan once more and post the log

Hi,
I deleted the two files and heres a fresh log:

Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 5.1.2600 Service Pack 3

26/02/2009 7:43:07 PM
mbam-log-2009-02-26 (19-43-07).txt

Scan type: Full Scan (C:\|)
Objects scanned: 116363
Time elapsed: 31 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Looks pretty good, shelf life.

hi sjolley,

I think it looks pretty good to. You can keep malwarebytes. Has to be manually updated. The paid version offers auto updates and real time protection.
If all is good on your end then I leave you with some tips for reducing your risk to malware.

Reducing Your Risk To Malware:
The Short Version:

1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" possible vulnerabilities that could be exploited.

2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. Do not install any files from ads, links or popups.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. Scanning frequency is a function of your computer habits.

4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.

5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?

7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*

8) Install and know the limitations of a software firewall.

9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)

10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?

A longer version in link below.

Happy Safe Surfing.